
[Fwd: Re: [Fwd: Re: [Fwd: Vserver Chkrootkit result: SIGINVISIBLE Adore found]]]



--- Begin Message ---
In article <44318711.6040905@rebit.it> you write:
>
>Hi,
>
>I have a security problem...
>
>I installed on the new Debian stable "sarge":
>
>#apt-get install less pwgen nmap bzip2 zip unzip lynx patch
>...
>...
>#apt-get install kernel-package kernel-source-2.4.27 
>kernel-patch-vserver ncurses-dev libdb3-dev initrd-tools
>...
>...
>#gunzip -c /usr/src/kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff.gz > /usr/src/kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff
>
>#patch -p1 < /usr/src/kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff
>...
>...
>#make dep
>#make bzImage
>#make modules
>#make modules_install
>...
>...
>Grub config....
>...
>...
>apt-get install util-vserver vserver-debiantools
>...
>...
>create a new virtual server
>#newvserver....
>
>#vserver vs1 start
>#vserver vs1 enter
>
>vs1:/# apt-get install chkrootkit
>
>dpkg -l result:
>ii  chkrootkit 0.44-2 Checks for signs of rootkits on the local system
>
>vsmail:/# chkrootkit -V
>chkrootkit version 0.44
>
>vs1:/# chkrootkit
>
>
>Searching for anomalies in shell history files... nothing found
>Checking `asp'... not infected
>Checking `bindshell'... not infected
>Checking `lkm'... SIGINVISIBLE Adore found
>Warning: Possible LKM Trojan installed
>Checking `rexedcs'... not found
>Checking `sniffer'... /proc/1/fd: Permission denied
>eth0:vsmail: not promisc and no packet sniffer sockets
>Checking `w55808'... not infected
>
>
>
>incredible!!!!!
>
>Checking `lkm'... SIGINVISIBLE Adore found
>Warning: Possible LKM Trojan installed
>
>
>I tried changing to other source mirrors... but the same result!!!
>
>
>My question is: is it a false positive, or is the new kernel bad?
>
>Best regards,
>
>Ugo Rebaudo.
>
>
>Message-ID: <443182D3.7020808@rebit.it>
>Date: Mon, 03 Apr 2006 22:17:23 +0200
>From: Ugo Rebaudo <u.rebaudo@rebit.it>
>To: Nelson Murilo <nelson@pangeia.com.br>
>Subject: Re: [Fwd: Vserver Chkrootkit result: SIGINVISIBLE Adore found]
>In-Reply-To: <20060403171930.GA21427@pangeia.com.br>
>
>Hi Nelson,
>
>in the Debian stable "sarge" official version
>
>vsmail:/# apt-get install chkrootkit
>
>dpkg -l result:
>ii  chkrootkit 0.44-2 Checks for signs of rootkits on the local system
>
>vsmail:/# chkrootkit -V
>chkrootkit version 0.44
>
>this is the information that I have sent to Herbert Poetzl,
>Vserver Project (http://linux-vserver.org)
>
>I await your feedback,
>
>thanks,
>
>Ugo Rebaudo
>
>dpkg -l result:
>
>ii  kernel-image-2 2.4.27-10sarge Linux kernel image
>     for version 2.4.27 n 386
>
>ii  kernel-package 8.135 A utility for building Linux kernel related
>
>ii  kernel-patch-v 1.9.5.5 context switching virtual private servers -
>
>ii  kernel-source- 2.4.27-10sarge Linux kernel source
>     for version 2.4.27 with
>
>My procedure:
>
>apt-get install kernel-package kernel-source-2.4.27 kernel-patch-vserver 
>ncurses-dev libdb3-dev initrd-tools
>..
>..
>..
>gunzip -c /usr/src/kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff.gz > /usr/src/kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff
>
>patch -p1 < /usr/src/kernel-patches/diffs/vserver/patch-2.4.27-9-vs1.2.10-2.diff
>
>
>I run chkrootkit inside the guest (virtual server)
>
>Please send me the result of your test,
>
>Best,
>
>Ugo Rebaudo.
>
>
>Herbert Poetzl wrote:
> > On Mon, Apr 03, 2006 at 05:24:02PM +0200, Ugo Rebaudo wrote:
> >> Incredible!!!
> >> with all the new vservers created I have this problem:
> >>
> >> chkrootkit result
> >> Possible LKM Trojan installed found!!!
> >>
> >> I have tried changing many mirror sources
> >> without resolving the problem....
> >>
> >> help me!
> >
> > interesting ... what patch version is that?
> >
> > when I find a few minutes, I will check if that
> > is 'normal' for the chkrootkit on a vserver
> > patched kernel, but it sounds suspicious
> >
> > do you run it inside the guest or on the host?
> >
> > best,
> > Herbert
> >
> >> reby.
> >>
> >>
> >> Result of chkrootkit version 0.44:
> >> ...
> >> ...
> >> Checking `lkm'... SIGINVISIBLE Adore found
> >> Warning: Possible LKM Trojan installed
> >> ...
> >> ...
> >>
> >>
> >> My configuration:
> >>
> >> linux:/# vserver-info
> >> Versions:
> >>                    Kernel: 2.4.27
> >>                    VS-API: 0x00010004
> >>              util-vserver: 0.30.204; Dec 20 2005, 16:58:50
> >>
> >> Features:
> >>                        CC: gcc, gcc (GCC) 3.3.5 (Debian 1:3.3.5-13)
> >>                       CXX: g++, g++ (GCC) 3.3.5 (Debian 1:3.3.5-13)
> >>                  CPPFLAGS: ''
> >>                    CFLAGS: '-Wall -g  -O2 -std=c99 -Wall -pedantic -W'
> >>                  CXXFLAGS: '-g -O2 -ansi -Wall -pedantic -W -fmessage-length=0'
> >>                build/host: i386-pc-linux-gnu/i386-pc-linux-gnu
> >>              Use dietlibc: yes
> >>        Build C++ programs: yes
> >>        Build C99 programs: yes
> >>            Available APIs: compat,v11,v13,fscompat,net,oldproc,olduts
> >>             ext2fs Source: e2fsprogs
> >>     syscall(2) invocation: fast
> >>       vserver(2) syscall#: 273/glibc
> >>
> >> Paths:
> >>                    prefix: /usr
> >>         sysconf-Directory: /etc
> >>             cfg-Directory: /etc/vservers
> >>          initrd-Directory: $(sysconfdir)/init.d
> >>        pkgstate-Directory: /var/run/vservers
> >>             Kernelheaders: /usr/include
> >>           vserver-Rootdir: /var/lib/vservers
> >>
> >> _______________________________________________
> >> Vserver mailing list
> >> Vserver@list.linux-vserver.org
> >> http://list.linux-vserver.org/mailman/listinfo/vserver
> >
>
>
>
>
>Nelson Murilo wrote:
>> Hi Ugo,
>> 
>> could you check if the latest version (0.46a) fixes it? 
>> 
>> Thanks for your interest in chkrootkit,
>> 
>> ./nelson -murilo
>> 
>> 
>> 
>> On Mon, Apr 03, 2006 at 05:46:06PM +0200, Ugo Rebaudo wrote:
>>> Incredible!!!
>>> with all the new vservers created I have this problem:
>>>
>>> chkrootkit result
>>> Possible LKM Trojan installed found!!!
>>>
>>> I have tried changing many mirror sources
>>> without resolving the problem....
>>>
>>> help me!
>>>
>>> reby.
>>>
>>>
>>> Result of chkrootkit version 0.44:
>>> ...
>>> ...
>>> Checking `lkm'... SIGINVISIBLE Adore found
>>> Warning: Possible LKM Trojan installed
>>> ...
>>> ...
>>>
>>>
>>> My configuration: (vserver-info output, identical to the copy quoted above)
>>>


You've misdirected an email to owner@bugs.debian.org or one of the
aliases that points to it.  This email address is only for reporting
problems with the Debian bug tracking system itself, including reports
of spam that is archived in the Debian bug tracking system.

For general information on Debian, see: http://www.debian.org/ 

To discuss things without submitting a specific bug, please use 
an appropriate mailing list such as debian-user@lists.debian.org .
For a list of Debian mailing lists, see: http://lists.debian.org/

To contact the maintainer of package foobar, send email to
foobar@packages.debian.org .

To report a new bug please follow the instructions on
http://www.debian.org/Bugs/Reporting to submit a bug report.  The
reportbug command is the recommended way.  If you don't know what
package to report the bug on, use your best guess or report it to an
appropriate pseudo-package.

To send information about an existing bug 123, send email to
123@bugs.debian.org .  To send to the submitter of 123, use
123-submitter@bugs.debian.org .  If the bug is archived (closed for 28
days with no new information) you need to request to
owner@bugs.debian.org to unarchive the bug.

http://www.debian.org/Bugs/ can be used to search the Debian bug
database by various criteria.


-- 
Blars Blarson			blarson@blars.org
				http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.



--- End Message ---
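The thread never settles whether "SIGINVISIBLE Adore found" is a false positive, and the one-line verdict does not say which views of the process table disagreed. What the `lkm` test fundamentally relies on is a cross-check: several independent views of the PID space (the `/proc` directory listing, the output of `ps`, and whether `kill(pid, 0)` reports the PID as existing) are compared, and a PID that one view reports and another hides is flagged, because a process-hiding LKM typically tampers with one view but not all of them consistently. Below is an added example of that cross-check; it is not chkrootkit's code, nor anything from util-vserver or the people in this thread. The probe commands (`ps -e -L -o lwp=`), the thread-ID expansion, and the PID sets used in the demonstration are my own assumptions and constructions. The example reports which PIDs disagree and in which direction, which is the information a practitioner needs to decide between a hidden process and a kernel that legitimately filters what each context may see.

```python
"""Hidden-process cross-check in the spirit of chkrootkit's `lkm` test.

Added example, not chkrootkit's own code. Three views of the PID space are
compared:
  * numeric entries under /proc (expanded with /proc/<pid>/task/* because
    thread IDs answer kill() but are not top-level /proc entries, a classic
    source of false positives),
  * LWP IDs printed by ps (assumed invocation: ps -e -L -o lwp=),
  * PIDs that kill(pid, 0) says exist (ESRCH: no such process,
    EPERM: exists but owned by someone else).
The classification is pure so it can be exercised on constructed sets; the
live probes run only when the file is executed as a script.
"""
import os
import subprocess
from dataclasses import dataclass, field


@dataclass
class Discrepancy:
    hidden_from_ps: set = field(default_factory=set)    # kernel sees it, ps does not list it
    hidden_from_proc: set = field(default_factory=set)  # kill(pid, 0) finds it, /proc lacks it
    only_in_ps: set = field(default_factory=set)        # ps lists it, no kernel view has it

    def suspicious(self) -> bool:
        # A PID only ps knows about is usually a transient process (ps itself,
        # or one that started mid-measurement); hiding from ps or /proc is
        # what an LKM would produce, so only those count as a finding.
        return bool(self.hidden_from_ps or self.hidden_from_proc)


def classify(proc_pids, ps_pids, alive_pids, ignore=frozenset()) -> Discrepancy:
    """Compare three views of the PID space. `ignore` holds PIDs the checker
    created itself (its own PID, the ps child) so the measurement does not
    report its own footprint as a discrepancy."""
    proc_pids = set(proc_pids) - set(ignore)
    ps_pids = set(ps_pids) - set(ignore)
    alive_pids = set(alive_pids) - set(ignore)
    kernel_view = proc_pids | alive_pids
    return Discrepancy(
        hidden_from_ps=kernel_view - ps_pids,
        hidden_from_proc=alive_pids - proc_pids,
        only_in_ps=ps_pids - kernel_view,
    )


def pids_from_proc():
    """Top-level /proc PIDs plus every thread ID under /proc/<pid>/task."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process exited or task dir not readable; keep the PID itself
    return ids


def pids_from_kill(max_pid=65536):
    """Probe with signal 0: nothing is delivered, but the kernel still reports
    whether the target exists. Capped so the scan stays fast."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # ESRCH
        except PermissionError:
            pass              # EPERM: exists, not ours
        alive.add(pid)
    return alive


def pids_from_ps():
    out = subprocess.run(["ps", "-e", "-L", "-o", "lwp="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_check() -> Discrepancy:
    # Sample the kernel views before and after ps and keep only PIDs present in
    # both samples, so a process that merely exited during the measurement is
    # not reported as hidden.
    proc1, alive1 = pids_from_proc(), pids_from_kill()
    ps = pids_from_ps()
    proc2, alive2 = pids_from_proc(), pids_from_kill()
    return classify(proc1 & proc2, ps, alive1 & alive2, ignore={os.getpid()})


if __name__ == "__main__":
    result = live_check()
    verdict = "WARNING: views of the PID space disagree" if result.suspicious() else "no hidden processes found"
    print(verdict, result)
```

Run as root for a meaningful result (unprivileged, `/proc/<pid>/task` of other users' processes is unreadable and `kill` answers EPERM, which the code treats as "exists"). When the script does report disagreement, the useful next step is to look at the listed PIDs directly (`ls -l /proc/<pid>/exe`, `cat /proc/<pid>/status`) rather than trusting either view alone.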
