[clug] chkrootkit: LKM Trojan?

Pearl Louis pearl.louis at anu.edu.au
Mon Mar 29 15:50:02 GMT 2004


Hi

Something weird is going on.  I've got Mandrake 10 installed and as far as I 
can tell the security patches released after it are installed.  I run 
chkrootkit weekly (which I download fresh from the website each time).  This 
is the first time I've run it since I've installed Mandrake 10 (which has the 
2.6 kernel).  

It gives me the output:

Checking `lkm'... You have     6 process hidden for readdir command
You have     6 process hidden for ps command
Warning: Possible LKM Trojan installed

OK, panic time.
Use netstat, confirm I have no ports open.  After I installed Mandrake I went 
and manually turned off everything.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:667             0.0.0.0:*                           2611/xinetd

Netstat could have been compromised though.
nmap says that all ports are closed.

./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID  3151: not in readdir output
PID  3151: not in ps output
CWD  3151: /home/tehanu
EXE  3151: /usr/bin/xmms
PID  3154: not in readdir output
PID  3154: not in ps output
CWD  3154: /home/tehanu
EXE  3154: /usr/bin/xmms
PID  3158: not in readdir output
PID  3158: not in ps output
CWD  3158: /home/tehanu
EXE  3158: /usr/bin/kontact
PID  3159: not in readdir output
PID  3159: not in ps output
CWD  3159: /home/tehanu
EXE  3159: /usr/bin/kontact
PID  3411: not in readdir output
PID  3411: not in ps output
CWD  3411: /home/tehanu
EXE  3411: /usr/bin/galeon-bin
PID  3412: not in readdir output
PID  3412: not in ps output
CWD  3412: /home/tehanu
EXE  3412: /usr/bin/galeon-bin
PID  5031: not in readdir output
PID  5031: not in ps output
CWD  5031: /home/tehanu
EXE  5031: /usr/bin/galeon-bin
PID  5032: not in readdir output
PID  5032: not in ps output
CWD  5032: /home/tehanu
EXE  5032: /usr/bin/galeon-bin

OK, so I exit out of galeon, kontact and xmms and then I get:

ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###

I turn kontact back on and get:

ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID  5176: not in readdir output
PID  5176: not in ps output
CWD  5176: /home/tehanu
EXE  5176: /usr/bin/kontact
PID  5177: not in readdir output
PID  5177: not in ps output
CWD  5177: /home/tehanu
EXE  5177: /usr/bin/kontact
You have     2 process hidden for readdir command
You have     2 process hidden for ps command

Turn kontact off, chkrootkit is happy, turn kontact on, chkrootkit warns me of 
the possible LKM Trojan.  Ditto with xmms and galeon.

What on earth is going on?  Is this a bug with chkrootkit?  A quick Google 
search seems to suggest that chkrootkit gives false positives with the LKM 
Trojan on some recent systems.  Is this the case here? 

So any ideas guys?

Pearl

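Added example (not from the poster or from the chkrootkit project): a small Python re-implementation of chkproc's brute-force check that additionally reads the Tgid field of /proc/<pid>/status, so threads of a visible multithreaded program (the pattern above: several "hidden" pids all belonging to xmms, kontact or galeon) are separated from pids that really are hidden. The constructed demo mirrors the post's xmms pids 3151 and 3154; the leader pid 3150 and the status texts are assumptions.

```python
import os
import re

# chkproc brute-forces /proc/<pid> for every pid up to a limit and reports any
# pid that exists but is missing from readdir(/proc) and from ps.  On Linux 2.6
# each thread of a program is reachable as /proc/<tid>, yet readdir and ps only
# show the thread group leader, so threads of xmms, galeon or kontact all look
# "hidden".  /proc/<pid>/status carries Tgid: Tgid != Pid means a thread.
_TGID_RE = re.compile(r"^Tgid:\s*(\d+)", re.MULTILINE)

def tgid_from_status(status_text):
    """Return the Tgid field of a /proc/<pid>/status text, or None."""
    m = _TGID_RE.search(status_text)
    return int(m.group(1)) if m else None

def classify(candidates, listed, read_status):
    """Split pids that exist but are absent from `listed` (readdir/ps) into
    {tid: leader_pid} threads and a set of genuinely hidden pids."""
    threads, hidden = {}, set()
    for pid in sorted(set(candidates) - set(listed)):
        tgid = tgid_from_status(read_status(pid))   # "" on read error
        if tgid is not None and tgid != pid:
            threads[pid] = tgid          # thread of a visible process
        else:
            hidden.add(pid)              # real anomaly: investigate
    return threads, hidden

def scan_proc(max_pid=32768):
    """Run the check against the live /proc (Linux); 32768 is the 2.6 pid_max default."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    candidates = {p for p in range(1, max_pid + 1) if os.path.isdir("/proc/%d" % p)}
    def read_status(pid):
        try:
            with open("/proc/%d/status" % pid) as f:
                return f.read()
        except OSError:
            return ""
    return classify(candidates, listed, read_status)

def demo_from_post():
    """Constructed data: 3150 (assumed) is the xmms leader, 3151 and 3154 its threads."""
    status = {3151: "Name:\txmms\nPid:\t3151\nTgid:\t3150\n",
              3154: "Name:\txmms\nPid:\t3154\nTgid:\t3150\n"}
    return classify({1, 3150, 3151, 3154}, {1, 3150}, lambda p: status.get(p, ""))

if __name__ == "__main__":
    threads, hidden = scan_proc() if os.path.isdir("/proc") else demo_from_post()
    for tid, leader in threads.items():
        print("PID %5d: thread of %d, not hidden" % (tid, leader))
    for pid in sorted(hidden):
        print("PID %5d: in /proc but not in readdir/ps, investigate" % pid)
```

A pid that survives into the hidden set (exists, is unlisted, and is its own thread group leader) is the case chkproc's warning was meant for; threads of a program you recognise are the false positive described in the post.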
