[clug] chkrootkit: LKM Trojan?
Pearl Louis
pearl.louis at anu.edu.au
Mon Mar 29 15:50:02 GMT 2004
Hi
Something weird is going on. I've got Mandrake 10 installed and as far as I
can tell the security patches released after it are installed. I run
chkrootkit weekly (which I download fresh from the website each time). This
is the first time I've run it since I've installed Mandrake 10 (which has the
2.6 kernel).
It gives me the output:
Checking `lkm'... You have 6 process hidden for readdir command
You have 6 process hidden for ps command
Warning: Possible LKM Trojan installed
OK, panic time.
Use netstat, confirm I have no ports open. After I installed Mandrake I went
and manually turned off everything.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:667             0.0.0.0:*                           2611/xinetd
Netstat could have been compromised though.
nmap says that all ports are closed.
./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 3151: not in readdir output
PID 3151: not in ps output
CWD 3151: /home/tehanu
EXE 3151: /usr/bin/xmms
PID 3154: not in readdir output
PID 3154: not in ps output
CWD 3154: /home/tehanu
EXE 3154: /usr/bin/xmms
PID 3158: not in readdir output
PID 3158: not in ps output
CWD 3158: /home/tehanu
EXE 3158: /usr/bin/kontact
PID 3159: not in readdir output
PID 3159: not in ps output
CWD 3159: /home/tehanu
EXE 3159: /usr/bin/kontact
PID 3411: not in readdir output
PID 3411: not in ps output
CWD 3411: /home/tehanu
EXE 3411: /usr/bin/galeon-bin
PID 3412: not in readdir output
PID 3412: not in ps output
CWD 3412: /home/tehanu
EXE 3412: /usr/bin/galeon-bin
PID 5031: not in readdir output
PID 5031: not in ps output
CWD 5031: /home/tehanu
EXE 5031: /usr/bin/galeon-bin
PID 5032: not in readdir output
PID 5032: not in ps output
CWD 5032: /home/tehanu
EXE 5032: /usr/bin/galeon-bin
OK, so I exit out of galeon, kontact and xmms and then I get:
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
I turn kontact back on and get:
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 5176: not in readdir output
PID 5176: not in ps output
CWD 5176: /home/tehanu
EXE 5176: /usr/bin/kontact
PID 5177: not in readdir output
PID 5177: not in ps output
CWD 5177: /home/tehanu
EXE 5177: /usr/bin/kontact
You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Turn kontact off, chkrootkit is happy, turn kontact on, chkrootkit warns me of
the possible LKM Trojan. Ditto with xmms and galeon.
What on earth is going on? Is this a bug with chkrootkit? A quick Google
search seems to suggest that chkrootkit gives false positives with the LKM
Trojan on some recent systems. Is this the case here?
So, any ideas, guys?
Pearl