Security Basics mailing list archives

Re: Bug in chkrootkit ?


From: Tony Meman <none () superig com br>
Date: Wed, 30 Jul 2003 17:03:11 -0300

Sometimes processes are created and destroyed too fast for chkrootkit
and you could get a false alarm. But that doesn't seem to be your case.

What chkrootkit does is check ps output against /proc information (which
should be the same). Try to change to /proc/PID, e.g. /proc/26194, and
play with cmdline, environ and the other special files.

You can verify where the binary that's really running is; you can even
try to get a memory dump of it in case it has been erased from the fs.
Check the PATH env variable and PWD from /proc/PID/environ to see where
the binary is.

I wish you good luck.

Regards,

--
Marcello Azambuja

Michael Weber wrote:
Hi there,

I am relatively new to security purposes and to this list. My name is
Michael Weber, I'm a network admin from Germany and I hope you can help
me to solve this riddle:

When starting "chkrootkit" (v 0.38) I get the message:

"You have 4 process hidden for ps command" and the hint of a probably
installed "LKM Rootkit". So far, so good. "chkproc" with the verbose option
enabled (-v) says:

[mw@zeus chkrootkit-0.38]# ./chkproc -v
PID 26194: not in ps output
PID 26195: not in ps output
PID 26196: not in ps output
PID 26197: not in ps output
You have 4 process hidden for ps command

That's fine, now we know the PID and can ask...

[mw@zeus chkrootkit-0.38]# ps p 26194
PID TTY      STAT   TIME COMMAND
26194 ?        S      0:00 named -u named

Seems to be the name daemon, that's okay - a little nameserver for the
local net (and only reachable by the local IP) is running. The 3 others
deliver the same output. Looks like a bug in "chkrootkit" but - how safe
can I be that this is really a bug and not a clever LKM? I guess that
a rootkit will not be named "youhavebeencracked"...

Sorry for my English, feel free to correct it if necessary.

regards,
Michael Weber
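An added example (not from either poster) of the /proc-versus-ps comparison and the /proc/PID inspection the reply describes, in Python: it re-checks candidate PIDs so that a process which exited between the two listings is not reported as hidden, and parses cmdline and environ to show argv, PATH, PWD and whether the running binary has been unlinked from disk. The environ contents and exe link in the sample are constructed; the argv matches the ps output quoted above.

```python
import os
import subprocess

def split_nul(blob):
    """Split a /proc/PID/cmdline or /proc/PID/environ blob; each field is NUL-terminated."""
    return [f.decode("utf-8", "replace") for f in blob.split(b"\0") if f]

def parse_environ(blob):
    """/proc/PID/environ bytes -> dict; an entry without '=' gets an empty value."""
    env = {}
    for entry in split_nul(blob):
        key, _, value = entry.partition("=")
        env[key] = value
    return env

def describe(cmdline_blob, environ_blob, exe_target):
    """Summarise a process as the reply suggests: its argv, where PATH and PWD
    point, and whether the running binary was unlinked from the filesystem
    (the kernel appends ' (deleted)' to the /proc/PID/exe link target)."""
    env = parse_environ(environ_blob)
    return {"argv": split_nul(cmdline_blob), "exe": exe_target,
            "exe_deleted": exe_target.endswith(" (deleted)"),
            "PATH": env.get("PATH", ""), "PWD": env.get("PWD", "")}

def hidden_pids(proc_pids, ps_pids, recheck):
    """PIDs present in /proc but absent from ps, confirmed by a second snapshot
    so that a process which exited between the two listings (the race the
    reply mentions) is not reported. `recheck` returns a fresh (proc, ps) pair."""
    candidates = proc_pids - ps_pids
    if not candidates:
        return set()
    later_proc, later_ps = recheck()
    return {p for p in candidates if p in later_proc and p not in later_ps}

def live_snapshot():
    """Current PID sets from /proc and from 'ps -e -o pid=' (bare PIDs, no header)."""
    in_proc = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return in_proc, {int(tok) for tok in out.split()}

# Constructed sample data: the argv from the ps output in the post, plus an
# invented environ and exe link for a binary that has been removed from disk.
SAMPLE_CMDLINE = b"named\0-u\0named\0"
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0PWD=/var/named\0"
SAMPLE_EXE = "/usr/sbin/named (deleted)"

def demo():
    """Inspect the constructed sample instead of a live PID."""
    return describe(SAMPLE_CMDLINE, SAMPLE_ENVIRON, SAMPLE_EXE)
```

On a live system, `hidden_pids(*live_snapshot(), live_snapshot)` returns the PIDs to inspect; reading /proc/PID/environ of another user's process needs root.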
