Re: [cobalt-security] [raq 4] possible LKM Trojan installed
- Subject: Re: [cobalt-security] [raq 4] possible LKM Trojan installed
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 17 Jul 2002 16:03:15 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Sean,
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Is there anything that can cause a false reading.. Or have I been
> rooted?
The hidden process check of chkrootkit can and will sometimes report hidden
processes when there are none. These *false* alarms will happen mostly when
you're running many dynamic processes, like Apache, MySQL or ASP.
Why does it happen? Chkrootkit compares the processes in the /proc/ directory
with those shown by the command "ps". If both outputs don't match, then it'll
give an alert. However, the comparison takes a few moments and if a process
ends during the comparison, then that will cause a false alarm.
How to run the test manually for cross checking:
As root:
go to the directory where you have chkrootkit installed and issue the command
shown below:
./chkrootkit -x lkm
That will show a detailed listing of the suspicious processes in question and
can help you to look further into the issue. If the listing comes up empty
(see example below), then there is nothing to worry about.
[root admin]# cd /home/security/chkrootkit/
[root chkrootkit]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###
[root chkrootkit]#
If it shows process numbers instead of the empty listing as shown above,
then you can (and should) start to track down the hidden processes by
evaluating your /proc/ directory manually - with special attention to the
directories with the same number as the hidden processes named by chkrootkit.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
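The /proc-versus-ps comparison that the reply describes, and the race that makes it fire falsely, as an added example that is not chkrootkit's own chkproc code: it takes the naive single-pass difference, then re-samples after a short delay so that a PID which merely exited between the two snapshots is dropped, while a PID that persists in /proc yet never appears in ps is reported. It assumes a Linux host with a mounted /proc and a procps-style ps; the reader functions are injectable so the logic can be exercised with constructed PID sets.

```python
"""Two-pass variant of the /proc vs ps hidden-process check (illustrative, not chkrootkit's code)."""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directories under /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs as reported by ps; a process hidden from ps by an LKM would be missing here."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(proc_set, ps_set):
    """Single-pass comparison: present in /proc but absent from ps.
    This alone is what produces the false alarm when a process exits mid-check."""
    return proc_set - ps_set


def confirm_hidden(candidates, proc_again, ps_again):
    """Keep only candidates that still exist in /proc and are still missing from ps.
    A candidate that vanished from /proc simply ended between the snapshots."""
    return {pid for pid in candidates if pid in proc_again and pid not in ps_again}


def check_hidden(read_proc=proc_pids, read_ps=ps_pids, delay=0.5):
    """Run the comparison twice; return the set of PIDs that survive both passes."""
    first = hidden_candidates(read_proc(), read_ps())
    if not first:
        return set()
    time.sleep(delay)          # let short-lived processes finish exiting
    return confirm_hidden(first, read_proc(), read_ps())


if __name__ == "__main__":
    # On a real host: anything left here is worth inspecting under /proc/<pid>/
    print("persistently hidden PIDs:", sorted(check_hidden()))
```

An empty result corresponds to the empty "./chkproc -v" listing in the reply; a non-empty one names the /proc/<pid>/ directories to examine by hand.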