Re: [cobalt-security] I think this may be an issue
- Subject: Re: [cobalt-security] I think this may be an issue
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sat, 8 Mar 2003 02:00:57 +0100
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> chkroot gave this email message.
>
> `bindshell'... not infected
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
>
> how would I verify if this is true?
The hidden process check can and will sometimes report hidden processes when
there are none. Please be aware of these *false* alarms which will happen
mostly when you're running many dynamic processes. Like Apache, MySQL or ASP.
Why does it happen?
For that we have to take a look at how Chkrootkit works. It compares the
processes in the /proc/ directory with those shown by the command "ps".
If both outputs do not match, then it'll give an alert.
However, the comparison takes a few moments and if a process ends
(naturally) during the comparison, then that will cause a false alarm.
You should only worry if you see it on a couple of reports in a row.
How to run the test manually for cross checking:
As root:
cd /home/security/chkrootkit/ (or where your chkrootkit is installed)
./chkrootkit -x lkm
That will show a detailed listing of the suspicious processes in question and
can help you to look further into the issue. If the listing comes up empty
(see example below), then there is nothing to worry about.
[root admin]# cd /home/security/chkrootkit/
[root chkrootkit]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###
So that report came back empty. There are no hidden processes and there is
nothing to worry about.
--
With best regards,
Michael Stauber
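The race Michael describes (a process exiting between the /proc readdir pass and the ps pass) can be reproduced and filtered with a few lines of Python. The script below is an added example, not chkrootkit's own chkproc code: it takes the same two views chkproc compares and then intersects several passes, so a PID that is only transiently missing from ps drops out while a PID that stays invisible to ps in every pass remains. It assumes a Linux /proc and a procps-style `ps` that accepts `-eo pid=`; the sample snapshots in the test are constructed, not real output.

```python
import os
import subprocess
import time


def proc_pids():
    """PIDs visible through readdir on /proc (chkproc's first view)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs reported by ps (chkproc's second view)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(proc_view, ps_view):
    """Single-pass comparison, as chkrootkit reports it: anything readdir saw
    that ps did not. A process that exited in between lands here too, which
    is exactly the false alarm described in the thread."""
    return set(proc_view) - set(ps_view)


def persistent_hidden(snapshots):
    """Intersect the candidate sets of several passes. A PID that merely
    exited between the two views of one pass is absent from the next pass's
    /proc listing and so falls out of the intersection; a PID an LKM hides
    from ps is present in /proc and absent from ps every time."""
    result = None
    for proc_view, ps_view in snapshots:
        cand = hidden_candidates(proc_view, ps_view)
        result = cand if result is None else result & cand
    return result if result else set()


def collect_snapshots(passes=3, pause=0.5):
    """Take `passes` (proc, ps) snapshots from the live system, pausing between
    them so short-lived children (CGI, cron jobs) get a chance to go away."""
    snaps = []
    for _ in range(passes):
        snaps.append((proc_pids(), ps_pids()))
        time.sleep(pause)
    return snaps


if __name__ == "__main__":
    hidden = persistent_hidden(collect_snapshots())
    print("persistently hidden PIDs:", sorted(hidden) or "none")
```

Run it as root a couple of times on a box that chkrootkit flagged; an empty result on repeated runs matches the empty `-x lkm` listing in the reply, while a PID that keeps coming back deserves a closer look.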