
Re: [cobalt-security] chkrootkit LKM Detection?



On Sun, 2003-10-05 at 11:49, James Zawacki wrote:
> Hello,  Just out of the blue, I've just started receiving these in my chkrootkit output some nights.  Other nights it doesn't show up.
> 

I have seen this and I went crazy testing a whole bunch of machines only
to find it was a false positive in my case.  The one box in question was
running sendmail and was routing a lot of messages to an internal mail
server.  Many sendmail child processes were being forked and there is a
bit of a race condition there if the process count is changing very
rapidly, i.e. if the count changes between the ps and chkrootkit tests. 
There are potentially a number of things that could cause rapid process
count changes like shell scripts or stuff launched by inetd so the
trigger could be something other than sendmail.  I guess you could wrap
chkrootkit in a small script that does three tests in succession and
only warns you on multiple failures, or see if there is a way to decrease
the latency in the chkrootkit test.

Eric

> <snip>
> Checking `lkm'... You have     2 process hidden for readdir command
> You have     2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0 is not promisc
> </snip>
> 
> Now, from my research, it sounds like it's common under RedHat?  But why did it just start happening, and why only on this box?  None of my other Raq4's are showing this.
> 
> Thanks,
> James
> 
> 
> 
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
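The wrapper Eric describes, repeating the comparison several times and
only warning when a process is missing from ps in every round, as an
added example script. This is not chkrootkit's own code and was not
posted in the thread; it reimplements the idea behind chkrootkit's `lkm`
test (PIDs visible via readdir() on /proc but absent from ps) with its
own function names (readdir_pids, ps_pids, hidden_once,
consistently_hidden, check_lkm) and a default of three rounds, all of
which are my choices. The ls/ps/grep pipelines themselves are
short-lived processes and show up in one view but not the other, which
is exactly the kind of transient the intersection across rounds is
meant to discard.

```shell
#!/bin/sh
# lkmcheck.sh: added example, not chkrootkit's code. Repeat the
# /proc-readdir vs ps comparison N times and report only PIDs that are
# missing from ps in EVERY round. A sendmail child, an inetd-spawned job
# or a shell script started between the two snapshots is hidden for one
# round at most; a process hidden by a kernel module stays hidden.
set -u

# View 1: PIDs as seen by readdir() on /proc.
readdir_pids() {
    ls /proc 2>/dev/null | grep -E '^[0-9]+$' | sort -n
}

# View 2: PIDs as reported by ps.
ps_pids() {
    ps -eo pid= | tr -d ' ' | grep -E '^[0-9]+$' | sort -n
}

# One snapshot: PIDs present in /proc but absent from ps.
# With an empty ps list grep -f matches nothing, so every /proc PID is
# printed, which is the right answer for that (pathological) case.
hidden_once() {
    a=$(mktemp) b=$(mktemp)
    readdir_pids >"$a"
    ps_pids >"$b"
    grep -vxF -f "$b" "$a" || true
    rm -f "$a" "$b"
}

# Intersection of the per-round hidden sets over $1 rounds.
consistently_hidden() {
    rounds=$1
    acc=$(mktemp) cur=$(mktemp) next=$(mktemp)
    hidden_once >"$acc"
    i=1
    while [ "$i" -lt "$rounds" ]; do
        hidden_once >"$cur"
        # keep only lines of $acc that also appear in $cur
        grep -xF -f "$cur" "$acc" >"$next" || true
        cat "$next" >"$acc"
        i=$((i + 1))
    done
    cat "$acc"
    rm -f "$acc" "$cur" "$next"
}

# Warn (exit 1) only when some PID was hidden in all rounds.
check_lkm() {
    hidden=$(consistently_hidden "${1:-3}")
    if [ -n "$hidden" ]; then
        echo "Warning: PIDs hidden from ps in every round: $(echo "$hidden" | tr '\n' ' ')"
        return 1
    fi
    echo "ok: no consistently hidden processes"
    return 0
}

# Usage: sh lkmcheck.sh run [rounds]
if [ "${1:-}" = "run" ]; then
    check_lkm "${2:-3}"
fi
```

Running it from cron in place of, or alongside, the nightly chkrootkit
turns the intermittent "Possible LKM Trojan" into a warning that only
fires when the same PID survives all rounds; a few hundred milliseconds
of sleep between rounds would make PID reuse between snapshots even less
likely, at the cost of a slightly longer run.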