On Sunday 16 July 2006 15:54, Dave S wrote:

> On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> > On Sunday 16 July 2006 20:25, Dave S wrote:
> > > Hi, I have a potential security problem ...
> > >
> > > and err, it's not on gentoo, it's on ubuntu but I am not getting any
> > > response there & you guys are the most tech bunch I know - Thought I
> > > would lay it on the table :)
> > >
> > > I just had an email from chkrootkit last night -
> > >
> > > ---
> > >
> > > The following suspicious files and directories were found:
> > >
> > > You have 3 process hidden for readdir command
> > > You have 3 process hidden for ps command
> > > chkproc: Warning: Possible LKM Trojan installed
> > >
> > > ---
> > >
> > > Running chkrootkit now and all is OK
> > >
> > > root@dave-comp:~#
> > > root@dave-comp:~# chkrootkit | grep chkproc
> > > Checking `lkm'... chkproc: nothing detected
> > > root@dave-comp:~#
> > >
> > > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> > > have been modified (paranoid)
> >
> > if you installed using the tools of the system, it could be worthless,
> > because compromised. Boot from a cd and check from the cd.
>
> I understand. Booted from knoppix 5.0.1, executed a
>
> 'chroot /mnt/hda1 chkrootkit' and a
> 'chroot /mnt/hda1 rkhunter -c'
>
> - both scans brought back nothing. From what I have read the chkrootkit &
> rkhunter binaries would have been from the CD and therefore untainted? Am I
> correct?
>
> Are there any other checks I can do - re-installing the system is not my
> preferred option :)
>
> Dave

Hi Dave,

Just went through the same scare with an OLD linux server a few weeks ago.

This "could" be a false positive...

What you should do is run chkrootkit with the verbose option turned on. Take the
pids it shows you and compare them to what's listed in /proc.

Each running process has a pid and it's listed under /proc. In each pid listed
under proc there's an /exe link that gives you the path to the program owning
the pid. There's a /status file that will give you the name of the program.
There's other info there also. If there are any discrepancies between what's
listed in /proc and what ps tells you, you've been infected with an LKM for sure.

Naturally, you have to be there when chkrootkit complains...

But don't stop here...

You can also try running rootkit-hunter and compare the output.

You can cp known good tools (in your case, ps) from a backup to your infected
box and run it to get "true" information.

I knew a co-worker that ran "tree" across a suspected infected box and found a
number of hidden directories on it. It was indeed infected.

Also, if this machine was running a firewall, look in the logs. If you've kept
a running archive, hopefully spanning a week or two, you may be able to
figure out when and where the attack came from.

Hope that helps.

Jerry

-- 
gentoo-user@g.o mailing list
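The /proc-versus-ps comparison Jerry describes, written out as an added example for this thread (it is not chkrootkit's code and not something either poster ran). It assumes a Linux /proc layout (/proc/<pid>/status with Name, Pid and Tgid fields, /proc/<pid>/exe as a symlink, /proc/sys/kernel/pid_max) and a procps-style ps that accepts `-eo pid=`. It takes a snapshot of the PIDs the kernel exposes both by listing /proc and by probing /proc/<pid> directly (the "readdir" versus direct-access distinction in the chkrootkit message), runs ps in between two such snapshots, and reports any PID that was present in both snapshots but absent from ps, along with its Name and exe target. Two common false-positive sources are handled: processes that start or exit while ps is running, and per-thread /proc/<tid> directories, which a direct probe finds but neither `ps -e` nor a listing of /proc shows.

```python
"""Cross-check the PIDs that /proc, a direct /proc/<pid> probe, and ps each report.

Added example for this mailing-list thread, not chkrootkit's code. It follows the
reply's advice: take the PIDs the kernel exposes under /proc, read each one's
/status (Name) and /exe link, and compare with what ps shows. Intended to be
run as root from a trusted boot medium, chrooted into the suspect system, so
that python and ps themselves are trustworthy.
"""
import os
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a /proc/<pid>/status file (not captured from a real host).
SAMPLE_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nTgid:\t1234\nPid:\t1234\nPPid:\t1\n"


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def read_status(pid: int, proc_root: str) -> Dict[str, str]:
    """Parsed /proc/<pid>/status, or an empty dict if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            return parse_status(fh.read())
    except OSError:
        return {}


def pids_from_readdir(proc_root: str = "/proc") -> Set[int]:
    """PIDs visible to a directory listing of /proc (chkrootkit's 'readdir' view)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_probe(proc_root: str = "/proc", pid_max: Optional[int] = None) -> Set[int]:
    """PIDs that answer to a direct lookup of /proc/<pid> without listing the directory.

    A module that filters directory listings often leaves the per-PID directory
    itself reachable, so probing each number individually can reveal entries the
    listing omitted. Threads have their own /proc/<tid> directory (Tgid != Pid)
    that no listing shows and that ps -e does not report, so they are skipped to
    avoid a false positive. pid_max defaults to /proc/sys/kernel/pid_max.
    """
    if pid_max is None:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            pid_max = int(fh.read().strip())
    found: Set[int] = set()
    for pid in range(1, pid_max + 1):
        if not os.path.isdir(os.path.join(proc_root, str(pid))):
            continue
        status = read_status(pid, proc_root)
        if status and status.get("Tgid") != status.get("Pid"):
            continue  # a thread, not a process; leave it out
        found.add(pid)
    return found


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse the output of 'ps -eo pid=' (one PID per line, no header)."""
    tokens = (line.strip() for line in ps_output.splitlines())
    return {int(tok) for tok in tokens if tok.isdigit()}


def hidden_pids(before: Set[int], after: Set[int], visible: Set[int]) -> List[int]:
    """PIDs present in both kernel snapshots taken around the ps run, yet absent from ps.

    Requiring presence in both snapshots discards processes that merely started
    or exited while ps was running, the usual source of false positives.
    """
    return sorted((before & after) - visible)


def describe_pid(pid: int, proc_root: str = "/proc") -> Tuple[str, str]:
    """Return (Name from /status, target of the /exe link) for one PID."""
    name = read_status(pid, proc_root).get("Name", "?")
    try:
        exe = os.readlink(os.path.join(proc_root, str(pid), "exe"))  # root needed for other users
    except OSError:
        exe = "?"
    return name, exe


def audit(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Snapshot /proc, run ps, snapshot again, and report PIDs that ps did not show."""
    before = pids_from_readdir(proc_root) | pids_from_probe(proc_root)
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    after = pids_from_readdir(proc_root) | pids_from_probe(proc_root)
    suspects = hidden_pids(before, after, pids_from_ps(ps_out))
    return [(pid, *describe_pid(pid, proc_root)) for pid in suspects]


if __name__ == "__main__":
    findings = audit()
    if not findings:
        print("every PID the kernel exposes is also listed by ps")
    for pid, name, exe in findings:
        print(f"PID {pid} present in /proc but missing from ps: Name={name} exe={exe}")
```

The probe loop walks every number up to pid_max, which on a modern kernel can be several million entries and take some seconds; that is the price of not trusting the directory listing. A hit still only tells you that the ps binary and the kernel disagree; as Jerry says, the copy of ps you trust should come from backup or a boot CD, and the Name and exe of each reported PID are what you then go and investigate.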