Your message dated Wed, 18 May 2005 15:30:21 +1000
with message-id <[EMAIL PROTECTED]>
and subject line chrootkit bug, glibc or kernel bug
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 31 Dec 2004 09:12:17 +0000
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: procps: ps fails to output several processes; false positives in
chkrootkit
X-Mailer: reportbug 3.2
Date: Fri, 31 Dec 2004 10:12:17 +0100
Package: procps
Version: 1:3.2.1-2
Severity: normal
Hi, this night I got my daily mail from cron (2004-12-31 6:24):
-----------
/etc/cron.daily/chkrootkit:
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
ath0: PACKET SNIFFER(/usr/sbin/snort[24730])
----------
While the snort is wanted, I took a detailed look at the possible LKM
Trojan:
# /usr/lib/chkrootkit/chkproc -v -v
PID 25472(/proc/25472): not in readdir output
PID 25472: not in ps output
CWD 25472: /var/lib/mysql
EXE 25472: /usr/sbin/mysqld
PID 25473(/proc/25473): not in readdir output
PID 25473: not in ps output
CWD 25473: /var/lib/mysql
EXE 25473: /usr/sbin/mysqld
PID 29981(/proc/29981): not in readdir output
PID 29981: not in ps output
CWD 29981: /var/lib/zope/script
EXE 29981: /usr/bin/python2.2
PID 29982(/proc/29982): not in readdir output
PID 29982: not in ps output
CWD 29982: /var/lib/zope/script
EXE 29982: /usr/bin/python2.2
PID 29983(/proc/29983): not in readdir output
PID 29983: not in ps output
CWD 29983: /var/lib/zope/script
EXE 29983: /usr/bin/python2.2
PID 29984(/proc/29984): not in readdir output
PID 29984: not in ps output
CWD 29984: /var/lib/zope/script
EXE 29984: /usr/bin/python2.2
Those processes are perfectly wanted, and for
some reason ps only outputs the first instance of them:
scriptserver:/b/2004-12-31# ps -ef | grep python2.2
root 29974 1 0 Dec20 ? 00:00:00 /usr/bin/python2.2
    /usr/lib/zope/z2.py -L [EMAIL PROTECTED] -a 127.0.0.1 -l
    /var/log/zope/default/Z2.log --pid /var/run/zope/default/Z2.pid -z
    /usr/lib/zope -u zope -w 9673 -F 23456 -M
    /var/log/zope/default/Z2-detailed.log -p /var/lib/zope/cgi-bin/default
    INSTANCE_HOME=/var/lib/zope/instance/default
    SOFTWARE_HOME=/usr/lib/zope/lib/python
zope 29975 29974 0 Dec20 ? 00:00:13 /usr/bin/python2.2
    /usr/lib/zope/z2.py -L [EMAIL PROTECTED] -a 127.0.0.1 -l
    /var/log/zope/default/Z2.log --pid /var/run/zope/default/Z2.pid -z
    /usr/lib/zope -u zope -w 9673 -F 23456 -M
    /var/log/zope/default/Z2-detailed.log -p /var/lib/zope/cgi-bin/default
    INSTANCE_HOME=/var/lib/zope/instance/default
    SOFTWARE_HOME=/usr/lib/zope/lib/python
root 11340 10499 0 10:10 pts/1 00:00:00 grep python2.2
Looks like a bug, eh?
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.6.8-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages procps depends on:
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an
ii libncurses5 5.4-4 Shared libraries for terminal hand
-- no debconf information
---------------------------------------
Received: (at 287962-done) by bugs.debian.org; 18 May 2005 05:30:49 +0000
Date: Wed, 18 May 2005 15:30:21 +1000
To: [EMAIL PROTECTED]
Subject: chrootkit bug, glibc or kernel bug
From: [EMAIL PROTECTED] (Craig Small)
This bug looked like a transient bug caused by a combination of
chkrootkit, glibc and kernel.
--
Craig Small GnuPG:1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.enc.com.au/ MIEE Debian developer
csmall at : enc.com.au ieee.org debian.org
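
Added example (not part of the bug report or of chkrootkit): a triage helper for the `chkproc -v -v` output quoted in the report. It assumes one common benign explanation that the thread itself does not confirm: on Linux 2.6 and later, thread IDs can be opened as /proc/<tid> but are not listed by readdir on /proc, so a flagged ID whose Tgid differs from its own number is a thread of a visible process. The function names and the sample status text used to exercise it are constructed for illustration.

```python
import re

# Subset of the chkproc -v -v lines quoted in the report.
CHKPROC_OUTPUT = """\
PID 25472(/proc/25472): not in readdir output
PID 25472: not in ps output
CWD 25472: /var/lib/mysql
EXE 25472: /usr/sbin/mysqld
PID 29981(/proc/29981): not in readdir output
PID 29981: not in ps output
CWD 29981: /var/lib/zope/script
EXE 29981: /usr/bin/python2.2
"""

LINE = re.compile(r"^(PID|CWD|EXE) (\d+)(?:\(/proc/\d+\))?: (.*)$")

def parse_chkproc(text):
    """Group chkproc lines into {pid: {"flags": set, "cwd": str, "exe": str}}."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, pid, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = found.setdefault(pid, {"flags": set(), "cwd": None, "exe": None})
        if kind == "PID":
            entry["flags"].add(rest)
        else:
            entry[kind.lower()] = rest
    return found

def read_status(pid):
    """Return the text of /proc/<pid>/status, or None if the ID has vanished."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None

def classify(pid, status_text):
    """Separate threads and exited tasks from IDs that still need a closer look."""
    if status_text is None:
        return "gone (exited between checks)"
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    tgid = fields.get("Tgid", "").strip()
    if not tgid.isdigit():
        return "unknown (no Tgid field)"
    if int(tgid) != pid:
        return f"thread of process {tgid}"
    return "thread-group leader missing from readdir: investigate"

def triage(text, status_reader=read_status):
    """Classify every PID that chkproc flagged; status_reader is injectable for tests."""
    return {pid: classify(pid, status_reader(pid)) for pid in sorted(parse_chkproc(text))}
```

Run `triage(CHKPROC_OUTPUT)` on the affected host while the flagged IDs still exist; only entries reported as a missing thread-group leader warrant rootkit investigation.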