On Thu, Feb 07, 2002 at 10:27:20AM +0000, bsamuels@beenthere-donethat.org.uk wrote:
> I recently saw the following in a chkrootkit report:
>
> Feb 7th - Checking `lkm'...
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
Basically it's saying something showed up in /proc, but didn't show up in the output from ps. This doesn't only happen when there is a trojan (it would be a trojaned ps command in this case, imho).
For example:

Process A starts.
chkproc starts (the part of chkrootkit that checks ps against /proc).
chkproc runs ps and saves part of the output into an array.
Process A terminates.
Process B starts.
chkproc checks the "cached" ps output array against /proc, but only finds process B in /proc and doesn't find B in the output from ps; it doesn't find process A in /proc at all, although it was in the cached output from ps.
This is because B started after ps was executed, and A terminated after ps was executed but before /proc was examined (or before chkproc got around to examining /proc/pidof-A). This is an ugly race condition in chkproc.
That isn't necessarily what happened, but it's a possibility. Do any cronjobs and so on start executing around the same time that chkrootkit was running? Or maybe someone was using the computer then?
The only real way to be fairly sure you haven't been trojaned is to boot the computer from a floppy and compare the md5 checksums you have stored somewhere safe (you do have those, right? ;) of all the stuff installed, in particular: /bin/ps, /lib/libproc*, /lib/libc* and /lib/ld*
> Checking earlier reports I see:
>
> Jan 19th - Checking `lkm'... nothing detected
> ...
> Feb 1st - Checking `lkm'... nothing detected
> Feb 3rd - Checking `lkm'...
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Feb 5th - Checking `lkm'... nothing detected
>
> So although the first warning appears on Feb 3rd, it does not show on Feb 5th but re-appears on Feb 7th. Because of that I'm assuming (hoping?) it may be a false alarm. Well, it does say 'Possible'!
Well, as it seems to happen sometimes and not others in a fairly unpredictable way, to me it really does stink of a race condition. :)
> I have only a standard dial-up connection and have PMFirewall installed and running when I'm connected to the internet. I run chkrootkit every other day.
chkrootkit should really be run from a boot floppy or read-only media. (On a production system, though, this probably isn't acceptable, so...) You may also want to run snort (http://www.snort.org). There are some tricks to do in /etc/ppp/ip-up to make it happy with a dynamic IP address; pasting them would probably be wasting too many people's bandwidth, though.
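Added example, not part of this thread and not chkrootkit's chkproc: a small Python script that does the same ps-versus-/proc comparison but takes two samples before calling anything hidden, so a process that starts or exits between the ps run and the /proc scan (the race described above) is reported as transient rather than as a possible LKM trojan. It also does the readdir-versus-lookup check on /proc, skipping thread entries, which Linux serves on lookup without listing them and which would otherwise look exactly like a hidden process. Assumptions: Linux with /proc mounted and a procps-style ps that accepts `-eo pid=`; the function names (`classify`, `readdir_hidden`, `run_check`) and the sample PID sets are chosen here for illustration.

```python
#!/usr/bin/env python3
"""Added example (not chkrootkit's code): a chkproc-style ps-vs-/proc check
that samples twice before flagging, so a process that starts or exits between
the ps run and the /proc scan is reported as transient, not hidden.
Assumes Linux with /proc and a procps-style `ps -eo pid=`. Like chkproc it
trusts the kernel's /proc over ps; a module that hides a PID from both is out
of scope.
"""
import os
import subprocess
import time


def ps_pids():
    """PIDs as reported by ps(1), the possibly trojaned userland view."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def proc_pids_readdir():
    """PIDs that readdir(2) on /proc lists (what `ls /proc` shows)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def proc_pids_lookup(pid_max=None):
    """PIDs reachable by opening /proc/<pid> directly, for 1..pid_max.
    A module that filters readdir but not lookup still leaves these visible."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"/proc/{pid}")}


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status; None if the entry is gone."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def classify(ps_first, proc_first, ps_second, proc_second):
    """Split PIDs seen in /proc but not in ps into (hidden, transient).

    A PID counts as hidden only if it is in /proc and missing from ps in BOTH
    samples. A PID that is suspect in only one sample started or exited in
    between: the race a single cached ps snapshot cannot tell from hiding.
    Both results are sorted lists.
    """
    first = proc_first - ps_first
    second = proc_second - ps_second
    return sorted(first & second), sorted(first ^ second)


def readdir_hidden(readdir_before, lookup, readdir_after, tgid=tgid_of):
    """PIDs reachable by lookup but listed by neither readdir pass.

    Threads are skipped: Linux serves /proc/<tid> on lookup without listing
    it in readdir, which would otherwise look like an LKM hiding a process.
    Entries that vanished before their status could be read are skipped too.
    """
    hidden = []
    for pid in sorted(lookup - readdir_before - readdir_after):
        t = tgid(pid)
        if t is not None and t == pid:
            hidden.append(pid)
    return hidden


def run_check(delay=1.0, pid_max=None):
    """Live run: returns (hidden_from_ps, transient, hidden_from_readdir)."""
    ps1, proc1 = ps_pids(), proc_pids_readdir()
    time.sleep(delay)
    ps2, proc2 = ps_pids(), proc_pids_readdir()
    hidden_ps, transient = classify(ps1, proc1, ps2, proc2)
    rd1 = proc_pids_readdir()
    looked_up = proc_pids_lookup(pid_max)
    rd2 = proc_pids_readdir()
    return hidden_ps, transient, readdir_hidden(rd1, looked_up, rd2)


if __name__ == "__main__":
    hidden_ps, transient, hidden_rd = run_check()
    for pid in transient:
        print(f"pid {pid}: seen in only one sample, started or exited mid-check")
    for pid in hidden_ps:
        print(f"pid {pid}: in /proc both times, never in ps: trojaned ps or LKM?")
    for pid in hidden_rd:
        print(f"pid {pid}: /proc/{pid} opens but readdir never lists it: LKM?")
    if not hidden_ps and not hidden_rd:
        print("nothing detected")
```

Run it from an ordinary shell; /proc/<pid>/status is world-readable, so root is not needed. The lookup loop walks 1..pid_max (read from /proc/sys/kernel/pid_max, 4194304 on current 64-bit kernels), which takes a few seconds; pass a smaller `pid_max` to `run_check` if that is too slow. A hidden process that happens to start between the two samples lands in the transient bucket the first time, so a transient report is a reason to re-run rather than to stop. Like chkproc, this only catches a ps that lies about what the kernel's /proc still shows; it says nothing about a module that filters both, which is why the offline checksum comparison of ps and the libraries it depends on remains the stronger test.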