| 1 |
On Sunday 16 July 2006 15:54, Dave S wrote: |
| 2 |
> On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote: |
| 3 |
> > On Sunday 16 July 2006 20:25, Dave S wrote: |
| 4 |
> > > HI, I have a potential security problem ... |
| 5 |
> > > |
| 6 |
> > > and err its not on gentoo, its on ubuntu but I am not getting any |
| 7 |
> > > response there & you guys are the most tech bunch I know - Thought I |
| 8 |
> > > would lay it on the table :) |
| 9 |
> > > |
| 10 |
> > > I just had an email from chkrootkit last night - |
| 11 |
> > > |
| 12 |
> > > --- |
| 13 |
> > > |
| 14 |
> > > The following suspicious files and directories were found: |
| 15 |
> > > |
| 16 |
> > > You have 3 process hidden for readdir command |
| 17 |
> > > You have 3 process hidden for ps command |
| 18 |
> > > chkproc: Warning: Possible LKM Trojan installed |
| 19 |
> > > |
| 20 |
> > > --- |
| 21 |
> > > |
| 22 |
> > > Running chkrootkit now and all is OK |
| 23 |
> > > |
| 24 |
> > > root@dave-comp:~# |
| 25 |
> > > root@dave-comp:~# chkrootkit | grep chkproc |
| 26 |
> > > Checking `lkm'... chkproc: nothing detected |
| 27 |
> > > root@dave-comp:~# |
| 28 |
> > > |
| 29 |
> > > I have even 'sudo install --reinstall chkrootkit' in case its binarys |
| 30 |
> > > have been modified (paranoid) |
| 31 |
> > |
| 32 |
> > if you installed using the tools of the system, it could be worthless, |
| 33 |
> > because compromised. Boot from a cd and check from the cd. |
| 34 |
> |
| 35 |
> I understand. Booted from knoppix 5.0.1, executed a |
| 36 |
> |
| 37 |
> 'chroot /mnt/hda1 chkrootkit' and a |
| 38 |
> 'chroot /mnt/hda1 rkhunter -c' |
| 39 |
> |
| 40 |
> - both scans brought back nothing. From what I have read the chkrootkit & |
| 41 |
> rkhunter binarys would have been from the CD and therefore untainted ? Am I |
| 42 |
> correct ? |
| 43 |
> |
| 44 |
> Are there any other checks I can do - re-installing the system is not my |
| 45 |
> preferred option :) |
| 46 |
> |
| 47 |
> Dave |
| 48 |
|
| 49 |
Hi Dave, |
| 50 |
|
| 51 |
Just went through the same scare with an OLD linux server a few weeks ago. |
| 52 |
|
| 53 |
This "could" be a false positive... |
| 54 |
|
| 55 |
What you should do is run chkrootkit with verbose option turned on. Take the |
| 56 |
pids it show you and compare them to what's listed in /proc. |
| 57 |
|
| 58 |
Each running process has a pid and it's listed under /proc. In each pid listed |
| 59 |
under proc there's a /exe link that gives you the path to the program owning |
| 60 |
the pid. There a /status file that will give you the name of the program. |
| 61 |
There's other info there also. If there's any discrepancies between what's |
| 62 |
list in /proc and what ps tells you, you've been infected with LKM for sure. |
| 63 |
|
| 64 |
Naturally, you have to be there when chkrootkit complains... |
| 65 |
|
| 66 |
But don't stop here... |
| 67 |
|
| 68 |
You can also try running rootkit-hunter and compare the output. |
| 69 |
|
| 70 |
You can cp known good tools (in your case, ps) from a backup to your infected |
| 71 |
box and run it to get "true" information. |
| 72 |
|
| 73 |
I knew a co-worker that ran "tree" across a suspected infected box and found a |
| 74 |
number of hidden directories on it. It was indeed infected. |
| 75 |
|
| 76 |
Also, if this machine was running a firewall, look in the logs. If you've kept |
| 77 |
a running archive, hopefully spanning a week or two, you may be able to |
| 78 |
figure out when and where the attack came from. |
| 79 |
|
| 80 |
Hope that helps. |
| 81 |
|
| 82 |
Jerry |
| 83 |
|
| 84 |
|
| 85 |
|
| 86 |
-- |
| 87 |
gentoo-user@g.o mailing list |
Archives