LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-08-2004, 09:14 AM   #1
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Rep: Reputation: 15
'Chkrootkit 0.43' false positive?


Yesterday I installed version 0.43 of 'chkrootkit', and when I run it for the first time I got this output:

Checking `lkm'...
You have 1 process hidden for readdir comman
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

However, all subsequent runs of 'chkrootkit' -done immediately after and from then on at several intervals- didn't show that warning anymore. I also compiled another instance of the program in other directory and it didn't find anything ("Checking `lkm'... nothing detected").

After that, I verified some system binaries ('ps', 'ls' and many others) with rpm -V and the output showed that they hadn't changed (at least according to 'rpm').

Then I compared the file 'System.map' with the kernel syscall table by means of the program 'kern_check', and no inconsistencies were found.

Googling around I also found references stating that LKM detection on 'chkrootkit 0.43' is sometimes prone to false positives, and even the FAQ of the program indicates that some processes could report false detections in some cases.

In view of all this, can I assume that this has been a false positive, or is there room for suspicion?

Many thanks in advance.
 
Old 03-08-2004, 02:20 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953
In view of all this, can I assume that this has been a false positive, or is there room for suspicion?
There's always room for suspicion, depends on how far you wanna go :-]
Basically, yes, you could regard it as a false positive, the Chkrootkit FAQ says it all, like you already found. Best advice I can give is to save a copy of the rpm database to readonly media after installing the OS for usage just like this. Besides that rpm doesn't track other type of installs, so use a filesystem integrity checker after installing the OS and save a copy of the binary and databases to readonly media. If you are really really suspicious about a certain situation, power off the box and use something like Knoppix, FIRE or PSK. Then almost nothing can get in the way of you achieving near perfect results. *If you would argue it's bad to power down a production server, ask yourself what will cost you (or the company) the most in the end: a compromised server caught early or mopping up a year after, loosing customer confidence etc etc.
 
Old 03-09-2004, 10:16 AM   #3
Mr. Gone
LQ Newbie
 
Registered: Mar 2004
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks for the help, unSpawn.

I think I'm not going to reinstall this time, as it seems like a false positive. All subsequents runs of 'chkrootkit' done since then didn't find anything related to LKM, and all the other checks I did (rpm -V, 'kern_check', etc) did not show anything abnormal. As for file integrity verification, I use 'mtree' and it didn't find any prove of files alteration either. I also have Knoppix, though I haven't used it yet.

Thanks again for your kind advice.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
core 4 (any positive??) Atrocity Fedora 5 07-08-2005 12:31 PM
Snort: Block False Positive from Dlink Wireless Router omICron Linux - Security 1 01-01-2005 02:41 AM
chkrootkit false alarm? Mogh Linux - Security 3 09-07-2004 04:15 PM
Chkrootkit False Positives Sabicas Linux - Software 0 08-03-2004 01:42 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 0 03-08-2004 09:06 AM


All times are GMT -5. The time now is 05:54 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration