
Re: [cobalt-security] Chkrootkit problem



Probably the RAQ is killing a process while you do the check, so in the
beginning you can see it, and afterwards you can't, so it thinks one of the
reports is true.

When does this happen, for instance?
The web server has several spawned copies from the source (in ps aux you'll
see one httpd running as "root", which is the main process, and the
others running as "httpd", which are its children). You'll notice that
the children's start time is very close to the current hour, while the
main process (which is "root") has been running since the time you rebooted the
server.
I hope that you can now understand that during the lifetime of the server,
it keeps "giving birth" to new children after they die "of old age" (after serving
X users). I think this behaviour is intended to avoid memory leaks. I
am NOT sure about WHY, but I'm sure it does.
Example from my RAQ3:
[admin@www admin]$ ps aux | grep httpd
root       568  0.0  8.7  7604 5512 ?        S    Mar08   0:03 /usr/sbin/httpd -
httpd    28527  0.0  6.5 10296 4160 ?        S    03:45   0:00 /usr/sbin/httpd -
httpd    28531  0.0  9.5 10368 6040 ?        S    03:45   0:00 /usr/sbin/httpd -
httpd    28532  0.0  9.3 10308 5900 ?        S    03:45   0:00 /usr/sbin/httpd -
httpd    28533  0.0  9.3 10308 5900 ?        S    03:45   0:00 /usr/sbin/httpd -
httpd    28534  0.0  9.3 10308 5900 ?        S    03:45   0:00 /usr/sbin/httpd -
httpd    28535  0.0  9.3 10308 5900 ?        S    03:45   0:00 /usr/sbin/httpd -

[admin@www admin]$ date
Sun Mar 11 04:26:15 MST 2001

I know you'll say, "but hey, it's a 40-minute difference", and I'll say:
"this RAQ is currently idling :P"

  Best regards,
     shimi [mailto:shimi@xxxxxxxxxxxxxxxx]


----

There are two major products that come out of Berkeley: LSD and BSD.
We don't believe this to be a coincidence.
   -- Jeremy S. Anderson

 Windows: "Where do you want to go today?"
   Linux: "Where do you want to go tomorrow?"
     BSD: "Are you guys coming or what?"

On Sun, 11 Mar 2001, Lawrence Frewin of Accommodation.com wrote:

> 
> I have started running chkrootkit (from www.chkrootkit.org) on one of our
> RAQ3's with some odd results. If I run Chkrootkit 10 times, one after the
> other, on about 3 of those runs it will randomly return the message:
> 
> "You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed"
> 
> If I run "chkrootkit -x", it also occasionally returns:
> 
> "PID 26192: not in readdir output
> PID 26192: not in ps output
> You have     1 process hidden for readdir command
> You have     1 process hidden for ps command"
> 
> On the other 7 runs out of the 10, chkrootkit finds no problems at all.  The
> hidden processes seemingly live and die very quickly.
> 
> Running "top -i" shows no untoward processes, there is nothing in crontab,
> and nothing else about the machine seems to be unusual.
> 
> This problem does not appear on another recently rebuilt RAQ we have
> however.
> 
> Can anyone enlighten us as to what could be causing it?
> 
> LF
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
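The situation both messages describe, an httpd child that exits between chkrootkit's readdir of /proc and its ps run and so turns up as "not in readdir output" / "not in ps output", is easy to reproduce and just as easy to filter: re-probe every flagged PID after a short pause and keep only the ones that are still alive. Below is an added example in Python; it is not chkrootkit's code and not code from either poster. It runs the comparison over a constructed RAQ3-style process table (the `init` line and the PIDs 26192 and 4242 in the sample are made up for illustration) and, on a Linux host, live against /proc and `ps aux`. The signal-0 probe, the Tgid check and the settle pause are assumptions of this example; the page does not show how chkrootkit itself finds the PIDs it compares.

```python
# Chkproc-style "hidden process" check with a second look that weeds out
# short-lived processes. Added example: not chkrootkit's code and not code
# from either poster. Sample data below is constructed; live_check() needs
# Linux with /proc and ps, everything else runs anywhere.
import os
import subprocess
import time

def pids_from_readdir(entries):
    """PIDs from a listing of /proc: every purely numeric directory name."""
    return {int(name) for name in entries if name.isdigit()}

def pids_from_ps_aux(text):
    """PIDs from `ps aux` output: PID is the second column, header skipped."""
    pids = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids

def hidden_candidates(probed, readdir_pids, ps_pids):
    """PIDs a signal probe found but readdir(/proc) and/or ps did not; this
    is the comparison behind "not in readdir output" / "not in ps output".
    Returns (missing_from_readdir, missing_from_ps)."""
    return probed - readdir_pids, probed - ps_pids

def confirm_hidden(candidates, probe_again):
    """Second look. A candidate that no longer answers the probe exited
    between the two samples (an httpd child finishing, say): false positive.
    One still alive yet absent from readdir and ps deserves attention.
    probe_again(pid) -> True if the PID exists right now."""
    still_alive = {pid for pid in candidates if probe_again(pid)}
    return still_alive, candidates - still_alive

def probe_pid(pid):
    """Signal-0 probe: the kernel answers for any live PID whether or not a
    hooked readdir lets it show in /proc. EPERM still means 'exists'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def is_thread_id(pid):
    """Thread IDs also answer kill(tid, 0) but are listed neither in
    readdir(/proc) nor by `ps aux`; /proc/<tid>/status is still readable and
    its Tgid line tells a thread apart from a process, so skip those."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def live_check(settle_seconds=0.5):
    """Run the check on this host (a few seconds with a large pid_max)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    except OSError:
        max_pid = 32768
    probed = {pid for pid in range(1, max_pid + 1)
              if probe_pid(pid) and not is_thread_id(pid)}
    readdir_pids = pids_from_readdir(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "aux"], capture_output=True, text=True,
                            check=True).stdout
    missing_rd, missing_ps = hidden_candidates(probed, readdir_pids,
                                               pids_from_ps_aux(ps_out))
    time.sleep(settle_seconds)  # let processes caught mid-exit finish
    return confirm_hidden(missing_rd | missing_ps, probe_pid)

# Constructed sample (not from the thread): child 26192 exits between the
# probe and the ps run; 4242 stays alive but appears in neither listing.
SAMPLE_PS_AUX = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.4  1104  460 ?        S    Mar08   0:04 init
root       568  0.0  8.7  7604 5512 ?        S    Mar08   0:03 /usr/sbin/httpd -
httpd    28527  0.0  6.5 10296 4160 ?        S    03:45   0:00 /usr/sbin/httpd -
httpd    28531  0.0  9.5 10368 6040 ?        S    03:45   0:00 /usr/sbin/httpd -
"""
SAMPLE_PROC_LISTING = ["1", "568", "28527", "28531", "self", "cpuinfo", "meminfo"]
SAMPLE_PROBED = {1, 568, 28527, 28531, 26192, 4242}
SAMPLE_ALIVE_LATER = {1, 568, 28527, 28531, 4242}

def sample_run():
    """Returns ({still hidden}, {transient}) for the constructed sample."""
    missing_rd, missing_ps = hidden_candidates(
        SAMPLE_PROBED,
        pids_from_readdir(SAMPLE_PROC_LISTING),
        pids_from_ps_aux(SAMPLE_PS_AUX))
    return confirm_hidden(missing_rd | missing_ps,
                          lambda pid: pid in SAMPLE_ALIVE_LATER)

if __name__ == "__main__":
    print("sample:", sample_run())  # ({4242}, {26192})
    if os.path.isdir("/proc"):
        print("live:", live_check())
```

On the constructed sample the first pass flags both 26192 and 4242, exactly the kind of one-run-in-three warning described above; the re-probe drops 26192 as transient and leaves only 4242, the case that would actually merit pulling the box off the network. Two caveats for the live run: a /proc mounted with `hidepid` hides other users' processes from readdir and ps by design and will show up here as "hidden", and a single re-probe only filters noise, it does not prove a kernel is clean, so a PID that survives the second look still needs an independent check (a reboot from trusted media and an offline look at the filesystem, for instance).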