Exactly. Analysis, and prevention, still need to be done. It could be that there are really hidden processes/threads that are benign.

On 4/28/06, Paul Patrick C. Prantilla <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just wanted to mention to the original poster that there are cases of
> false positives regarding the line "You have X process hidden for
> readdir command" from chkrootkit. You can read about them in Google.
> I've also experienced such false positives before.
>
> Still, as the others advise... you should of course still take the
> necessary precaution steps. I just thought to mention false
> positives because I've never actually seemed to have reliable output with
> rkhunter or chkrootkit and hardly rely on them anymore... and I read
> about people who feel the same way. I like using file integrity checkers
> like Tripwire instead.
>
> -Paul
>
> Xander Solis wrote:
> > Hi,
> >
> > You could try to boot into single user mode, and copy ps from another
> > Linux machine to check and verify the same output. Don't have the new
> > ps in the same path as the old ps. Or execute the command
> > directly (./ps). You could also use check-ps, as another
> > alternative, to check and verify the running
> > processes (http://www.la-samhna.de/misc/)
> >
> > Next step is to check and verify if all data backups are intact; you
> > would need it especially if it's a production server :) You may
> > eventually need to re-install the server, as you may not know totally
> > what other malicious code is in that machine if you don't employ HIDS
> > to verify the filesystem integrity.
> >
> > Linux kernel rootkits are tricky in that they can change the IDT of
> > the running Linux machine in realtime, or even if you try to run
> > debugging tools, you will never know if the actual memory dump you
> > see is of the system.
> >
> > More detailed info is here, on how to handle these incidents:
> > http://www.securityfocus.com/infocus/1738
> >
> > You can check phrack69, on how this technology is done.
> >
> > Detecting kernel level rootkits:
> > http://la-samhna.de/library/rootkits/detect.html
> >
> > Hope this helps dude.. keep backups in the future :)
> >
> > Xander
> >
> > On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
> >> Hi guys,
> >>
> >> I'm using CentOS 4.3 as my email server, postfix as MTA, and
> >> open-xchange as webmail.
> >> I installed chkrootkit and rkhunter. The configuration is rkhunter
> >> and chkrootkit will execute every 3am and email its result to the
> >> administrator account.
> >>
> >> I found this report with chkrootkit and also was surprised that an
> >> email account was created. I think that the system is compromised.
> >>
> >> How do I deal with this issue?
> >>
> >> Any help is well appreciated.
> >>
> >> Thanks,
> >>
> >> Sandeil
> >>
> >> Here is the output of chkrootkit:
> >> ---------
> >> Checking `asp'... not infected
> >> Checking `bindshell'... not infected
> >> Checking `lkm'... You have 2 process hidden for readdir command
> >> You have 2 process hidden for ps command
> >> chkproc: Warning: Possible LKM Trojan installed
> >> Checking `rexedcs'... not found
> >> Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/snort-plain)
> >> Checking `w55808'... not infected
> >> Checking `wted'... chkwtmp: nothing deleted
> >> Checking `scalper'... not infected
> >> Checking `slapper'... not infected
> >> Checking `z2'... chklastlog: nothing deleted
> >> Checking `chkutmp'... chkutmp: nothing deleted
> >>
> >> _________________________________________________
> >> Philippine Linux Users' Group (PLUG) Mailing List
> >> [email protected] (#PLUG @ irc.free.net.ph)
> >> Read the Guidelines: http://linux.org.ph/lists
> >> Searchable Archives: http://archives.free.net.ph
> >
> > --
> > Xander R. Solis
> > -----------------------
> > xrsolis.blogspot.com
> >
> > "Don't part with your illusions. When they are gone you may still
> > exist, but you have ceased to live."
> >
> > GNUPG Key: 1024D/5257774A
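The readdir-versus-probe comparison behind chkrootkit's "process hidden for readdir command" line, written out as an added Python example (not code from the thread, from chkrootkit or from check-ps). It assumes a Linux /proc; the repeated rounds exist to filter the short-lived-process false positives Paul mentions.

```python
# Added example, not from the thread or from chkrootkit: the core of the
# chkproc idea. What readdir(/proc) lists (what ps and ls see) is compared
# with PIDs found by probing /proc/<pid> directly; a PID reachable by probing
# but never listed is hidden from readdir. Assumes a Linux /proc.
import os
import time

PID_MAX_FALLBACK = 32768  # classic default; /proc/sys/kernel/pid_max is preferred


def listed_pids():
    """PIDs visible through readdir(/proc)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid):
    """PIDs found by stat()ing /proc/<pid> one by one, bypassing readdir."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except FileNotFoundError:
            continue
        except PermissionError:
            found.add(pid)  # the entry exists even if we may not read it
    return found


def hidden_pids(listed, probed):
    """Pure comparison: PIDs reachable by probing but absent from the listing."""
    return sorted(probed - listed)


def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def scan(rounds=3, delay=0.5):
    """A PID counts as hidden only if it is hidden in every round, which drops
    processes that merely started or exited between the listing and the probe."""
    max_pid = read_pid_max()
    suspects = None
    for _ in range(rounds):
        current = set(hidden_pids(listed_pids(), probed_pids(max_pid)))
        suspects = current if suspects is None else suspects & current
        time.sleep(delay)
    return sorted(suspects)
```

On a system with a large pid_max each round takes several seconds; a non-empty result from scan() is a lead to confirm with a trusted ps binary or check-ps as described above, not proof by itself.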

