Hello list, I have the following here:

chkrootkit:

Checking `lkm'... You have 9 process hidden for readdir command
You have 9 process hidden for ps command
Warning: Possible LKM Trojan installed

# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 1278: not in readdir output
PID 1278: not in ps output
CWD 1278: /var/cache/bind
EXE 1278: /usr/sbin/named
PID 1279: not in readdir output
PID 1279: not in ps output
CWD 1279: /var/cache/bind
EXE 1279: /usr/sbin/named
PID 1280: not in readdir output
PID 1280: not in ps output
CWD 1280: /var/cache/bind
EXE 1280: /usr/sbin/named
PID 1292: not in readdir output
PID 1292: not in ps output
CWD 1292: /
EXE 1292: /usr/sbin/lwresd
PID 1293: not in readdir output
PID 1293: not in ps output
CWD 1293: /
EXE 1293: /usr/sbin/lwresd
PID 1294: not in readdir output
PID 1294: not in ps output
CWD 1294: /
EXE 1294: /usr/sbin/lwresd
PID 1751: not in readdir output
PID 1751: not in ps output
CWD 1751: /
EXE 1751: /usr/sbin/ippl
PID 1752: not in readdir output
PID 1752: not in ps output
CWD 1752: /
EXE 1752: /usr/sbin/ippl
PID 10779: not in readdir output
PID 10779: not in ps output
CWD 10779: /home/gerhard
EXE 10779: /usr/bin/python2.3
You have 9 process hidden for readdir command
You have 9 process hidden for ps command

Also:

chkrootkit:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/plt/bin/.libs
/usr/lib/plt/collects/readline/.DS_Store
/usr/lib/jdk/1.1/bin/i386/green_threads/.extract_args
/usr/lib/jdk/1.1/bin/i386/native_threads/.extract_args
/usr/lib/jdk/1.1/bin/.java_wrapper
/usr/lib/blender/.Blanguages
/usr/lib/blender/.bfont.ttf
/usr/lib/GNUstep/System/Library/Cenon/Projects/DTP/Advertising.cenon/.gwdir
/usr/lib/GNUstep/System/Library/Cenon/Projects/DTP/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Projects/Models/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Projects/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Projects/Shapes/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Projects/NoSmoking/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Devices/hpgl/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Devices/din/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Devices/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Devices/gerber/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/ai/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/ps/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/PCB/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/dxf/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/hpgl/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/Gerber/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Examples/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/.dir.tiff
/usr/lib/GNUstep/System/Library/Cenon/Documentation/.dir.tiff
/usr/lib/j2se/1.3/bin/.java_wrapper
/usr/lib/j2se/1.3/jre/bin/.java_wrapper
/usr/lib/plt/bin/.libs

kavscanner warning: /usr/lib/libcupsimage.so.2

samhain:

-----BEGIN MESSAGE-----
[2004-05-20T14:55:12+0200] 127.0.0.1
CRIT : [2004-05-20T14:54:26+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/fetchmailrc>, ctime_old=<[2004-05-16T12:53:00]>, ctime_new=<[2004-05-20T12:53:56]>,
CRIT : [2004-05-20T14:54:31+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups>, ctime_old=<[2004-05-16T12:52:12]>, ctime_new=<[2004-05-20T12:52:53]>,
CRIT : [2004-05-20T14:54:31+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups/classes.conf>, ctime_old=<[2004-05-16T12:52:12]>, ctime_new=<[2004-05-20T12:52:53]>,
CRIT : [2004-05-20T14:54:32+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups/printers.conf>, ctime_old=<[2004-05-16T12:52:12]>, ctime_new=<[2004-05-20T12:52:53]>,
CRIT : [2004-05-20T14:54:32+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups/ppd>, ctime_old=<[2004-05-16T12:52:12]>, ctime_new=<[2004-05-20T12:52:53]>,
CRIT : [2004-05-20T14:54:32+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/cups/cupsd.conf>, ctime_old=<[2004-05-16T12:52:12]>, ctime_new=<[2004-05-20T12:52:53]>,
CRIT : [2004-05-20T14:55:06+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/X11/twm>, ctime_old=<[2004-05-03T01:47:14]>, ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, mtime_new=<[2004-05-16T13:39:53]>,
CRIT : [2004-05-20T14:55:06+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/X11/twm/system.twmrc>, ctime_old=<[2004-05-03T01:47:14]>, ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, mtime_new=<[2004-05-16T13:39:53]>,
CRIT : [2004-05-20T14:55:06+0200] msg=<POLICY [ReadOnly] --------T->, path=</etc/X11/twm/menudefs.hook>, ctime_old=<[2004-05-03T01:47:14]>, ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, mtime_new=<[2004-05-16T13:39:53]>,
CRIT : [2004-05-20T14:55:12+0200] msg=<POLICY [ReadOnly] C--I----TS>, path=</etc/email-addresses>, inode_old=<1785977>, inode_new=<1785986>, size_old=<312> size_new=<339> ctime_old=<[2003-03-30T22:36:26]>, ctime_new=<[2004-05-16T22:57:43]>, mtime_old=<[2003-03-12T20:59:48]>, mtime_new=<[2004-05-16T22:57:43]>, chksum_old=<5681EE36A91B60A4BE3C05C049EF6699763EF29ABE18E75E>, chksum_new=<6D7B9E8F4166B15A00FD00802A09B526E0AE18C8838AAB68>,

Do I need to worry?

ciao
Gerhard
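
As an added example (not part of the original post and not chkrootkit code): a small Python parser for the `chkproc -v -v` lines quoted above that groups the reported PIDs by executable, so each binary only has to be reviewed once. The names `parse_chkproc` and `group_by_exe` are hypothetical, and the sample is an excerpt covering 3 of the 9 PIDs from the post.

```python
import re
from collections import defaultdict

# Excerpt of the `chkproc -v -v` lines quoted in the post (3 of the 9 PIDs).
SAMPLE = """\
PID 1278: not in readdir output
PID 1278: not in ps output
CWD 1278: /var/cache/bind
EXE 1278: /usr/sbin/named
PID 1279: not in readdir output
PID 1279: not in ps output
CWD 1279: /var/cache/bind
EXE 1279: /usr/sbin/named
PID 10779: not in readdir output
PID 10779: not in ps output
CWD 10779: /home/gerhard
EXE 10779: /usr/bin/python2.3
"""

LINE = re.compile(r"^(PID|CWD|EXE)\s+(\d+):\s+(.+)$")
HIDDEN = re.compile(r"not in (\w+) output")


def parse_chkproc(text):
    """Return {pid: {"hidden_from": set, "cwd": str|None, "exe": str|None}}."""
    procs = defaultdict(lambda: {"hidden_from": set(), "cwd": None, "exe": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines such as "### Output of: ..." are skipped
        kind, pid, rest = m.group(1), int(m.group(2)), m.group(3)
        if kind == "PID":
            hit = HIDDEN.search(rest)
            if hit:
                procs[pid]["hidden_from"].add(hit.group(1))
        else:
            procs[pid][kind.lower()] = rest
    return dict(procs)


def group_by_exe(procs):
    """Map executable path -> sorted PIDs, so each binary is reviewed once."""
    groups = defaultdict(list)
    for pid, info in procs.items():
        groups[info["exe"] or "<unknown>"].append(pid)
    return {exe: sorted(pids) for exe, pids in sorted(groups.items())}


if __name__ == "__main__":
    for exe, pids in group_by_exe(parse_chkproc(SAMPLE)).items():
        print(f"{exe}: {pids}")
```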