Exactly. Analysis and prevention still need to be done. It could be
that there really are hidden processes/threads that are benign.

On 4/28/06, Paul Patrick C. Prantilla <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just wanted to mention to the original poster that there are cases of
> false positives regarding the line "You have X process hidden for
> readdir command" from chkrootkit. You can read about them in google.
> I've also experienced such false positives before.
>
> Still, as the others advise...you should of course still take the
> necessary precaution steps. I just thought to mention false
> positives because I've never actually seemed to have reliable output with
> rkhunter or chkrootkit and hardly rely on them anymore...and I read
> about people who feel the same way. I like using file integrity checkers
> like tripwire instead.
>
> -Paul
>
> Xander Solis wrote:
> > Hi,
> >
> > You could try to boot into single user mode, and copy ps from another
> > Linux machine to check and verify the same output. Don't have the new
> > ps in the same path as the old ps. Or execute the command
> > directly (./ps). You could also use check-ps, as another
> > alternative, to check and verify the running
> > processes (http://www.la-samhna.de/misc/)
> >
> > Next step is to check and verify if all data backups are intact; you
> > would need them especially if it's a production server :) You may
> > eventually need to re-install the server, as you may not know totally
> > what other malicious code is in that machine if you don't employ HIDS
> > to verify the filesystem integrity.
> >
> > Linux kernel rootkits are tricky in that they can change the IDT of
> > the running Linux machine in realtime, and even if you try to run
> > debugging tools, you will never know if the actual memory dump you
> > see is of the system.
> >
> > More detailed info is here, on how to handle these incidents:
> > http://www.securityfocus.com/infocus/1738
> >
> > You can check phrack69, on how this technology is done.
> >
> > Detecting kernel level rootkits:
> >
> > http://la-samhna.de/library/rootkits/detect.html
> >
> > Hope this helps dude.. keep backups in the future :)
> >
> > Xander
> >
> >
> >
> > On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
> >> Hi guys,
> >>
> >> I'm using CentOS 4.3 as my email server, postfix as MTA, and
> >> open-xchange as webmail.
> >> I installed chkrootkit and rkhunter. The configuration is that rkhunter
> >> and chkrootkit will execute every 3am and email their results to the
> >> administrator account.
> >>
> >> I found this report with chkrootkit and was also surprised that an
> >> email account was created. I think that the system is compromised.
> >>
> >> How do I deal with this issue?
> >>
> >> Any help is well appreciated.
> >>
> >> Thanks,
> >>
> >> Sandeil
> >>
> >> Here is the output of chkrootkit:
> >> ---------
> >> Checking `asp'... not infected
> >> Checking `bindshell'... not infected
> >> Checking `lkm'... You have 2 process hidden for readdir command
> >>
> >> You have 2 process hidden for ps command
> >> chkproc: Warning: Possible LKM Trojan installed
> >> Checking `rexedcs'... not found
> >> Checking `sniffer'... eth0:
> >> PF_PACKET(/usr/sbin/snort-plain)
> >> Checking `w55808'... not infected
> >>
> >> Checking `wted'... chkwtmp: nothing deleted
> >> Checking `scalper'... not infected
> >> Checking `slapper'... not infected
> >> Checking `z2'... chklastlog: nothing deleted
> >> Checking `chkutmp'... chkutmp: nothing deleted
> >>
> >>
> >>
> >>
> >>
> >> _________________________________________________
> >> Philippine Linux Users' Group (PLUG) Mailing List
> >> [email protected] (#PLUG @ irc.free.net.ph)
> >> Read the Guidelines: http://linux.org.ph/lists
> >> Searchable Archives: http://archives.free.net.ph
> >>
> >>
> >
> >
> > --
> > --
> > Xander R. Solis
> > -----------------------
> > xrsolis.blogspot.com
> >
> > "Don't part with your illusions. When they are gone you may still
> > exist, but you have ceased to live."
> >
> > GNUPG Key: 1024D/5257774A
>
>


--
--
Xander R. Solis
-----------------------
xrsolis.blogspot.com

"Don't part with your illusions. When they are gone you may still
exist, but you have ceased to live."

GNUPG Key: 1024D/5257774A
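The "You have 2 process hidden for readdir command" line in the chkrootkit output above comes from chkproc, which compares the PIDs that a directory listing of /proc reports with the PIDs it can reach by probing /proc/<pid> directly. The following script is an added example (not from this thread, not chkrootkit's own code) that does the same cross-check in Python and then re-checks any discrepancy a few times, which filters the common false positive Paul mentions: a short-lived process that started or exited between the listing and the probe. It assumes Linux /proc semantics; the /proc path is a parameter so the logic can also be pointed at a constructed directory tree.

```python
import os
import time

PROC = "/proc"  # assumption: Linux procfs; a parameter so the checks can run against another tree


def pids_from_readdir(proc=PROC):
    """PIDs that a plain directory listing reports (what ls, ps and readdir() see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_probe(pid_max, proc=PROC):
    """PIDs found by touching /proc/<pid> directly for every possible pid.

    A kernel module that filters readdir() results must still answer a direct
    lookup of the entry, which is why the two views can disagree.
    """
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except OSError:
            continue
        found.add(pid)
    return found


def read_pid_max(proc=PROC):
    """Upper bound of the pid space from /proc/sys/kernel/pid_max (32768 if unreadable)."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def hidden_pids(listed, probed):
    """Pure comparison: PIDs the probe reached but the listing omitted."""
    return sorted(probed - listed)


def confirm_hidden(candidates, rounds=3, delay=0.2, proc=PROC):
    """Re-check candidates to weed out the usual false positives.

    A pid that no longer exists was a short-lived process that happened to
    appear between the listing and the probe; a pid that now shows up in
    readdir() was simply created after the listing was taken. Only pids that
    keep existing while staying absent from readdir() are reported.
    """
    stable = set(candidates)
    for _ in range(rounds):
        time.sleep(delay)
        listed = pids_from_readdir(proc)
        still_there = {p for p in stable if os.path.isdir(os.path.join(proc, str(p)))}
        stable = still_there - listed
    return sorted(stable)


def scan(proc=PROC):
    """Full check: listing vs. probe, then re-confirmation of any discrepancy."""
    listed = pids_from_readdir(proc)
    probed = pids_from_probe(read_pid_max(proc), proc)
    return confirm_hidden(hidden_pids(listed, probed), proc=proc)


if __name__ == "__main__":
    result = scan()
    if result:
        print("pids present in /proc but missing from readdir():", result)
    else:
        print("no hidden processes found (readdir and direct probe agree)")
```

Run it as root so every /proc/<pid> entry is reachable; on a kernel with a large pid_max the probe loop takes a while in Python, which is why chkproc is written in C. Because the script itself relies on the kernel's answers, a rootkit that hooks the lookup path as well as readdir() can fool it too, which is the point Xander makes about trusting nothing on the live system and comparing against a known-good ps or an offline integrity check.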
