LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
05-22-2003, 01:24 PM   #1
Crashed_Again (Senior Member)

chkrootkit and lkm


When running chkrootkit I've gotten some output like this:

Checking `lkm'... You have 4 process hidden for readdir command
Warning: Possible LKM Trojan installed

It seems to happen randomly. Sometimes I get the 'nothing detected' and sometimes I get the above message.

Could this be a false positive?

<EDIT>
Okay after doing a little more troubleshooting it seems that I only get the warning when MozillaFirebird is running. I downloaded it straight from Mozilla.org so I doubt that it is infected.
</EDIT>

Last edited by Crashed_Again; 05-22-2003 at 01:30 PM.
 
05-22-2003, 01:49 PM   #2
unSpawn (Moderator)

Could be fast processes, like in dying before the check completes.
 
06-08-2003, 03:17 PM   #3
Crashed_Again (Original Poster)

Okay it seems to be getting worse:

Checking `lkm'... You have 34 process hidden for readdir command
Warning: Possible LKM Trojan installed

I hate it when things say possible...is there any way I can nail this down to determine what is going on here?
 
06-08-2003, 08:54 PM   #4
unSpawn (Moderator)

Ok, so what's the diff with a month ago? What do you have installed and running that wasn't running at the time?

If you were to run chkrootkit 3 times in a row, and you get approximately the same amount of LKM warnings, then there are three things you could do if you really want to find out.

- Check your system against your Aide/Samhain/tripwire database. Provided the db has not been tampered with and system calls to the checker binary aren't intercepted, any file previously unaccounted for should show up. This doesn't get you the angle on the processes, but verifies (within some margin of error) if the system has been tampered with.
- Run cryogenic. If you trust me somehow, fetch the cryogenic-1.0-binary.i386.rpm, else Google for "Dave Dittrich" or "Introducing Cryogenic" and you'll find the source. Compile it statically on another box. Cryogenic saves /proc info for (nearly) all processes, so then you've got a copy of what's in /proc/$PID and you can verify the md5/sha1sum of the saved exe against the binary.
- Boot Biatchux/FIRE and fire off another integrity checking run. In the event an LKM is introduced in the system that allows for hiding processes and dirs, hiding won't work if the kernel ain't running.

*I'm quite sure the three checks I mentioned (except for integrity) won't return positives, and your system is sane and it's caused by fast processes dying.
Still it won't hurt to know and practice some routines...
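Added example (not part of any post above, and not chkrootkit's own code): a Python script that reproduces the comparison behind the `lkm` check and repeats it, as post #4 suggests doing with chkrootkit itself, so that PIDs hidden in one run only can be told apart from PIDs hidden every time. chkrootkit's chkproc helper finds processes by probing every candidate PID with system calls such as kill(pid, 0) and then compares that set with what readdir on /proc lists; a process that exits between the probe and the listing is counted as "hidden for readdir command", which is the fast-process explanation in post #2. The script also discards non-leader thread IDs: on current kernels kill(tid, 0) succeeds for a thread, but the /proc listing only shows thread-group leaders, so a heavily threaded program would otherwise look like a set of hidden processes. Assumptions: Linux with procfs mounted on /proc and the script run as root (with the hidepid mount option, readdir hides other users' PIDs from an unprivileged user while kill(pid, 0) still returns EPERM, which shows up as "hidden"); the function names, the probe-then-list order and the 3-run / 1-second defaults are this example's choices, not chkrootkit's.

```python
#!/usr/bin/env python3
"""Repeat a chkproc-style "hidden for readdir" comparison and separate
PIDs that are hidden in every run (worth investigating) from PIDs that
were hidden in some runs only (consistent with short-lived processes).

Added example, not chkrootkit code. Assumes Linux with procfs on /proc.
"""
import os
import time

PROC = "/proc"  # assumed procfs mount point


def pid_max():
    """Highest PID the kernel will hand out; falls back to the classic 32768."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def probe_pids(limit=None):
    """Find live PIDs by asking the kernel directly: kill(pid, 0) for every
    candidate. ESRCH means no such process; EPERM means it exists but is
    not ours, so it still counts as found."""
    found = set()
    for pid in range(1, (limit or pid_max()) + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def readdir_pids():
    """PIDs reported by a directory listing of /proc, which is what `ls /proc`
    and `ps` rely on and what a readdir-hooking LKM would filter."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def thread_group(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def hidden_in_run(probed, listed, tgid_of=thread_group):
    """PIDs the probe found but readdir did not, minus non-leader threads:
    kill(tid, 0) succeeds for a thread, yet /proc only lists thread-group
    leaders, so a thread of a listed process is not a hidden process."""
    hidden = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            continue  # thread of a visible process
        hidden.add(pid)
    return hidden


def classify(runs):
    """Split per-run hidden sets into (persistent, transient): persistent PIDs
    were hidden in every run, transient ones in some runs only."""
    runs = [set(r) for r in runs]
    if not runs:
        return set(), set()
    persistent = set.intersection(*runs)
    transient = set.union(*runs) - persistent
    return persistent, transient


def scan(times=3, pause=1.0, limit=None):
    """Run the comparison `times` times, probing first and listing second, so a
    process that exits in between is counted as hidden in that run only."""
    runs = []
    for _ in range(times):
        probed = probe_pids(limit)
        listed = readdir_pids()
        runs.append(hidden_in_run(probed, listed))
        time.sleep(pause)
    return classify(runs)


if __name__ == "__main__":
    persistent, transient = scan()
    print(f"hidden in every run (investigate): {sorted(persistent)}")
    print(f"hidden in some runs only (likely short-lived processes): {sorted(transient)}")
```

A PID that lands in the persistent set on every run, and whose /proc/<pid> directory can still be entered directly even though readdir omits it, is the case the chkrootkit warning is actually about; a changing set of transient PIDs while a browser or build is running is the race that post #2 describes. The probe loop walks the whole PID range, so one run takes a few seconds on a kernel with pid_max at 4194304; pass a smaller `limit` only for experimenting, since a hidden process above the limit would be missed.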
 
  

