LinuxQuestions.org
Old 07-16-2006, 10:14 AM   #1
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

/proc after 2.6.17.5


Umm... looks like they tightened up security a bit in /proc in 2.6.17.5 after the local root race exploit issue in <= 2.6.17.4 (this was actually 4 screens long; results of running "chkrootkit" as root.)

Code:
...

/proc/3/fd/.: Permission denied
/proc/3/fd/..: Permission denied
/proc/4/fd/.: Permission denied
/proc/4/fd/..: Permission denied
/proc/5/fd/.: Permission denied
/proc/5/fd/..: Permission denied
/proc/6/fd/.: Permission denied
/proc/6/fd/..: Permission denied
/proc/8/fd/.: Permission denied
/proc/8/fd/..: Permission denied
/proc/11/fd/.: Permission denied
/proc/11/fd/..: Permission denied
/proc/13/fd/.: Permission denied
/proc/13/fd/..: Permission denied
/proc/68/fd/.: Permission denied
/proc/68/fd/..: Permission denied
/proc/69/fd/.: Permission denied
/proc/69/fd/..: Permission denied
/proc/70/fd/.: Permission denied
/proc/70/fd/..: Permission denied
/proc/718/fd/.: Permission denied
/proc/718/fd/..: Permission denied
/proc/911/fd/.: Permission denied
/proc/911/fd/..: Permission denied
/proc/911/fd/0: Permission denied
/proc/911/fd/1: Permission denied
/proc/911/fd/2: Permission denied
/proc/911/fd/3: Permission denied
/proc/911/fd/4: Permission denied
/proc/915/fd/.: Permission denied
/proc/915/fd/..: Permission denied
/proc/915/fd/0: Permission denied
/proc/915/fd/1: Permission denied
/proc/915/fd/2: Permission denied
/proc/915/fd/3: Permission denied
/proc/915/fd/4: Permission denied
/proc/915/fd/5: Permission denied
/proc/915/fd/6: Permission denied
/proc/915/fd/7: Permission denied
/proc/915/fd/8: Permission denied
/proc/915/fd/9: Permission denied
/proc/915/fd/10: Permission denied
/proc/915/fd/11: Permission denied
/proc/924/fd/.: Permission denied
/proc/924/fd/..: Permission denied
/proc/924/fd/0: Permission denied
/proc/924/fd/1: Permission denied
/proc/924/fd/2: Permission denied
/proc/924/fd/3: Permission denied
/proc/926/fd/.: Permission denied
/proc/926/fd/..: Permission denied
/proc/926/fd/0: Permission denied
/proc/926/fd/1: Permission denied
/proc/926/fd/2: Permission denied
/proc/926/fd/3: Permission denied
/proc/926/fd/4: Permission denied
/proc/935/fd/.: Permission denied
/proc/935/fd/..: Permission denied
/proc/935/fd/0: Permission denied
/proc/935/fd/1: Permission denied
/proc/935/fd/2: Permission denied
/proc/935/fd/3: Permission denied
/proc/935/fd/4: Permission denied
/proc/949/fd/.: Permission denied
/proc/949/fd/..: Permission denied
/proc/949/fd/0: Permission denied
/proc/949/fd/1: Permission denied
/proc/949/fd/2: Permission denied
/proc/949/fd/3: Permission denied
/proc/949/fd/4: Permission denied
/proc/949/fd/6: Permission denied
/proc/1019/fd/.: Permission denied
/proc/1019/fd/..: Permission denied
/proc/1019/fd/0: Permission denied
/proc/1019/fd/1: Permission denied
/proc/1019/fd/2: Permission denied

...
other results:

Checking LKM... You have 15 process hidden for readdir command
You have 18 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed


I can see the forum subject lines now: "procs hidden, am I hacked? plz help!"

I have a feeling this will break stuff...
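The "hidden for readdir" / "hidden for ps" counts in the output above come from comparing two views of the process list: what readdir() on /proc returns versus what some other enumeration finds. The block below is an added example, not chkrootkit's chkproc source: it rebuilds that comparison and adds the check a reviewer of this thread would want, separating "/proc/PID/fd: Permission denied" (the kernel refusing a directory listing, as on 2.6.17.5) from a PID that is genuinely absent from /proc. The kill(pid, 0) probe, the bucket names and the sample lines (constructed to mirror the shape of the post's output) are my own assumptions.

```python
"""Triage chkproc-style 'hidden process' reports.

Added example, not chkrootkit code. Two independent PID views are compared,
and permission errors on /proc/PID/fd are reported as a separate bucket so a
kernel-side access restriction is not mistaken for process hiding.
"""
import os
import re
from typing import Dict, Iterable, List, Set, Tuple

# Matches the lines chkrootkit printed in the post, e.g. "/proc/911/fd/0: Permission denied".
DENIED_RE = re.compile(r"^/proc/(\d+)/fd/(\S+): Permission denied$")

# Constructed sample, shaped like the post's output (not the full four screens).
SAMPLE_LINES = [
    "/proc/3/fd/.: Permission denied",
    "/proc/3/fd/..: Permission denied",
    "/proc/911/fd/.: Permission denied",
    "/proc/911/fd/..: Permission denied",
    "/proc/911/fd/0: Permission denied",
    "Checking LKM... You have 15 process hidden for readdir command",
]


def parse_denied_lines(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Group 'Permission denied' lines by PID -> list of fd entries refused."""
    denied: Dict[int, List[str]] = {}
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:
            denied.setdefault(int(m.group(1)), []).append(m.group(2))
    return denied


def pids_from_proc_readdir(proc_root: str = "/proc") -> Set[int]:
    """PIDs that readdir() on /proc exposes: the view chkproc's readdir check uses."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_signal_probe(max_pid: int) -> Set[int]:
    """PIDs found with kill(pid, 0), which never touches /proc.

    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but belongs to someone else, so it still counts.
    """
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def compare_views(readdir_pids: Set[int], probe_pids: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (hidden_from_readdir, only_in_readdir).

    hidden_from_readdir: found by the probe but missing from readdir() on /proc.
    only_in_readdir: listed in /proc but not found by the probe; normally a
    process that exited between the two scans, i.e. a race, not hiding.
    """
    return probe_pids - readdir_pids, readdir_pids - probe_pids


def fd_dir_status(pid: int, proc_root: str = "/proc") -> str:
    """How /proc/PID/fd answers a listing: 'readable', 'permission-denied' or 'gone'."""
    try:
        os.listdir(f"{proc_root}/{pid}/fd")
    except PermissionError:
        return "permission-denied"
    except FileNotFoundError:
        return "gone"
    return "readable"


def triage(readdir_pids: Set[int], probe_pids: Set[int],
           denied: Dict[int, List[str]]) -> Dict[str, Set[int]]:
    """Sort PIDs into buckets that call for different follow-up."""
    hidden, stale = compare_views(readdir_pids, probe_pids)
    return {
        "hidden_from_readdir": hidden,                     # worth investigating
        "stale_or_exited": stale,                          # usually a scan race
        "listed_but_fd_denied": set(denied) & readdir_pids,  # access control, not hiding
    }


def demo() -> Dict[str, Set[int]]:
    """Triage on constructed data: every denied PID is still listed, nothing is hidden."""
    denied = parse_denied_lines(SAMPLE_LINES)
    readdir_pids = {1, 2, 3, 911}
    probe_pids = {1, 2, 3, 911}
    return triage(readdir_pids, probe_pids, denied)


if __name__ == "__main__":
    # Live run against the local /proc; the probe bound is read from pid_max.
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    except OSError:
        pid_max = 32768  # assumed fallback
    live = triage(pids_from_proc_readdir(), pids_from_signal_probe(pid_max), {})
    for bucket, pids in live.items():
        print(f"{bucket}: {sorted(pids)[:10]}{' ...' if len(pids) > 10 else ''}")
    for pid in sorted(live["hidden_from_readdir"])[:10]:
        print(pid, fd_dir_status(pid))
```

On the 2.6.17.5 output in the post, every PID that chkrootkit complains about is still present in the /proc listing, so it lands in `listed_but_fd_denied`, not `hidden_from_readdir`; a rootkit that filters readdir() results would produce PIDs in the first bucket with `fd_dir_status()` returning `gone`.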
 
Old 07-16-2006, 10:24 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Please post to the chkrootkit mailing list; chkproc is b0rken.
 
Old 07-16-2006, 09:52 PM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Original Poster
I sent a mail to Nelson (author) and a link to here, because I'm not subscribed to the mailing list. It should have the same effect though.
 
Old 07-17-2006, 05:16 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Thanks. I mailed the list to see if anyone has seen similar, just in case.
 
Old 07-17-2006, 04:29 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Got news from Nelson: he can't find any probs with it.
So... what's going on on your box... :-]
Any more details?
 
Old 07-17-2006, 08:01 PM   #6
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

This is from the 2.6.17 summary at kernel.org:
Code:
description	2.6.17-stable kernel tree
owner	Greg Kroah-Hartman
last change	Sat, 15 Jul 2006 19:00:43 +0000
shortlog
2 days ago 	Greg Kroah ... 	Linux 2.6.17.6 	commit | commitdiff
2 days ago 	Linus Torvalds 	[PATCH] Relax /proc fix a bit 	commit | commitdiff
2 days ago 	Greg Kroah ... 	Linux 2.6.17.5 	commit | commitdiff
2 days ago 	Linus Torvalds 	[PATCH] Fix nasty /proc vulnerability (CVE-2006-3626) 	commit | commitdiff
11 days ago 	Greg Kroah ... 	Linux 2.6.17.4 	commit | commitdiff
Maybe 2.6.17.6 will help since it "relaxes" the /proc permissions...
 
Old 07-17-2006, 08:40 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Well spotted. He's running .5 not .6...
 
Old 07-25-2006, 07:12 AM   #8
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: None (src & compile)
Posts: 253

Original Poster
That looks like what happened. I'll try with 2.6.17.6 or whatever latest is by the time I get to download it. Seems like a new version comes out almost daily.

Update:

Here's 2.6.17.7, installed last night:

Code:
Checking asp'... not infected
Checking bindshell'... not infected
Checking lkm'... chkproc: nothing detected
Checking eexedcs'... not found
Checking sniffer'... eth0: PF_PACKET(/usr/sbin/p0f)
Checking w55808'... not infected
Checking wted'... chkwtmp: nothing deleted
Checking scalper'... not infected
Checking slapper'... not infected
Checking z2'... chklastlog: nothing deleted
Checking chkutmp'... chkutmp: nothing deleted
Not a peep. Seems like it's only an issue with that one kernel version.

Last edited by jayjwa; 07-26-2006 at 09:12 AM.
 
Old 01-07-2007, 01:02 AM   #9
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Debian Squeeze. Various live CD's Win7
Posts: 359

Has anyone used chkrootkit on Fedora Core 5's kernel version 2.6.18-1 as root and had similar results to this, i.e. permission denied on /proc/.., or should I start worrying?
 
All times are GMT -5.