
Re: chkrootkit



On Wed, Jan 21, 2004 at 05:09:08PM -0700, Nate Duehr wrote:
> 
> On Wednesday, Jan 21, 2004, at 16:38 America/Denver, David Sanders 
> wrote:
> 
> >I just ran chkrootkit for the first time on a woody machine and got:
> >
> >Checking `lkm'... You have     1 process hidden for ps command
> >Warning: Possible LKM Trojan installed
> >
> >Checking `sniffer'...
> >PROMISC mode detected in one of these interfaces: eth0 sit0
> >
> >What are these warnings and what should I do?
> 
> Of course you should take any and all warnings seriously until proven 
> otherwise, but I remember seeing that exact warning from a fairly 
> recently built box with a fairly new kernel on it and then doing some 
> Google searching and finding out that most modern kernels will false a 
> few warnings like that LKM Trojan warning because of some setting I 
> don't quite remember right now.
> 

Some of the kernel threads used to show up in ps as pid 0, but they are
actually some higher pid, and thus their actual pid doesn't show up in
ps. That's what used to cause the problem. It currently doesn't show
that on my system; don't know when it was changed.

Check the archives; there were several threads on the subject. I don't
remember the command, but there was one, I think under
/usr/lib/chkrootkit, that showed which processes it thinks are
lkm. Maybe someone else can help.

Also try running it several times in a row and see if that value
changes, as processes started right along with chkrootkit can foul the
test (check the docs; there is something about that).

> The PROMISC seems straightforward - something has one of your network 
> interfaces in promiscuous mode.  You can double-check this with the 
> ifconfig command... most likely it's IDS software or something similar.
> 
> If you're not sure why it's saying that, there could be something else 
> going on.  Double check the results with system commands, and if you 
> have a reason to believe the box was really compromised, don't trust 
> the system commands.  :-)
> 
> Catch-22, but you get a feel for it after a while.  Especially if you 
> know how chkrootkit behaves on your favorite kernel/distro after a 
> fresh load of software.
> 
> --
> Nate Duehr, nate@natetech.com
> 

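The two pieces of advice in this thread, re-running the hidden-process check several times and confirming PROMISC with an independent tool, can be done by hand with a little shell. The script below is an added illustration and is not from the thread, from chkrootkit, or from its authors: it snapshots the PIDs visible in /proc against the PIDs that ps reports (the same comparison chkrootkit's lkm check makes), repeats that a few times and keeps only PIDs that were "hidden" in every snapshot, and reads the promiscuous flag straight from sysfs. It assumes a Linux kernel with /proc and /sys/class/net (sysfs did not exist on the 2.4 kernels shipped with woody) and takes the IFF_PROMISC bit value 0x100 from the kernel's interface-flags ABI; neither comes from the page.

```shell
#!/bin/sh
# Added illustration (not from the thread or from chkrootkit): reproduce the
# two chkrootkit checks discussed above with plain shell so their output can
# be cross-checked.  Assumes a Linux kernel with /proc and sysfs.

# list_proc_pids [DIR]: numeric entries under /proc (or DIR, for testing).
list_proc_pids() {
    for p in "${1:-/proc}"/[0-9]*; do
        p=${p##*/}
        case $p in
            *[!0-9]*) ;;          # skip non-numeric names (and an unmatched glob)
            *) echo "$p" ;;
        esac
    done
}

# list_ps_pids: PIDs as ps reports them.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# _pid_filter WANT A B: print each PID of list A whose membership in list B
# equals WANT (1 = present in B, 0 = absent).  Lists are whitespace-separated.
_pid_filter() {
    printf '%s\n' $2 | awk -v want="$1" -v other="$3" '
        BEGIN { n = split(other, a, /[ \t\n]+/)
                for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1 }
        $1 != "" && (($1 in seen) == want) { print $1 }'
}
# hidden_pids "PROC_LIST" "PS_LIST": PIDs in /proc that ps did not report.
hidden_pids() { _pid_filter 0 "$1" "$2"; }
# common_pids "A" "B": PIDs present in both lists.
common_pids() { _pid_filter 1 "$1" "$2"; }

# stable_hidden N: take N back-to-back snapshots, print the hidden count of
# each, and finally print only the PIDs hidden in every snapshot.  A count
# that varies between runs points at processes that started or exited
# between the /proc and ps reads (the subshells this script itself spawns
# are a typical source), which is the false positive the thread describes.
stable_hidden() {
    n=${1:-5}
    i=0
    common=""
    while [ "$i" -lt "$n" ]; do
        h=$(hidden_pids "$(list_proc_pids)" "$(list_ps_pids)")
        echo "snapshot $i: $(printf '%s\n' $h | grep -c '^[0-9]') hidden"
        if [ "$i" -eq 0 ]; then common=$h; else common=$(common_pids "$common" "$h"); fi
        i=$((i + 1))
    done
    printf '%s\n' $common
}

# IFF_PROMISC bit of the interface flags word (assumed from the kernel ABI).
IFF_PROMISC=256

# is_promisc FLAGS: true when FLAGS (e.g. "0x1103", as read from
# /sys/class/net/<if>/flags) has the promiscuous bit set.
is_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces: names of interfaces currently in promiscuous mode,
# independent of what ifconfig prints.
promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        i=${f%/flags}
        is_promisc "$(cat "$f")" && echo "${i##*/}"
    done
}

# Run both checks when the script is executed directly.
if command -v ps >/dev/null 2>&1 && [ -d /proc/self ]; then
    stable_hidden 5
fi
promisc_ifaces
```

If the per-snapshot counts bounce between 0 and 1 and the final list is empty, the warning is the race the thread talks about rather than a hidden process; a PID that survives every snapshot is worth looking at in /proc/PID/ directly, and on a box you suspect, with tools that did not come from that box.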

