On Sunday 16 July 2006 22:25, Jerry McBride wrote:
> On Sunday 16 July 2006 15:54, Dave S wrote:
> > On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> > > On Sunday 16 July 2006 20:25, Dave S wrote:
> > > > Hi, I have a potential security problem ...
> > > >
> > > > and err it's not on gentoo, it's on ubuntu but I am not getting any
> > > > response there & you guys are the most tech bunch I know - Thought I
> > > > would lay it on the table :)
> > > >
> > > > I just had an email from chkrootkit last night -
> > > >
> > > > ---
> > > >
> > > > The following suspicious files and directories were found:
> > > >
> > > > You have 3 process hidden for readdir command
> > > > You have 3 process hidden for ps command
> > > > chkproc: Warning: Possible LKM Trojan installed
> > > >
> > > > ---
> > > >
> > > > Running chkrootkit now and all is OK
> > > >
> > > > root@dave-comp:~#
> > > > root@dave-comp:~# chkrootkit | grep chkproc
> > > > Checking `lkm'... chkproc: nothing detected
> > > > root@dave-comp:~#
> > > >
> > > > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> > > > have been modified (paranoid)
> > >
> > > if you installed using the tools of the system, it could be worthless,
> > > because compromised. Boot from a cd and check from the cd.
> >
> > I understand. Booted from knoppix 5.0.1, executed a
> >
> > 'chroot /mnt/hda1 chkrootkit' and a
> > 'chroot /mnt/hda1 rkhunter -c'
> >
> > - both scans brought back nothing. From what I have read the chkrootkit &
> > rkhunter binaries would have been from the CD and therefore untainted ? Am
> > I correct ?
> >
> > Are there any other checks I can do - re-installing the system is not my
> > preferred option :)
> >
> > Dave
>
> Hi Dave,
>
> Just went through the same scare with an OLD linux server a few weeks ago.
>
> This "could" be a false positive...
>
> What you should do is run chkrootkit with verbose option turned on. Take
> the pids it shows you and compare them to what's listed in /proc.
>
> Each running process has a pid and it's listed under /proc. In each pid
> listed under proc there's a /exe link that gives you the path to the
> program owning the pid. There's a /status file that will give you the name of
> the program. There's other info there also. If there are any discrepancies
> between what's listed in /proc and what ps tells you, you've been infected
> with LKM for sure.
>
> Naturally, you have to be there when chkrootkit complains...

That's the problem - it was an automated email at midnight - all looks OK now -
apart from my paranoia that is ...

>
> But don't stop here...
>
> You can also try running rootkit-hunter and compare the output.

Done it - it reports clean

>
> You can cp known good tools (in your case, ps) from a backup to your
> infected box and run it to get "true" information.
>
> I knew a co-worker that ran "tree" across a suspected infected box and
> found a number of hidden directories on it. It was indeed infected.

I will look into it.

>
> Also, if this machine was running a firewall, look in the logs. If you've
> kept a running archive, hopefully spanning a week or two, you may be able
> to figure out when and where the attack came from.

Netgear firewall ADSL NAT, tea machine, router - I will have a look in the
logs for anything suspicious - good idea.

>
> Hope that helps.
>
> Jerry

Cheers

Dave
--
gentoo-user@g.o mailing list
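The /proc cross-check Jerry describes, written out as an added example (editor's code, not chkrootkit's and not from anyone in the thread). It takes the process list from three angles: probing every pid with kill(pid, 0), listing /proc, and asking ps, which is what chkproc's "hidden for readdir" and "hidden for ps" warnings compare. Two caveats a practitioner would want: thread ids also answer the probe but are never listed in /proc, so each candidate is checked against the Tgid line of its /proc/<pid>/status to avoid exactly the false positive Jerry mentions; and the check only means something on the live, suspect kernel, since a chroot from a live CD runs the on-disk copies of chkrootkit and rkhunter against the CD's kernel, not the one that raised the alarm. The `find_hidden` function is pure so it can be exercised on constructed data; the `ps -eo pid=` invocation and the `/proc/sys/kernel/pid_max` path are standard Linux procps and procfs interfaces.

```python
#!/usr/bin/env python3
"""Compare pids from kill(pid, 0) probing, readdir(/proc) and ps, then show the
exe link and status Name of anything that exists but is missing from a view.
Added example, not chkrootkit's code."""
import os
import subprocess


def probed_pids(max_pid=None):
    """Pids the kernel admits to when asked directly with kill(pid, 0):
    ESRCH means no such pid, EPERM means it exists but is not ours."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def readdir_pids():
    """Pids visible by listing /proc (the view chkproc's readdir check uses)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """Pids reported by ps; a replaced ps, or an LKM filtering it, may omit some."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, which is readable even for
    thread ids that readdir never lists. None if the entry has gone away."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def proc_info(pid):
    """The two things Jerry says to look at: the exe link and the Name field."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError as e:
        exe = f"<unreadable: {e.strerror}>"
    name = "<unknown>"
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Name:"):
                    name = line.split(None, 1)[1].strip()
                    break
    except OSError:
        pass
    return exe, name


def find_hidden(readdir, ps, probed, tgid_lookup):
    """Pure comparison. Returns {pid: [reasons]} for pids that answered the probe
    but are missing from readdir and/or ps, after dropping thread ids
    (Tgid != pid) and pids that exited mid-scan (Tgid is None)."""
    hidden = {}
    for pid in sorted(probed):
        reasons = []
        if pid not in readdir:
            reasons.append("hidden for readdir")
        if pid not in ps:
            reasons.append("hidden for ps")
        if not reasons:
            continue
        tgid = tgid_lookup(pid)
        if tgid is None or tgid != pid:
            continue  # a thread, or a process that has since exited
        hidden[pid] = reasons
    return hidden


if __name__ == "__main__":
    # Probe first, then readdir, then ps: a process that starts after the probe
    # is ignored, and one that exits afterwards is dropped by the Tgid re-check.
    probed, readdir, ps = probed_pids(), readdir_pids(), ps_pids()
    suspects = find_hidden(readdir, ps, probed, tgid_of)
    if not suspects:
        print("chkproc-style check: nothing detected")
    for pid, reasons in suspects.items():
        exe, name = proc_info(pid)
        print(f"pid {pid}: {', '.join(reasons)}; exe={exe} name={name}")
```

Run it as root on the live machine (the probe needs to see other users' pids and the exe links of root-owned processes), ideally from a cron job at the same time the chkrootkit mail arrives, so the pids are still alive when you go to look at them. Anything it lists with its exe pointing at a deleted or unexpected path, or whose Name disagrees with what ps shows for that pid, is worth the known-good-ps comparison Jerry suggests.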