
Re: My machine compromised?



Don't know if it's normal, but vmware3 does something that causes 
chkrootkit to see 1 hidden process for me.  Wasn't actively using it 
at the time, so maybe if you have the VM running it causes more 
hidden processes.

On Thursday 04 December 2003 17:09, Micha Feigin wrote:
> First thing, you sent this to me instead of the list which seems
> like what you wanted considering the last question.
>
> On Wed, Dec 03, 2003 at 10:38:10PM -0800, Vanh Phom wrote:
> > On Wed, 2003-12-03 at 02:07, Micha Feigin wrote:
> > > On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> > > > Hi folk,
> > > > After reading a report of servers being compromised, just for
> > > > curiosity I ran chkrootkit on my own machine and came up
> > > > with this result:
> > > >
> > > > Searching for anomalies in shell history files... nothing found
> > > > Checking `asp'... not infected
> > > > Checking `bindshell'... not infected
> > > > Checking `lkm'... You have    12 process hidden for readdir command
> > > > You have    12 process hidden for ps command
> > > > Warning: Possible LKM Trojan installed
> > > > Checking `rexedcs'... not found
> > > > Checking `sniffer'...
> > > > eth0: PROMISC
> > > >
> > > > Is my machine compromised? How to fix this?
> > > >
> > > > Vanh
> > >
> > > If it's unstable, then there is a bug with chkrootkit.
> > > Do a ps ax and see how many processes you have with pid 0.
> > > Don't remember the criterion, but some processes owned by the
> > > kernel are started with the kernel's pid which is 0 (I hope I
> > > am not mixing things up, but that is the essential idea, search
> > > the archives on this if you want the exact story).
> > > Also try running  /usr/lib/chkrootkit/chkproc  -v and it will
> > > tell you exactly which processes are seen as hidden. You can
> > > then try to do: cat /proc/<pid>/status (hoping that wasn't
> > > compromised if the computer was, which it probably wasn't) to
> > > see what the process actually is.
> > >
> >
> > I'm running 2.6.0test11 sid.
> > /usr/lib/chkrootkit/chkproc -v reports no pid 0
>
> This will not show you pid 0 but what pids it thinks are hidden.
> You should see pid 0 on ps ax.
> What pid does ps ax show for those processes? Could it be that
> they have the same pid as their parent process instead of a
> separate pid?
>
> > cat /proc/<pid>/status reports all 8 processes are either nautilus
> > or evolution, sleeping.
> > I guess it's just a false positive for chkrootkit. I'm just
> > starting to run Debian in the last month or so, so I'm pretty
> > green on Debian. BTW, does anyone know how to set up guarddog to
> > start whenever the machine is booting? On SuSE the firewall is
> > automatically configured to start when the machine is booting.
> >
> > Vanh


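The check Micha describes above (compare what readdir() on /proc returns with what ps prints, then look at /proc/<pid>/status for every leftover PID) can be scripted so the "hidden" processes explain themselves. The script below is an added example written for this thread; it is not chkrootkit's or chkproc's own code, and the benign classifications it applies (a thread sharing its parent's Tgid, a kernel thread without a VmSize field, a process that exited between the two listings) are this example's assumptions about the usual false positives, not something the thread confirms. Anything that fits none of them is reported as unexplained so it can be looked at by hand.

```python
#!/usr/bin/env python3
"""Cross-check the PIDs that readdir() returns for /proc against the PIDs
that `ps ax` prints, then explain every leftover PID from /proc/<pid>/status.
Added example for this thread, not chkrootkit's or chkproc's code: it only
re-implements the same idea so the LKM warning can be triaged.
"""
import os
import re
import subprocess

_PID_DIR = re.compile(r"^\d+$")


def list_proc_pids(proc_root="/proc"):
    """PIDs visible to readdir(): every all-digit directory name under /proc."""
    return {int(name) for name in os.listdir(proc_root) if _PID_DIR.match(name)}


def parse_ps_pids(ps_output):
    """PIDs from `ps ax`-style text: the first column of every non-header line."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def parse_status(text):
    """Turn /proc/<pid>/status ('Key:\tvalue' lines) into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def classify(pid, status):
    """Benign explanations for a PID that /proc lists but ps does not.

    status is the parsed /proc/<pid>/status dict, or None if the entry had
    vanished before it could be read. The rules are this example's assumptions.
    """
    if status is None:
        return "exited between the two listings (race, not hiding)"
    name = status.get("Name", "?")
    state = status.get("State", "?")
    tgid = int(status.get("Tgid", pid))
    if tgid != pid:
        # Threads carry their own PID but share the thread-group id; ps prints
        # one line per group, which is the 'same pid as the parent' case.
        return "thread of %d, %s (%s)" % (tgid, name, state)
    if "VmSize" not in status:
        # Kernel threads have no user address space, hence no Vm* fields.
        return "kernel thread %s (%s)" % (name, state)
    return "UNEXPLAINED: %s (%s), investigate" % (name, state)


def audit(proc_pids, ps_pids, read_status):
    """Map each PID seen by readdir but not by ps to an explanation.

    read_status(pid) returns the text of /proc/<pid>/status or None.
    """
    report = {}
    for pid in sorted(proc_pids - ps_pids):
        text = read_status(pid)
        report[pid] = classify(pid, parse_status(text) if text else None)
    return report


def _live_read_status(pid):
    """Read /proc/<pid>/status on the running system; None if it is gone."""
    try:
        with open("/proc/%d/status" % pid) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    ps_out = subprocess.run(["ps", "ax"], capture_output=True, text=True).stdout
    findings = audit(list_proc_pids(), parse_ps_pids(ps_out), _live_read_status)
    for pid, why in findings.items():
        print("%6d  %s" % (pid, why))
    if not findings:
        print("no PIDs seen by readdir that ps does not also show")
```

Run it as root on the box in question and compare its list with what chkproc -v reports. Both listings are taken a moment apart, so an "exited between the two listings" entry is noise; a thread or kernel-thread entry matches the false positives discussed in the thread; only the UNEXPLAINED entries deserve the cat /proc/<pid>/status treatment, keeping in mind Micha's caveat that /proc itself is only trustworthy if the kernel is.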
