Re: [cobalt-users] Raq550 Chkroot Command results -HELP
- Subject: Re: [cobalt-users] Raq550 Chkroot Command results -HELP
- From: "John D. Gorena" <Support@xxxxxxxxxxxxxxxxxxx>
- Date: Wed Mar 19 06:00:01 2003
- Organization: http://www.JMG-Enterprises.com
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"John D. Gorena" wrote:
>
> I ran a checkroot and now I see this section changed
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0 is not promisc
> eth1 is not promisc
>
> What is it and how do I get rid of it?
>
> John
Sorry group - I was in "panic city". I finally found a response from Michael Stauber that explained
it. I ran chkroot again and it did not show any problems. Apparently Michael was right again.
Thanks.
Below is his response from the archives...
John
=================
The hidden process check in chkrootkit can and will sometimes report hidden
processes when there are none. Please be aware of these *false* alarms, which
will happen mostly when you're running many dynamic processes, like Apache,
MySQL or ASP.
Why does it happen? Chkrootkit compares the processes in the /proc/ directory
with those shown by the command "ps". If both outputs don't match, then it'll
give an alert. However, the comparison takes a few moments, and if a process
ends (naturally or forced) during the comparison, then that will cause a
false alarm.
You shouldn't trust the LKM test in chkrootkit fully and should run some
manual checks to see what's up if you're warned about a possible LKM.
How to run the test manually for cross checking:
As root:
cd /home/security/chkrootkit/ (or to wherever your chkrootkit is installed)
./chkrootkit -x lkm
That will show a detailed listing of the suspicious processes in question and
can help you to look further into the issue. If the listing comes up empty
(see example below), then there is nothing to worry about.
[root admin]# cd /home/security/chkrootkit/
[root chkrootkit]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###
However, if it returns a couple of numbers, then those are the process IDs of
the hidden processes. If repeated runs of "chkrootkit -x lkm" report such
process IDs, then you should indeed be worried.
--
With best regards,
Michael Stauber
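As an added illustration of the comparison Michael describes above, here is a small Python script (written for this page, not part of the thread and not chkrootkit's own chkproc code) that takes the /proc view and the ps view of the process table and repeats the comparison a few times. It uses the simplified model from the message (readdir of /proc versus ps output); chkrootkit's real check also probes PIDs directly. A PID is only reported if every round flags it, so a process that merely exited between the /proc scan and the ps run, which is the false alarm Michael explains, drops out. The sample data in SAMPLES is constructed for the test; the function names are this example's own.

```python
"""Cross-check the /proc view of the process table against the ps view and
repeat the comparison, so that transient processes (ones that exit between the
two snapshots) are not reported as hidden. Added example, not chkrootkit code."""
import os
import subprocess
import time


def pids_from_proc():
    """PIDs visible as numeric directory names under /proc (the readdir view)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_ps():
    """PIDs reported by ps (the userland view a rootkit might filter).
    'ps -eo pid=' prints one bare PID per line with no header."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_once(proc_pids, ps_pids):
    """Single-shot comparison as the message describes: PIDs present in /proc
    but absent from ps. A process that ended between the two snapshots lands
    here too, which is exactly the false alarm to filter out."""
    return set(proc_pids) - set(ps_pids)


def persistent_hidden(samples):
    """samples: sequence of (proc_pids, ps_pids) pairs taken over time.
    Only PIDs flagged in *every* sample are returned; a transient process
    disappears from later samples and is dropped. An empty sample list
    yields an empty set."""
    flagged = None
    for proc_pids, ps_pids in samples:
        once = hidden_once(proc_pids, ps_pids)
        flagged = once if flagged is None else flagged & once
    return flagged if flagged else set()


def live_check(rounds=3, delay=1.0):
    """Take `rounds` live snapshots, `delay` seconds apart, and return the
    PIDs that stayed hidden across all of them. Requires Linux with ps."""
    samples = []
    for _ in range(rounds):
        samples.append((pids_from_proc(), pids_from_ps()))
        time.sleep(delay)
    return persistent_hidden(samples)


# Constructed sample: PID 99 exits between the /proc scan and ps in round 1
# (a transient, like a finished Apache child); PID 4242 is never shown by ps
# in any round and is the only PID a defender should actually investigate.
SAMPLES = [
    ({1, 2, 3, 99, 4242}, {1, 2, 3}),
    ({1, 2, 3, 4242}, {1, 2, 3}),
    ({1, 2, 3, 77, 4242}, {1, 2, 3, 77}),
]


if __name__ == "__main__":
    print("single-shot view of round 1:", sorted(hidden_once(*SAMPLES[0])))
    print("persistent across rounds:", sorted(persistent_hidden(SAMPLES)))
    # Uncomment on a Linux host to compare the real /proc and ps views:
    # print("live persistent hidden PIDs:", sorted(live_check()))
```

Run as root on the host in question; an empty result from `live_check()` corresponds to the empty `./chkrootkit -x lkm` listing in the message, while a PID that survives all rounds is the case Michael says you should worry about.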