[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit hidden processes possible LKM Trojan.

Ron Johnson wrote:
On 08/16/08 06:17, Wackojacko wrote:
Hi all

I realise there has been some discussion recently over the merits or otherwise of chkrootkit, but the last two days it is warning of hidden processes (ps and readdir).

After googling a little further I see this has been a problem in the past but was unable to find any recent examples.

However, using

#chkrootkit -x lkm


#chkproc -v -v

and comparing these to the output of ps and ls /proc I have determined that there are processes which do not show up on /proc or ps but I am still able to

#cd /proc/PID

for these processes and then

#cat cmdline

to find out what service is hidden.

The results suggest that icedove-bin and nepomukerserver are the main culprits, but I want to know why!!

I do not have any services running on external ports as I am behind a netgear router and have confirmed this via various external port scan sites. I do run smb, imap (dovecot), postfix, cups and apt-cacher (perl) locally for my internal network.

Am I really rooted?  Anyone else seeing something similar?

Is this your personal workstation?

How is it connected to the Intarweb? Directly, or behind a NATing firewalling router?

If directly, how many services do you have listening to ports? Get a friend to nmap you.

If this is your PC, and are behind a hardware firewall, I seriously doubt that you are compromised.

Hi Ron

Yeah this is my thinking. It is my personal workstation and I only have the services I listed above listening on the local network. I am behind a Netgear Router and external port scans show zilch!

Forgot to mention I am running Sid AMD64 with homerolled 2.6.25 Kernel. Rkhunter shows nothing but they means nothing if the system is compromised.

I suppose the next question is why are these services hiding from me?

Thanks again


Reply to: