LinuxQuestions.org, Linux - Kernel: /proc after 2.6.17.5 (https://www.linuxquestions.org/questions/linux-kernel-70/proc-after-2-6-17-5-a-464553/)

jayjwa 07-16-2006 09:14 AM

/proc after 2.6.17.5
 
Umm... looks like they tightened up security a bit in /proc in 2.6.17.5 after the root race local exploit issue in <= 2.6.17.4 (this was actually 4 screens long; it's the result of running "chkrootkit" as root.)

Code:

...

/proc/3/fd/.: Permission denied
/proc/3/fd/..: Permission denied
/proc/4/fd/.: Permission denied
/proc/4/fd/..: Permission denied
/proc/5/fd/.: Permission denied
/proc/5/fd/..: Permission denied
/proc/6/fd/.: Permission denied
/proc/6/fd/..: Permission denied
/proc/8/fd/.: Permission denied
/proc/8/fd/..: Permission denied
/proc/11/fd/.: Permission denied
/proc/11/fd/..: Permission denied
/proc/13/fd/.: Permission denied
/proc/13/fd/..: Permission denied
/proc/68/fd/.: Permission denied
/proc/68/fd/..: Permission denied
/proc/69/fd/.: Permission denied
/proc/69/fd/..: Permission denied
/proc/70/fd/.: Permission denied
/proc/70/fd/..: Permission denied
/proc/718/fd/.: Permission denied
/proc/718/fd/..: Permission denied
/proc/911/fd/.: Permission denied
/proc/911/fd/..: Permission denied
/proc/911/fd/0: Permission denied
/proc/911/fd/1: Permission denied
/proc/911/fd/2: Permission denied
/proc/911/fd/3: Permission denied
/proc/911/fd/4: Permission denied
/proc/915/fd/.: Permission denied
/proc/915/fd/..: Permission denied
/proc/915/fd/0: Permission denied
/proc/915/fd/1: Permission denied
/proc/915/fd/2: Permission denied
/proc/915/fd/3: Permission denied
/proc/915/fd/4: Permission denied
/proc/915/fd/5: Permission denied
/proc/915/fd/6: Permission denied
/proc/915/fd/7: Permission denied
/proc/915/fd/8: Permission denied
/proc/915/fd/9: Permission denied
/proc/915/fd/10: Permission denied
/proc/915/fd/11: Permission denied
/proc/924/fd/.: Permission denied
/proc/924/fd/..: Permission denied
/proc/924/fd/0: Permission denied
/proc/924/fd/1: Permission denied
/proc/924/fd/2: Permission denied
/proc/924/fd/3: Permission denied
/proc/926/fd/.: Permission denied
/proc/926/fd/..: Permission denied
/proc/926/fd/0: Permission denied
/proc/926/fd/1: Permission denied
/proc/926/fd/2: Permission denied
/proc/926/fd/3: Permission denied
/proc/926/fd/4: Permission denied
/proc/935/fd/.: Permission denied
/proc/935/fd/..: Permission denied
/proc/935/fd/0: Permission denied
/proc/935/fd/1: Permission denied
/proc/935/fd/2: Permission denied
/proc/935/fd/3: Permission denied
/proc/935/fd/4: Permission denied
/proc/949/fd/.: Permission denied
/proc/949/fd/..: Permission denied
/proc/949/fd/0: Permission denied
/proc/949/fd/1: Permission denied
/proc/949/fd/2: Permission denied
/proc/949/fd/3: Permission denied
/proc/949/fd/4: Permission denied
/proc/949/fd/6: Permission denied
/proc/1019/fd/.: Permission denied
/proc/1019/fd/..: Permission denied
/proc/1019/fd/0: Permission denied
/proc/1019/fd/1: Permission denied
/proc/1019/fd/2: Permission denied

...

other results:

Checking LKM... You have 15 process hidden for readdir command
You have 18 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed


I can see the forum subject lines now: "procs hidden, am I hacked? plz help!" ;)

I have a feeling this will break stuff...
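The "process hidden for readdir command" count above comes from comparing two views of the process table: the PIDs that readdir() of /proc returns, and the PIDs the kernel admits to when probed directly. What follows is an added example in Python, not chkrootkit's chkproc and not code from this thread, that does that comparison and, unlike the output quoted above, keeps "Permission denied" on a /proc entry separate from "no such process": a hardened /proc that refuses access to /proc/<pid>/fd is not the same thing as a PID missing from readdir(). It assumes procfs is mounted at /proc; the sample table used for the offline run is constructed.

```python
"""Hidden-process check in the style of chkrootkit's chkproc (added example).

Two views of the process table are compared:
  readdir view : numeric entries of /proc, which an LKM rootkit can filter;
  kernel view  : kill(pid, 0), which sends no signal but reports whether the
                 PID exists (success or EPERM) or not (ESRCH).
A PID the kernel knows about but readdir() omits is "hidden". A PID that
readdir() lists but the kernel no longer knows is "stale" (it exited between
the two calls; a race, not a rootkit). Access errors under /proc/<pid>/fd are
reported separately as "restricted".
"""
import os
from typing import Callable, Dict, List, Set

PROC = "/proc"  # assumed procfs mount point


def readdir_pids(proc: str = PROC) -> Set[int]:
    """PIDs visible to readdir(), i.e. the numeric entries of /proc."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def probe_pid(pid: int) -> str:
    """Kernel view of one PID via kill(pid, 0): present, denied or absent."""
    try:
        os.kill(pid, 0)
    except PermissionError:      # EPERM: exists, but we may not signal it
        return "denied"
    except ProcessLookupError:   # ESRCH: no such process
        return "absent"
    return "present"


def fd_dir_status(pid: int, proc: str = PROC) -> str:
    """Distinguish a /proc/<pid>/fd we may not read from one that is gone.

    'restricted' is what a tightened /proc (2.6.17.5 style) produces for
    other users' processes and is not evidence of hiding.
    """
    try:
        os.listdir(os.path.join(proc, str(pid), "fd"))
    except PermissionError:
        return "restricted"
    except FileNotFoundError:
        return "gone"
    return "readable"


def classify(listed: Set[int], probe: Callable[[int], str],
             max_pid: int) -> Dict[str, List[int]]:
    """Compare the readdir view (listed) with the kernel view (probe)."""
    hidden = [pid for pid in range(1, max_pid + 1)
              if probe(pid) != "absent" and pid not in listed]
    stale = [pid for pid in sorted(listed) if probe(pid) == "absent"]
    return {"hidden": hidden, "stale": stale}


def scan_live(proc: str = PROC) -> Dict[str, List[int]]:
    """Run the comparison against the running system."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read().strip())
    except OSError:
        max_pid = 32768  # assumed default when pid_max is unreadable
    return classify(readdir_pids(proc), probe_pid, max_pid)


def self_status() -> str:
    """Kernel view of our own PID; always 'present' on a sane system."""
    return probe_pid(os.getpid())


# Constructed sample: what the kernel would say for PIDs 1..6 on a box where
# an LKM filters PID 3 out of readdir() and PID 7 exited after the listing.
SAMPLE_KERNEL_VIEW = {1: "present", 2: "present", 3: "denied",
                      4: "absent", 5: "present", 6: "absent"}
SAMPLE_READDIR_VIEW = {1, 2, 5, 7}


def sample_probe(pid: int) -> str:
    return SAMPLE_KERNEL_VIEW.get(pid, "absent")


def sample_scan() -> Dict[str, List[int]]:
    return classify(SAMPLE_READDIR_VIEW, sample_probe, max_pid=6)


if __name__ == "__main__":
    print("sample:", sample_scan())
    live = scan_live()
    print("live:", live)
    for pid in live["hidden"]:
        print(f"pid {pid}: kernel={probe_pid(pid)} fd={fd_dir_status(pid)}")
```

On the sample table the scan reports PID 3 as hidden and PID 7 as stale; a live run on a healthy system should report nothing hidden, and any "restricted" fd directories it prints are a permission setting, not a finding.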

unSpawn 07-16-2006 09:24 AM

Please post to the chkrootkit mailing list that chkproc is b0rken.

jayjwa 07-16-2006 08:52 PM

I sent a mail to Nelson (author) and a link to here, because I'm not subscribed to the mailing list. It should have the same effect though.

unSpawn 07-17-2006 04:16 AM

Thanks. I mailed the list to see if anyone has seen similar, just in case.

unSpawn 07-17-2006 03:29 PM

Got news from Nelson: he can't find any probs with it.
So... what's going on on your box... :-]
Any more details?

gilead 07-17-2006 07:01 PM

This is from the 2.6.17 summary at kernel.org:
Code:

description        2.6.17-stable kernel tree
owner        Greg Kroah-Hartman
last change        Sat, 15 Jul 2006 19:00:43 +0000
shortlog
2 days ago        Greg Kroah ...        Linux 2.6.17.6        commit | commitdiff
2 days ago        Linus Torvalds        [PATCH] Relax /proc fix a bit        commit | commitdiff
2 days ago        Greg Kroah ...        Linux 2.6.17.5        commit | commitdiff
2 days ago        Linus Torvalds        [PATCH] Fix nasty /proc vulnerability (CVE-2006-3626)        commit | commitdiff
11 days ago        Greg Kroah ...        Linux 2.6.17.4        commit | commitdiff

Maybe 2.6.17.6 will help since it "relaxes" the /proc permissions...

unSpawn 07-17-2006 07:40 PM

Well spotted. He's running .5 not .6...

jayjwa 07-25-2006 06:12 AM

That looks like what happened. I'll try with 2.6.17.6 or whatever latest is by the time I get to download it. Seems like a new version comes out almost daily.

Update:

Here's 2.6.17.7, installed last night:

Code:

Checking asp'... not infected
Checking bindshell'... not infected
Checking lkm'... chkproc: nothing detected
Checking eexedcs'... not found
Checking sniffer'... eth0: PF_PACKET(/usr/sbin/p0f)
Checking w55808'... not infected
Checking wted'... chkwtmp: nothing deleted
Checking scalper'... not infected
Checking slapper'... not infected
Checking z2'... chklastlog: nothing deleted
Checking chkutmp'... chkutmp: nothing deleted

Not a peep. Seems like it's only an issue with that one kernel version.

mazinoz 01-07-2007 12:02 AM

Has anyone used chkrootkit on Fedora Core 5's kernel version 2.6.18-1 as root and had similar results to this, i.e. permission denied on /proc/.., or should I start worrying?
