Security Basics mailing list archives
Re: Bug in chkrootkit ?
From: entmoot () gmx de
Date: Thu, 31 Jul 2003 00:14:29 +0200
Hi,

On Wed Jul 30 01:30PM, Michael Weber wrote:
> Hi there,
>
> When starting "chkrootkit" (v 0.38) I get the message: "You have 4 process hidden for ps command" and the hint for a probably installed "LKM Rootkit". So far, so good.
>
> "chkproc" with verbose option enabled (-v) says:
>
> [mw@zeus chkrootkit-0.38]# ./chkproc -v
> PID 26194: not in ps output
> PID 26195: not in ps output
> PID 26196: not in ps output
> PID 26197: not in ps output
> You have 4 process hidden for ps command
>
> That's fine, now we know the PID and can ask...
>
> [mw@zeus chkrootkit-0.38]# ps p 26194
>   PID TTY      STAT   TIME COMMAND
> 26194 ?        S      0:00 named -u named
>
> Seems to be the name daemon, that's okay - a little nameserver for the local net (and only reachable by the local IP) is running. The 3 others deliver the same output.
>
> Looks like a bug in "chkrootkit" but - how safe can I be that this is really a bug and not a clever LKM? I guess that a rootkit will not be named "youhavebeencracked"...

Does a 'ps auxww' also show the named processes? If not, it's possible that chkrootkit is right. You can also look with netstat to see if 'named' is really just listening on your local network. Also, you can try to connect to those ports, to make it a bit clearer what it really is.

greets,
andreas
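The cross-check suggested in this reply, as an added example that is not part of the original message and not chkrootkit code: it parses `chkproc -v` lines in the format quoted above and compares each flagged PID against a second view of the process table. The function names are hypothetical, and it assumes a Linux `/proc` whose `status` file carries `Name`, `Tgid` and `Pid`.

```python
import os
import re
import subprocess

# Matches lines such as "PID 26194: not in ps output" from `chkproc -v`.
CHKPROC_LINE = re.compile(r"PID\s+(\d+): not in ps output")

def parse_chkproc(text):
    """Return the PIDs that chkproc -v reported as missing from ps."""
    return [int(m.group(1)) for m in CHKPROC_LINE.finditer(text)]

def read_status(pid, proc_root="/proc"):
    """Read Name, Tgid and Pid from <proc_root>/<pid>/status, or None if absent."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
    except OSError:
        return None
    return {k: fields[k].strip() for k in ("Name", "Tgid", "Pid") if k in fields}

def ps_pids():
    """PIDs that `ps -e` lists right now (processes only, no threads)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def triage(chkproc_text, visible, proc_root="/proc"):
    """Classify each flagged PID; `visible` is the set of PIDs ps reports."""
    report = {}
    for pid in parse_chkproc(chkproc_text):
        st = read_status(pid, proc_root)
        if st is None:
            report[pid] = "gone (exited since the chkproc run)"
        elif pid in visible:
            report[pid] = "listed by ps now: " + st.get("Name", "?")
        elif st.get("Tgid") not in (None, str(pid)):
            # A Tgid different from the PID marks a thread of another process.
            report[pid] = "thread of PID %s (%s)" % (st["Tgid"], st.get("Name", "?"))
        else:
            report[pid] = "NOT in ps, not a thread: investigate " + st.get("Name", "?")
    return report

# Constructed sample in the format quoted in the message above.
SAMPLE = """PID 26194: not in ps output
PID 26195: not in ps output
You have 4 process hidden for ps command
"""

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE, ps_pids()).items():
        print(pid, verdict)
```

Every verdict here is read from the running kernel, so a loaded module that hides processes could falsify `/proc` as well; the netstat and connect checks from a second host remain the independent view.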