chkrootkit LKM Trojan?
Dave S
ubuntu at pusspaws.net
Mon Jul 17 18:43:12 UTC 2006
On Sunday 16 July 2006 16:50, Derek Broughton wrote:
> Dave S wrote:
> > I just had an email from chkrootkit last night -
> >
> > ---
> >
> > The following suspicious files and directories were found:
> >
> > You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> > chkproc: Warning: Possible LKM Trojan installed
> >
> > ---
> >
> > Running chkrootkit now and all is OK
>
> I have exactly the same issue.
Not just me then :)
>
> > (a) I have a trojan, seems unlikely I am behind a netgear router firewall
> > NAT with no incoming ports open. Running nothing more than samba, ssh and
> > unison on the local network though I have to admit I have not hardened my
> > system.
> >
> > (b) It's a false alarm - it is called by /etc/cron.daily so a lot of
> > different scripts are called at the same time - though I have no idea
> > what could have caused it.
>
> Yep, those would be the possibilities :-) I don't know. I think it's
> (b), but I'm uncertain. chkrootkit is remarkably unhelpful about its
> warnings - what does it mean that processes are "hidden"? How does it
> attempt to recognize packet sniffers? It routinely reports dhclient!
Found something interesting that points me to a false +ve ... quote ...
How accurate is chkproc?
If you run chkproc on a server that runs lots of short time processes it
could report some false positives. chkproc compares the ps output with
the /proc contents. If processes are created/killed during this operation
chkproc could point out these PIDs as suspicious.
Dave
> --
> derek
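The FAQ passage quoted above says chkproc compares ps output with the /proc listing, so any process created or killed between the two listings is flagged. The following added example (not chkrootkit's own code) reproduces that comparison and repeats it over several passes, reporting only PIDs that disagree in every pass, which is what separates a transient cron job from a process that stays hidden. It assumes Linux with /proc mounted and a procps-style ps that accepts `-e -o pid=`.

```python
"""Multi-pass version of chkproc's ps-vs-/proc comparison (added example,
not chkrootkit's own code). chkproc flags PIDs in /proc but not in ps output,
and the reverse. A process that starts or exits between the two listings is
flagged once; one hidden by a kernel module is flagged every pass, so
intersecting several passes keeps only the persistent discrepancies."""
import os
import subprocess
import time

KEYS = ("hidden_for_ps", "hidden_for_readdir")

def pids_from_proc():
    """PIDs visible as numeric directory names under /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_ps():
    """PIDs reported by ps; assumes a procps-style `ps -e -o pid=`."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def discrepancies(proc_pids, ps_pids):
    """One pass, worded as chkproc reports it: in /proc but missing from ps
    ("hidden for ps"), and listed by ps but missing from readdir(/proc)
    ("hidden for readdir"). The ps child itself lands in the second set."""
    return {"hidden_for_ps": proc_pids - ps_pids,
            "hidden_for_readdir": ps_pids - proc_pids}

def persistent_discrepancies(snapshots):
    """PIDs flagged in every (proc_pids, ps_pids) snapshot. Short-lived
    processes and the per-pass ps child differ between passes and drop out."""
    result = {k: None for k in KEYS}
    for proc_pids, ps_pids in snapshots:
        d = discrepancies(proc_pids, ps_pids)
        for k in KEYS:
            result[k] = d[k] if result[k] is None else result[k] & d[k]
    return {k: (v if v is not None else set()) for k, v in result.items()}

def check(passes=3, delay=0.5):
    """Run the check live; empty sets mean nothing is persistently hidden."""
    snapshots = []
    for _ in range(passes):
        snapshots.append((pids_from_proc(), pids_from_ps()))
        time.sleep(delay)
    return persistent_discrepancies(snapshots)
```

Run `check()` from a root shell on the box that raised the alert; a single-pass hit that disappears on the next pass is the race the FAQ describes, while a PID that survives every pass deserves a closer look.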