Re: chkrootkit: false positive? LKM

2004-05-25 Thread Gerhard Gaussling
On Saturday 22 May 2004 22:52, Manfred Sindhoff wrote:
> Gerhard Gaussling wrote:
> > Hello list,
> >
> > I have the following here:
> >
> > chkrootkit:
> >
> > Checking `lkm'... You have 9 process hidden for readdir command
> > You have 9 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> [...]
>
> > Do I need to worry?
> > [...]
> [...] But I think (knocking on wood) that these are
> false positives, since chkrootkit does not recognise program threads,
> which are possible from kernel 2.6 on, or 2.4 with a patch.
>
> "The lkm check is known to produce false positives for NPTL kernels
> (2.6 kernels or 2.4 with NPTL patches). Common multithreaded programs
> which will show this behaviour are slapd, mozilla and apache2 if you
> use one of its threading MPMs."
> (http://www.wiggy.net/debian/developer-securing/)
>

Hello Manfred,

Thanks for your reply. I suspected something like that. I suppose there
is also nothing like KSTAT [1] for kernel 2.6.x?

What still gives me pause is the warning from kavscanner [2] and
some entries from samhain [3].

If anyone has an idea...

ciao

Gerhard


[1] http://www.s0ftpj.org/tools/kstat.tgz
[2] http://www.kaspersky.com/businessoptimal?chapter=4157740
[3] ( http://la-samhna.de/library/rootkits/detect.html |
http://la-samhna.de/samhain/index.html |
http://la-samhna.de/products.html )



Re: chkrootkit: false positive? LKM

2004-05-22 Thread Manfred Sindhoff
Gerhard Gaussling wrote:
Hello list,
I have the following here:
chkrootkit:
Checking `lkm'... You have 9 process hidden for readdir command
You have 9 process hidden for ps command
Warning: Possible LKM Trojan installed
[...]
Do I need to worry?
ciao
Gerhard

Hello Gerhard,
here it is even 39 processes, and since I started writing this email with
Mozilla, 40. But I think (knocking on wood) that these are false
positives, since chkrootkit does not recognise program threads, which are
possible from kernel 2.6 on, or 2.4 with a patch.

"The lkm check is known to produce false positives for NPTL kernels (2.6 
kernels or 2.4 with NPTL patches). Common multithreaded programs which 
will show this behaviour are slapd, mozilla and apache2 if you use one 
of its threading MPMs."
(http://www.wiggy.net/debian/developer-securing/)

Regards,
Manfred
--
Frequently asked questions and answers (FAQ):
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject "unsubscribe". Problems? Mail to [EMAIL PROTECTED] (English)
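The NPTL explanation above can be checked rather than taken on faith. chkproc, as Manfred describes it, reports a PID as hidden when it answers a direct per-PID probe but is missing from the readdir listing of /proc or from ps; on a 2.6 kernel every thread has its own PID, and only the thread group leader appears in readdir and in a plain ps listing, so each thread of named, lwresd, ippl or a threaded python2.3 counts as "hidden". The script below is an added example, not chkrootkit's chkproc and not code from anyone in this thread: it takes the same three PID sets plus the Tgid of each PID (from /proc/<pid>/status) and separates NPTL threads, whose group leader is visible, from PIDs that really are listed nowhere. The demo data is a constructed snapshot modelled on Gerhard's chkproc output; the leader PIDs 1277, 1291, 1750 and 10778 and the genuinely hidden PID 4242 are invented for the demo. snapshot_proc() gathers the same inputs from a live Linux /proc.

```python
"""Separate NPTL thread "false positives" from PIDs that are listed nowhere.

Added example, not chkrootkit's own chkproc. Inputs mirror what chkproc
compares: PIDs that answer a direct probe, PIDs seen by readdir(/proc),
PIDs seen by ps, plus Tgid and exe per PID.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    pid: int
    tgid: int
    exe: str
    verdict: str  # "nptl-thread" or "hidden"


def classify_hidden(probed: Set[int], readdir_pids: Set[int], ps_pids: Set[int],
                    tgid_of: Dict[int, int], exe_of: Dict[int, str]) -> List[Finding]:
    """One Finding per PID that answers the probe but is absent from readdir or ps.

    A PID whose Tgid is a different PID, and whose group leader is visible in
    both listings, is an ordinary NPTL thread. Anything else stays "hidden"
    and deserves a closer look.
    """
    findings = []
    for pid in sorted(probed):
        if pid in readdir_pids and pid in ps_pids:
            continue
        tgid = tgid_of.get(pid, pid)
        leader_visible = tgid in readdir_pids and tgid in ps_pids
        verdict = "nptl-thread" if (tgid != pid and leader_visible) else "hidden"
        findings.append(Finding(pid, tgid, exe_of.get(pid, "?"), verdict))
    return findings


def count_verdicts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"nptl-thread": 0, "hidden": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


def snapshot_proc(max_pid: int = 32768) -> Tuple[Set[int], Set[int], Dict[int, int], Dict[int, str]]:
    """Collect probed PIDs, readdir PIDs, Tgid and exe from a live Linux /proc.

    /proc/<tid>/status is readable for a thread even though readdir omits it,
    so opening it serves as the probe. ps reads /proc itself, so a plain ps
    listing equals the readdir set; pass it as ps_pids if no ps run is at hand.
    Not used by the demo data below.
    """
    readdir_pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed, tgid_of, exe_of = set(), {}, {}
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
        except OSError:
            continue
        probed.add(pid)
        tgid_of[pid] = int(fields.get("Tgid", str(pid)).strip())
        try:
            exe_of[pid] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe_of[pid] = "?"
    return probed, readdir_pids, tgid_of, exe_of


# Constructed snapshot modelled on the posted chkproc output. Thread PIDs and
# exe paths are the ones from the post; the leader PIDs and the hidden PID
# 4242 (answers the probe, listed nowhere, no visible leader) are invented.
LEADERS = {1277: "/usr/sbin/named", 1291: "/usr/sbin/lwresd",
           1750: "/usr/sbin/ippl", 10778: "/usr/bin/python2.3"}
THREADS = {1278: 1277, 1279: 1277, 1280: 1277,
           1292: 1291, 1293: 1291, 1294: 1291,
           1751: 1750, 1752: 1750,
           10779: 10778}
HIDDEN_PID = 4242

DEMO_READDIR = set(LEADERS)   # readdir(/proc) lists only thread group leaders
DEMO_PS = set(LEADERS)        # ps without -L shows the same set
DEMO_PROBED = set(LEADERS) | set(THREADS) | {HIDDEN_PID}
DEMO_TGID = {**{p: p for p in LEADERS}, **THREADS, HIDDEN_PID: HIDDEN_PID}
DEMO_EXE = {**LEADERS, **{t: LEADERS[g] for t, g in THREADS.items()},
            HIDDEN_PID: "/constructed/hidden-binary"}


def demo() -> List[Finding]:
    return classify_hidden(DEMO_PROBED, DEMO_READDIR, DEMO_PS, DEMO_TGID, DEMO_EXE)


if __name__ == "__main__":
    for f in demo():
        print(f"PID {f.pid:5d} tgid {f.tgid:5d} {f.verdict:12s} {f.exe}")
    print(count_verdicts(demo()))
```

On the demo data the nine thread PIDs from the post come out as nptl-thread and only the invented 4242 stays hidden. On a real box the same check can be done by hand: `ps -eLf` lists threads as LWPs, and a PID that chkproc flags should appear there under its leader's PID; a PID that answers the probe but is absent from `ps -eLf` and has no readable Tgid is the case that still needs investigating.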


chkrootkit: false positive? LKM

2004-05-20 Thread Gerhard Gaussling
Hello list,

I have the following here:

chkrootkit:

Checking `lkm'... You have 9 process hidden for readdir command
You have 9 process hidden for ps command
Warning: Possible LKM Trojan installed

# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID  1278: not in readdir output
PID  1278: not in ps output
CWD  1278: /var/cache/bind
EXE  1278: /usr/sbin/named
PID  1279: not in readdir output
PID  1279: not in ps output
CWD  1279: /var/cache/bind
EXE  1279: /usr/sbin/named
PID  1280: not in readdir output
PID  1280: not in ps output
CWD  1280: /var/cache/bind
EXE  1280: /usr/sbin/named
PID  1292: not in readdir output
PID  1292: not in ps output
CWD  1292: /
EXE  1292: /usr/sbin/lwresd
PID  1293: not in readdir output
PID  1293: not in ps output
CWD  1293: /
EXE  1293: /usr/sbin/lwresd
PID  1294: not in readdir output
PID  1294: not in ps output
CWD  1294: /
EXE  1294: /usr/sbin/lwresd
PID  1751: not in readdir output
PID  1751: not in ps output
CWD  1751: /
EXE  1751: /usr/sbin/ippl
PID  1752: not in readdir output
PID  1752: not in ps output
CWD  1752: /
EXE  1752: /usr/sbin/ippl
PID 10779: not in readdir output
PID 10779: not in ps output
CWD 10779: /home/gerhard
EXE 10779: /usr/bin/python2.3
You have 9 process hidden for readdir command
You have 9 process hidden for ps command


also:

chkrootkit:

Searching for suspicious files and dirs, it may take a while... 
/usr/lib/plt/bin/.libs 
/usr/lib/plt/collects/readline/.DS_Store 
/usr/lib/jdk/1.1/bin/i386/green_threads/.extract_args 
/usr/lib/jdk/1.1/bin/i386/native_threads/.extract_args 
/usr/lib/jdk/1.1/bin/.java_wrapper /usr/lib/blender/.Blanguages 
/usr/lib/blender/.bfont.ttf 
/usr/lib/GNUstep/System/Library/Cenon/Projects/DTP/Advertising.cenon/.gwdir 
/usr/lib/GNUstep/System/Library/Cenon/Projects/DTP/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Projects/Models/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Projects/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Projects/Shapes/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Projects/NoSmoking/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Devices/hpgl/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Devices/din/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Devices/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Devices/gerber/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/ai/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/ps/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/PCB/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/dxf/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/hpgl/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/Gerber/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Examples/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/.dir.tiff 
/usr/lib/GNUstep/System/Library/Cenon/Documentation/.dir.tiff 
/usr/lib/j2se/1.3/bin/.java_wrapper 
/usr/lib/j2se/1.3/jre/bin/.java_wrapper
/usr/lib/plt/bin/.libs

kavscanner warning:

/usr/lib/libcupsimage.so.2

samhain:

-BEGIN MESSAGE-
[2004-05-20T14:55:12+0200] 127.0.0.1
CRIT   :  [2004-05-20T14:54:26+0200] msg=, 
path=, ctime_old=<[2004-05-16T12:53:00]>, 
ctime_new=<[2004-05-20T12:53:56]>, 
CRIT   :  [2004-05-20T14:54:31+0200] msg=, 
path=, ctime_old=<[2004-05-16T12:52:12]>, 
ctime_new=<[2004-05-20T12:52:53]>, 
CRIT   :  [2004-05-20T14:54:31+0200] msg=, 
path=, ctime_old=<[2004-05-16T12:52:12]>, 
ctime_new=<[2004-05-20T12:52:53]>, 
CRIT   :  [2004-05-20T14:54:32+0200] msg=, 
path=, ctime_old=<[2004-05-16T12:52:12]>, 
ctime_new=<[2004-05-20T12:52:53]>, 
CRIT   :  [2004-05-20T14:54:32+0200] msg=, 
path=, ctime_old=<[2004-05-16T12:52:12]>, 
ctime_new=<[2004-05-20T12:52:53]>, 
CRIT   :  [2004-05-20T14:54:32+0200] msg=, 
path=, ctime_old=<[2004-05-16T12:52:12]>, 
ctime_new=<[2004-05-20T12:52:53]>, 
CRIT   :  [2004-05-20T14:55:06+0200] msg=, 
path=, ctime_old=<[2004-05-03T01:47:14]>, 
ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, 
mtime_new=<[2004-05-16T13:39:53]>, 
CRIT   :  [2004-05-20T14:55:06+0200] msg=, 
path=, ctime_old=<[2004-05-03T01:47:14]>, 
ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, 
mtime_new=<[2004-05-16T13:39:53]>, 
CRIT   :  [2004-05-20T14:55:06+0200] msg=, 
path=, ctime_old=<[2004-05-03T01:47:14]>, 
ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, 
mtime_new=<[2004-05-16T13:39:53]>, 
CRIT   :  [2004-05-20T14:55:12+0200] msg=, 
path=, inode_old=<1785977>, inode_new=<1785986>, 
size_old=<312> size_new=<339> ctime_old=<[2003-03-30T22:36:26]>, 
ctime_new=<[2004-05-16T22:57:43]>, mtime_old=<[2003-03-12T20:59:48]>, 
mtime_new=<[2004-05-16T22:57:43]>, 
chksum_old=<5681EE36A91B60A4BE3C05C049EF6699763EF29ABE18E75E>, 
chksum_new=<6D7B9E8F4166B15A00FD00802A09B526E0AE18C8838AAB68>, 

Do I need to worry?

ciao

Gerhard
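The samhain report in this post is more useful once the records are split apart, because the three groups of entries say different things: six entries with only ctime changed (an inode metadata change such as owner, mode, link count or a rename), three with ctime and mtime changed but no new checksum (the file was rewritten with identical content, typical of a package reinstall), and one with a new inode, new size and a new checksum (the content really did change). The parser and triage below are an added example, not samhain's code and not something Gerhard or Manfred posted. It assumes, as the posted report suggests, that samhain prints only the attributes that changed and that each record begins with a severity, a colon and a bracketed timestamp, with continuation lines wrapped as in the mail. The timestamps, inode numbers, sizes and checksums in SAMPLE_REPORT are copied from the post; the msg and path values were stripped from the post, so the ones used here are constructed placeholders.

```python
"""Split a samhain-style report into records and triage each by what changed.

Added example; not samhain's own code. Assumes samhain lists only the
attributes that changed, so an absent chksum_new means the content is
unchanged.
"""
import re
from typing import Dict, List, Set

# Constructed sample. Timestamps, inodes, sizes and checksums come from the
# posted report; msg and path values are placeholders (the post had none).
SAMPLE_REPORT = """\
-BEGIN MESSAGE-
[2004-05-20T14:55:12+0200] 127.0.0.1
CRIT   :  [2004-05-20T14:54:26+0200] msg=<PLACEHOLDER>, 
path=</constructed/etc/file-a>, ctime_old=<[2004-05-16T12:53:00]>, 
ctime_new=<[2004-05-20T12:53:56]>, 
CRIT   :  [2004-05-20T14:55:06+0200] msg=<PLACEHOLDER>, 
path=</constructed/usr/lib/file-b>, ctime_old=<[2004-05-03T01:47:14]>, 
ctime_new=<[2004-05-16T13:39:53]>, mtime_old=<[2004-05-03T01:47:14]>, 
mtime_new=<[2004-05-16T13:39:53]>, 
CRIT   :  [2004-05-20T14:55:12+0200] msg=<PLACEHOLDER>, 
path=</constructed/etc/file-c>, inode_old=<1785977>, inode_new=<1785986>, 
size_old=<312> size_new=<339> ctime_old=<[2003-03-30T22:36:26]>, 
ctime_new=<[2004-05-16T22:57:43]>, mtime_old=<[2003-03-12T20:59:48]>, 
mtime_new=<[2004-05-16T22:57:43]>, 
chksum_old=<5681EE36A91B60A4BE3C05C049EF6699763EF29ABE18E75E>, 
chksum_new=<6D7B9E8F4166B15A00FD00802A09B526E0AE18C8838AAB68>, 
"""

# "CRIT   :  [timestamp] key=<value>, key=<value> ..."
RECORD_START = re.compile(r"^(?P<sev>[A-Z]+)\s*:\s*\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=<([^>]*)>")


def split_records(text: str) -> List[str]:
    """Join wrapped continuation lines back onto the record they belong to."""
    records: List[str] = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_record(record: str) -> Dict[str, str]:
    """Turn one joined record into a dict of severity, report time and key=<value> fields."""
    m = RECORD_START.match(record)
    if m is None:
        raise ValueError(f"not a samhain record: {record!r}")
    rec = {"severity": m.group("sev"), "reported": m.group("ts")}
    rec.update(dict(FIELD.findall(m.group("rest"))))
    return rec


def changed_attributes(rec: Dict[str, str]) -> Set[str]:
    """Attribute names that carry both an _old value and a differing _new value."""
    return {k[:-4] for k in rec
            if k.endswith("_old") and rec.get(k[:-4] + "_new", rec[k]) != rec[k]}


def triage(rec: Dict[str, str]) -> str:
    """Order of precedence: content change beats a new inode beats a rewrite beats metadata."""
    changed = changed_attributes(rec)
    if "chksum" in changed:
        return "content-changed"          # verify against package checksums first
    if "inode" in changed:
        return "replaced-same-content"    # new inode, identical bytes
    if "mtime" in changed:
        return "rewritten-same-content"   # written again, e.g. package reinstall
    if changed == {"ctime"}:
        return "metadata-only"            # owner, mode, link count or rename
    return "unclassified"


def triage_report(text: str) -> List[Dict[str, str]]:
    out = []
    for raw in split_records(text):
        rec = parse_record(raw)
        rec["verdict"] = triage(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage_report(SAMPLE_REPORT):
        print(f"{r['reported']}  {r['verdict']:24s} {r.get('path', '?')}")
```

The content-changed record is the one to settle first: compare the file with the checksum its Debian package recorded (debsums does this) and with the install log for 2004-05-16, the date that several of the ctime_new and mtime_new values share. If everything traces back to a package upgrade, the samhain baseline should be updated afterwards so the next run does not report the same files again; if it does not, the file has changed outside of package management and the box needs a proper look.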