I recently saw the following in a chkrootkit report:
Feb 7th - Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking earlier reports I see:
Jan 19th - Checking `lkm'... nothing detected
Jan 21st - Checking `lkm'... nothing detected
Jan 23rd - Checking `lkm'... nothing detected
Jan 25th - Checking `lkm'... nothing detected
Jan 29th - Checking `lkm'... nothing detected
Jan 31st - Checking `lkm'... nothing detected
Feb 1st - Checking `lkm'... nothing detected
Feb 3rd - Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Feb 5th - Checking `lkm'... nothing detected
So although the first warning appears on Feb 3rd it does not show on Feb 5th but re-appears on Feb 7th. Because of that I'm assuming (hoping?) it may be a false alarm. Well it does say 'Possible'!
I have only a standard dial-up connection and have PMFirewall installed and running when I'm connected to the internet. I run chkrootkit every other day.
What do you think chaps? (Chaps is a generic term which includes chapesses).
Barry Samuels
on Thu, Feb 07, 2002 at 10:27:20AM +0000, bsamuels@beenthere-donethat.org.uk wrote:
I recently saw the following in a chkrootkit report:
Feb 7th - Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Basically it's saying something showed up in /proc, but didn't show up in the output from ps. This doesn't only happen when there is a trojan (it would be a trojaned ps command in this case, imho).
For example:
Process A starts.
chkproc starts (the part of chkrootkit that checks ps against /proc).
chkproc runs ps and saves part of the output into an array.
Process A terminates.
Process B starts.
chkproc checks the "cached" ps output array against /proc, but finds only process B in /proc and doesn't find B in the output from ps; it doesn't find process A in /proc at all, although it was in the cached output from ps.
This is because B started after ps was executed, and A terminated after ps was executed but before /proc was examined (or before chkproc got around to examining /proc/pidof-A). This is an ugly race condition in chkproc.
That isn't necessarily what happened, but it's a possibility. Do any cronjobs and so on start executing around the same time that chkrootkit was running? Or maybe someone was using the computer then?
The only real way to be fairly sure you haven't been trojaned is to boot the computer from a floppy and compare the md5 checksums you have stored somewhere safe (you do have those, right? ;) of all the stuff installed, in particular: /bin/ps /lib/libproc* /lib/libc* and /lib/ld*
Checking earlier reports I see:
Jan 19th - Checking `lkm'... nothing detected
...
Feb 1st - Checking `lkm'... nothing detected
Feb 3rd - Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Feb 5th - Checking `lkm'... nothing detected
So although the first warning appears on Feb 3rd it does not show on Feb 5th but re-appears on Feb 7th. Because of that I'm assuming (hoping?) it may be a false alarm. Well it does say 'Possible'!
Well, as it seems to happen sometimes and not others in a fairly nonpredictable way, to me, it really does stink of a race condition. :)
I have only a standard dial-up connection and have PMFirewall installed and running when I'm connected to the internet. I run chkrootkit every other day.
chkrootkit should really be run from a boot floppy or read-only media. (On a production system, though, this probably isn't acceptable, so..) You may also want to run snort (http://www.snort.org). There are some tricks to do in /etc/ppp/ip-up to make it happy with a dynamic ip address; pasting them would probably be wasting too many people's bandwidth though.
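The race xsprite describes above (a process starting or exiting between the moment ps is run and the moment /proc is scanned) can be made much less noisy by taking a /proc snapshot on both sides of the ps run. The following Python script is an added illustration written for this thread; it is not chkrootkit's chkproc source, and its sample PIDs and scenarios are constructed. The two-snapshot rule it implements is an assumption about how one might reduce the race, not a description of what chkrootkit does. Like the check in the thread, it only catches a process that is visible in /proc but missing from ps output.

```python
"""Added illustration: a /proc-versus-ps comparison that tolerates the
start/exit race described in the thread.

The checker takes a /proc snapshot, runs ps, then takes a second /proc
snapshot. A PID is only reported as hidden when it is present in BOTH
/proc snapshots yet absent from ps; a PID present in only one snapshot is
a process that started or exited while the check ran (the race that
produced the false alarm above). This is an independent illustration, not
chkrootkit's chkproc source.
"""
import os
import subprocess
from dataclasses import dataclass


@dataclass
class Verdict:
    hidden: set       # in both /proc snapshots but missing from ps output
    transient: set    # in only one /proc snapshot: started or exited mid-check


def naive_compare(ps_seen, proc_after):
    """Single-snapshot check: anything in /proc that ps did not list.
    This is the comparison the thread describes, and it mislabels a
    process that started after ps ran as 'hidden'."""
    return proc_after - ps_seen


def classify(proc_before, ps_seen, proc_after, own_pids=frozenset()):
    """Two-snapshot check. own_pids (the checker itself) are excluded
    from every verdict; a ps child lives only between the two snapshots
    and so never appears in either of them."""
    own = set(own_pids)
    stable = (proc_before & proc_after) - own
    return Verdict(
        hidden=stable - ps_seen,
        transient=(proc_before ^ proc_after) - own,
    )


def proc_pids():
    """PIDs currently visible as numeric directories in /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs reported by ps(1), the same tool chkproc compares against
    (assumes a procps-style ps that accepts -e -o pid=)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_check():
    """Run the two-snapshot check on the local machine; requires Linux /proc."""
    before = proc_pids()
    seen = ps_pids()
    after = proc_pids()
    return classify(before, seen, after, own_pids={os.getpid()})


# Constructed scenario from the thread (PIDs are made up for illustration):
# process A (pid 100) is running when the check starts and ps lists it, then
# A exits and process B (pid 200) starts before /proc is re-read.
SCENARIO_RACE = dict(proc_before={1, 100}, ps_seen={1, 100}, proc_after={1, 200})
# Constructed scenario of a genuinely hidden process: pid 300 is in /proc
# throughout but never appears in ps output.
SCENARIO_HIDDEN = dict(proc_before={1, 100, 300}, ps_seen={1, 100},
                       proc_after={1, 100, 300})

if __name__ == "__main__":
    print("naive verdict, race scenario:", naive_compare(
        SCENARIO_RACE["ps_seen"], SCENARIO_RACE["proc_after"]))
    print("two-snapshot verdict, race scenario:", classify(**SCENARIO_RACE))
    print("two-snapshot verdict, hidden scenario:", classify(**SCENARIO_HIDDEN))
    if os.path.isdir("/proc"):
        print("live check on this host:", live_check())
```

On the constructed race scenario the single-snapshot comparison reports pid 200 as hidden, while the two-snapshot check reports nothing hidden and lists 100 and 200 as transient; on the second scenario both agree that pid 300 is hidden. A persistent "hidden" verdict across repeated runs is the signal worth acting on; a verdict that comes and goes, as in Barry's reports, is what a cron job or other short-lived process produces.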
Thanks for your suggestions.
Since sending that last email I ran chkrootkit 2-3 times over a period and it produced the lkm warning each time.
I thought that I would try re-booting 'just in case' and since the re-boot chkrootkit has not displayed the lkm warning at all.
Is that indicative of anything?
Barry Samuels
on Thu, Feb 07, 2002 at 05:59:07PM +0000, bsamuels@beenthere-donethat.org.uk wrote:
Thanks for your suggestions.
Since sending that last email I ran chkrootkit 2-3 times over a period and it produced the lkm warning each time.
I thought that I would try re-booting 'just in case' and since the re-boot chkrootkit has not displayed the lkm warning at all.
Is that indicative of anything?
Hmm, maybe there was an lkm, but any self respecting lkm will reload itself upon reboot, and it appears it did not. Have you checked /etc/rc*? Was there anything running in the background when you did a chkrootkit? Especially something that executes more programs quite regularly.
I don't think anything has been trojanned, but I'm not sure why chkrootkit keeps giving false positives. I guess it could be flaky software/hardware somewhere, or a race condition or something.
If you have been trojanned, and it's not a run-of-the-mill thing, someone has taken more time to write it and keep it secret. This is improbable, because:
1) You are a dialup user. They are not interested in your bandwidth.
2) You are security conscious. This increases the level of detection; if they've spent time and effort to keep their hiding mechanism to themselves, this is an influence, because you might just come across it, or suddenly decide to unplug your box and run tct over it.
3) Afaik, the machine isn't a production or "critical" (in the business sense of the word) machine, so you can afford to take it down if necessary.
4) It is probably a personal machine. Small amounts of personal information generally aren't of any value to your average cracker. It might be for some social engineering or getting passwords to more powerful places, but it's unlikely. There might be credit cards, but why bother with a single user's machine when there's an open NFS mount on some porn site with 200k different numbers?
These are probably worth a read:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/unix_security_checklist2.0.html