Re: [cobalt-users] Hacked?
- Subject: Re: [cobalt-users] Hacked?
- From: flash22@xxxxxxx
- Date: Tue Mar 6 23:38:22 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Fri, 2 Mar 2001, Cable Dude wrote:
> When we run chkrootkit we get:
> Searching for Ramen Worm files and dirs... Nothing found
> Checking `lkm'... Nothing detected
...
> <then we run it again and get the following:>
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Unicode/Map/.packlist
...
> Searching for Ramen Worm files and dirs... Nothing found
> Checking `lkm'...
> you have 2 processes hidden for readdir command
> you have 2 processes hidden for ps command
> possible LKM Trojan
First, the .packlist files are ok; I in fact sent the author a note about
suppressing them when they fit certain parameters, as they are annoying ;)
(possible next version)
Second, you have to understand how chkrootkit works. To find hidden
things, it's comparing the output of /proc with what it gets from
commands. There is a small time window in there: if a new process starts up
right in between, you will get a spurious result, because the new process will
show up in proc but the scan has already read the old info. If you run it
again very shortly after (eg a second) and don't get it, this is probably
what's going on. Note that you are supposed to run this on an idle
machine...
The readdir test has a similar issue: if a program creates a file just
while it is looking, you will get a hit that's meaningless.
However, if you are getting consistent hits sometimes, and consistent
failures others, it might be an indication of something hidden most of the
time that's only active at certain times (ie running from cron), a very
common trick...
chkrootkit is designed to be an easy way to test for commonly seen things;
it's not a panacea for intrusion testing...
gsh
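The /proc-versus-ps comparison and its timing window, as an added example that is not part of the original post and not chkrootkit's own code (chkrootkit does this check in a small C helper; the script below only reproduces the idea). It assumes a Linux host with a readable /proc and a `ps` that accepts `-e -o pid=`. Each run reads /proc first and then runs ps, so a process that starts between the two reads (ps itself, every time) shows up on the "vanished" side rather than as a hidden process, while a process that exits between the two reads can produce the spurious "hidden" hit the post describes. Repeating the comparison a second or so apart and keeping only PIDs hidden in every run is the "run it again shortly after" advice turned into code. A rootkit that also hides its process from /proc is not caught by this comparison at all.

```python
import os
import subprocess
import time


def pids_from_proc():
    """PIDs visible by listing /proc, the readdir view chkrootkit compares against."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs reported by ps, the view an LKM rootkit would filter."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def compare_snapshots(proc_pids, ps_pids):
    """Compare one /proc snapshot with one ps snapshot.

    Returns (hidden, vanished):
      hidden   - PIDs in /proc but not in ps: either a hidden process or a
                 process that exited between the two snapshots
      vanished - PIDs in ps but not in /proc: processes that started after
                 /proc was read (ps itself always lands here), which shows
                 that the timing window between the two reads is real
    """
    return proc_pids - ps_pids, ps_pids - proc_pids


def consistently_hidden(runs):
    """runs is a list of (proc_pids, ps_pids) pairs taken a second or so apart.

    A PID reported as hidden in only some runs is attributed to the race
    window; a PID hidden in every run is returned for closer inspection.
    Returns (persistent, per_run), where per_run keeps each run's hidden set
    so the intermittent pattern the post mentions is still visible.
    """
    per_run = [compare_snapshots(proc, ps)[0] for proc, ps in runs]
    persistent = set.intersection(*per_run) if per_run else set()
    return persistent, per_run


def sample_live(count=3, pause=1.0):
    """Take `count` /proc-then-ps snapshot pairs on the running system."""
    runs = []
    for _ in range(count):
        runs.append((pids_from_proc(), pids_from_ps()))
        time.sleep(pause)
    return runs


if __name__ == "__main__":
    # Run on an otherwise idle machine, as the post advises.
    persistent, per_run = consistently_hidden(sample_live())
    for i, hidden in enumerate(per_run, 1):
        print(f"run {i}: hidden from ps -> {sorted(hidden) or 'nothing'}")
    print("hidden in every run:", sorted(persistent) or "none")
```

Usage: run the script as root (or any user that can list /proc) on a quiet box; a PID printed under "hidden in every run" is worth checking by hand, while a PID that appears in a single run only is the race the post describes.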