LinuxQuestions.org
Old 12-01-2005, 06:03 PM   #1
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Rep: Reputation: 15
Chkrootkit Alert. Am I actually compromised


I was reviewing my nightly notifications from my linux server this afternoon and I saw the following from chkrootkit

Quote:
/etc/cron.daily/chkrootkit:
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
eth0: PACKET SNIFFER(/usr/sbin/snort[26839])
I ran chkrootkit again and it only shows snort. So I then ran -x lkm and got the following.

Quote:
nix:/sbin# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 2
###
CWD 3541: /var/lib/mysql
EXE 3541: /usr/sbin/mysqld
CWD 3542: /var/lib/mysql
EXE 3542: /usr/sbin/mysqld
CWD 3543: /var/lib/mysql
EXE 3543: /usr/sbin/mysqld
CWD 3544: /var/lib/mysql
EXE 3544: /usr/sbin/mysqld
CWD 3547: /var/lib/mysql
EXE 3547: /usr/sbin/mysqld
CWD 3548: /var/lib/mysql
EXE 3548: /usr/sbin/mysqld
CWD 3549: /var/lib/mysql
EXE 3549: /usr/sbin/mysqld
CWD 3550: /var/lib/mysql
EXE 3550: /usr/sbin/mysqld
CWD 3551: /var/lib/mysql
EXE 3551: /usr/sbin/mysqld
What's the likelihood I've actually been compromised and this isn't a false positive? The server is still up and running and I haven't killed any processes. I'm wondering if I shouldn't scratch chkrootkit and install fresh from source and then scan it again?

My reading on google suggests that LKM Trojan can frequently be reported as a false positive so I don't want to jump the gun and do a complete format / reinstall if it's not necessary.

Any advice/suggestions are greatly appreciated!
 
Old 12-01-2005, 07:16 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The lkm check is prone to false positives especially for threaded processes, which I wouldn't be surprised to see spawning from mysql. That being said, check the integrity of the mysqld binary; on rpm-based distros you can use rpm -V <package_name>. Otherwise you can compare its md5 hash to a known good version.

Also, is snort supposed to be on this box?
 
Old 12-01-2005, 07:35 PM   #3
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
The lkm check is prone to false positives especially for threaded processes, which I wouldn't be surprised to see spawning from mysql. That being said, check the integrity of the mysqld binary; on rpm-based distros you can use rpm -V <package_name>. Otherwise you can compare its md5 hash to a known good version.

Also, is snort supposed to be on this box?
Yup. Snort is intentional. I'm running Debian and MySQL was originally installed via apt-get.

Here's what I see on my system.

Quote:
$ sudo mysql -V
mysql Ver 14.7 Distrib 4.1.11, for pc-linux-gnu (i386)
Quote:
$ md5sum -b /usr/sbin/mysqld
7d68a5b3adab3eb7cbed1add8ae37d37 */usr/sbin/mysqld
Apparently that version of Mysql is several revisions behind, although apt never found a newer version to upgrade to. I checked the mysql source archives at http://downloads.mysql.com/archives....l-4.1&v=4.1.11 and didn't find any package name or MD5 that matched. Is there someplace else I should be looking for a valid MD5 sum or am I SOL?
 
Old 12-01-2005, 07:44 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
The lkm check is prone to false positives especially for threaded processes
I'd like to rephrase that as "the way the LKM check is done *any* short-lived process can cause an FP".

One way to diminish chances of running alien binaries could be to use GRSecurity's "Trusted Path Execution". This means no binaries can be run except those in $PATH, provided PATH is set to a sane choice of dirs and those dirs and binaries can not be tainted (ownership, attributes, extended attributes, mount flags). If you're running a server as well check on mounting $TEMP dirs with noexec and/or nosuid mount flags where possible. Do run a check if this causes trouble for applications though.
 
Old 12-01-2005, 08:00 PM   #5
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by unSpawn
The lkm check is prone to false positives especially for threaded processes
I'd like to rephrase that as "the way the LKM check is done *any* short-lived process can cause an FP".

One way to diminish chances of running alien binaries could be to use GRSecurity's "Trusted Path Execution". This means no binaries can be run except those in $PATH, provided PATH is set to a sane choice of dirs and those dirs and binaries can not be tainted (ownership, attributes, extended attributes, mount flags). If you're running a server as well check on mounting $TEMP dirs with noexec and/or nosuid mount flags where possible. Do run a check if this causes trouble for applications though.
Thanks for the info UnSpawn. I already have my /tmp directory mounted as such

/dev/hda8 /tmp ext3 rw,noexec,nosuid


I'm still hoping I can find the correct MD5 to compare to. I'd rather not have to do a complete re-install of the server.
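The mount-flag advice in unSpawn's post can be turned into a repeatable check. The script below is an added example for this thread, not code from any poster or from GRSecurity: it reads mount-table lines in /proc/mounts format (device, mountpoint, fstype, options, dump, pass) from stdin and reports any requested temp directory that is either not a separate mount at all or is mounted without noexec or nosuid. The sample table is constructed and reuses the /tmp line shown in the post above; the list of directories to check is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: report temp mountpoints that lack the
# noexec/nosuid flags. Reads mount-table lines in /proc/mounts format from stdin,
# so it works on the live file as well as the constructed sample below.
# /proc/mounts is preferred over /etc/fstab because it shows the flags actually
# in effect, not the ones that were requested.

# check_mount_flags MOUNTPOINT...: print one line per listed mountpoint that is
# missing noexec or nosuid, and one line per mountpoint that is not a separate
# mount (a /tmp directory on the root filesystem inherits the flags of /).
# Returns 0 only when every requested mountpoint is present with both flags.
check_mount_flags() {
    problems=0
    table=$(cat)     # read the whole table once, then scan it per mountpoint
    for want in "$@"; do
        line=$(printf '%s\n' "$table" | awk -v m="$want" '$2 == m { print; exit }')
        if [ -z "$line" ]; then
            echo "$want: not a separate mount (inherits the flags of its parent)"
            problems=$((problems + 1))
            continue
        fi
        # split "device mountpoint fstype options ..." without a subshell
        dev=${line%% *};    rest=${line#* }
        mnt=${rest%% *};    rest=${rest#* }
        fstype=${rest%% *}; rest=${rest#* }
        opts=${rest%% *}
        lacking=""
        case ",$opts," in *,noexec,*) ;; *) lacking="$lacking noexec" ;; esac
        case ",$opts," in *,nosuid,*) ;; *) lacking="$lacking nosuid" ;; esac
        if [ -n "$lacking" ]; then
            echo "$mnt ($fstype on $dev): missing$lacking"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# count_mount_problems MOUNTPOINT...: same check, prints only the number of findings.
count_mount_problems() {
    check_mount_flags "$@" | grep -c .
}

# Constructed sample table: the poster's /tmp line, plus a /var without the flags
# and a /dev/shm that has nosuid but not noexec. /var/tmp is deliberately absent.
SAMPLE_MOUNTS='/dev/hda8 /tmp ext3 rw,noexec,nosuid 0 0
/dev/hda7 /var ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0'

# Stand-alone run: use the live table when available, otherwise the sample.
# Directories to check are an assumption; adjust to the server's layout.
if [ -r /proc/mounts ]; then
    check_mount_flags /tmp /var/tmp /dev/shm < /proc/mounts || echo "review the mounts listed above"
else
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_flags /tmp /var/tmp /dev/shm || echo "review the mounts listed above"
fi
```

On the sample table the check passes /tmp, flags /dev/shm for the missing noexec and reports /var/tmp as not being its own mount. As unSpawn notes, apply the flags first on a test box: package managers and some daemons unpack and run helpers from temp directories and will fail under noexec.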
 
Old 12-03-2005, 04:15 PM   #6
GL1800
Member
 
Registered: Jun 2005
Location: Lilburn, Ga
Distribution: FC5
Posts: 175

Rep: Reputation: 30
Might be a good idea to get rkhunter. I always like to have at least two ways to look at these things.
 
Old 12-06-2005, 07:48 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
Might be a good idea to get rkhunter.
Spreading your detection capabilities a way better idea would be to get Aide, Samhain or even tripwire running.
 
Old 03-18-2006, 01:37 AM   #8
mazinoz
Member
 
Registered: Mar 2003
Location: Mansfield Queensland Australia
Distribution: Linux Mint - Tara
Posts: 497

Rep: Reputation: 35
Quote:
Originally Posted by unSpawn
Might be a good idea to get rkhunter.
Spreading your detection capabilities a way better idea would be to get Aide, Samhain or even tripwire running.
I agree with unSpawn. The more detection tools the better, the more layers of security the better. Rootkithunter also looks for other system security vulnerabilities besides rootkits. Bastille and Aide as well as tripwire are very good tools.
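Two threads of this discussion come down to the same mechanism: Jukas asking (post #3) where a trustworthy MD5 for /usr/sbin/mysqld on Debian could come from, and unSpawn and mazinoz recommending AIDE, Samhain or Tripwire. Both are manifest comparisons, a stored list of file hashes checked against the live filesystem. The script below is an added example written for this thread, not code from chkrootkit, AIDE or Debian. It builds an md5 manifest for a directory tree, re-verifies it in a way that also catches added and removed files, and includes a helper for the per-package manifests dpkg keeps under /var/lib/dpkg/info/<package>.md5sums (the debsums tool automates that check). The directory tree in the demo is constructed; the file named mysqld in it is a stand-in, not a real binary, and the package name passed to the dpkg helper is the caller's to supply.

```shell
#!/bin/sh
# Added example for this thread, not code from chkrootkit, Debian or AIDE.
# Builds an md5 manifest (a "baseline") for a directory tree and re-verifies it
# later: the same idea AIDE/Samhain/Tripwire implement with more metadata, and
# the same "md5  path/relative/to/root" line format dpkg stores per package in
# /var/lib/dpkg/info/<package>.md5sums.

# build_manifest DIR: print "md5  relative/path" for every regular file under DIR,
# sorted so two runs over an unchanged tree produce byte-identical output.
build_manifest() {
    ( cd "$1" || exit 1
      find . -type f | sort | sed 's|^\./||' | while read -r f; do
          md5sum "$f"
      done )
}

# verify_manifest BASELINE DIR: rebuild the manifest for DIR and diff it against
# BASELINE (give an absolute path). Unlike "md5sum -c", diffing the two listings
# also reports files that were added or removed. Returns 0 when identical.
verify_manifest() {
    build_manifest "$2" | diff "$1" -
}

# verify_dpkg_package PACKAGE: check an installed Debian package against the
# manifest dpkg recorded at install time. That manifest lives on the same disk
# as the binaries, so a clean result means "unchanged since install", not proof
# the install itself was clean; a fresh copy of the .deb from a mirror is the
# stronger reference. PACKAGE is supplied by the caller (e.g. from "dpkg -S").
verify_dpkg_package() {
    manifest="/var/lib/dpkg/info/$1.md5sums"
    [ -r "$manifest" ] || { echo "no manifest for $1" >&2; return 2; }
    ( cd / && md5sum -c --quiet "$manifest" )
}

# demo_tamper: constructed scenario. Baseline a tree holding a stand-in for
# usr/sbin/mysqld and a config file, confirm it verifies clean, then modify the
# stand-in and drop in an extra file. Prints the number of changed manifest
# lines the check reports: 3 (old and new hash of mysqld, plus the new file).
demo_tamper() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/root/usr/sbin" "$work/root/etc"
    printf 'constructed stand-in, not a real binary\n' > "$work/root/usr/sbin/mysqld"
    printf '[mysqld]\nport=3306\n' > "$work/root/etc/my.cnf"

    build_manifest "$work/root" > "$work/baseline.md5"
    if ! verify_manifest "$work/baseline.md5" "$work/root" >/dev/null; then
        echo "unchanged tree failed to verify" >&2
        rm -rf "$work"
        return 2
    fi

    printf 'appended bytes simulate a replaced binary\n' >> "$work/root/usr/sbin/mysqld"
    printf 'unexpected new file\n' > "$work/root/usr/sbin/extra"
    changed=$(verify_manifest "$work/baseline.md5" "$work/root" | grep -c '^[<>]')
    rm -rf "$work"
    echo "$changed"
}

# Stand-alone run: report how many entries the tampered tree changes.
echo "changed manifest entries in the constructed tree: $(demo_tamper)"
```

The baseline must be written once, from a system you trust, and then stored where the host cannot silently rewrite it (read-only media or another machine); a manifest that sits beside the files it describes, which is exactly the situation with the dpkg md5sums files, only tells you whether something changed after that manifest was written. That is also why a vendor-published checksum, as Jukas was looking for, is worth more than a locally generated one for answering "was this binary ever good".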