This is a discussion on Trojan or Virus? within the Linux Security forums, part of the System Security and Security Related category.
Hi,

today I read in a book how to check for possible intrusions. I executed the following command to see whether or not some processes do not show up using ps:

ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
99
100

How come that there exists this discrepancy and should I be worried about this? I mean there is one more process in the process list than in the ps list. If it was a trojan I guess it should be the opposite (hiding from ps).

I also ran chkrootkit:

Checking `bindshell'... INFECTED (PORTS: 600)
Checking `lkm'... You have 40 process hidden for readdir command
You have 40 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets
vmnet8: not promisc and no packet sniffer sockets

Now I'm not so worried about that, because I read that this is a problem with the command chkrootkit. I'm running debian/testing kernel 2.6.5.
Fritz Bayer wrote:
> Hi,
>
> today I read in a book how to check for possible intrusions. I
> executed the following command to see whether or not some processes do
> not show up using ps:
>
> ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
> 99
> 100
>
> How come that there exists this discrepancy

The discrepancy exists because of the way you ran the check.

> and should I be worried about this?

No.

> I mean there is one more process in the process list than
> in the ps list.

Not really. You miscounted.

> If it was a trojan I guess it should be the opposite (hiding from ps).

Analyze it.

First off, assume that there is a constant number of processes running in your system, excluding the processes you used in order to check the process count.

Now,
  ls -d /proc/* |grep [0-9]|wc -l
adds three processes to that constant (an "ls" process, a "grep" process, and a "wc" process). This pipeline reports N+3 processes.

OTOH,
  ps ax|wc -l
adds two processes to the constant number of processes (a "ps" process and a "wc" process). Since this pipeline is run after the first pipeline completes, it doesn't count the first pipeline's processes. So, this pipeline reports N+2 processes.

N+3 > N+2

but
N !> N

[snip]

As for chkrootkit, this seems to be a spurious response because some processes (like Nautilus) hide a number of their child processes. The LKM response has been discussed to death, and you can google for the relevant information.

--
Lew Pitcher
IT Consultant, Enterprise Application Architecture,
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed are my own, not my employers')
Lew Pitcher <Lew.Pitcher@td.com> wrote in message news:<m1PKc.11270$Gf7.268815@news20.bellglobal.com>...
> Fritz Bayer wrote:
>
> > Hi,
> >
> > today I read in a book how to check for possible intrusions. I
> > executed the following command to see whether or not some processes do
> > not show up using ps:
> >
> > ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
> > 99
> > 100
> >
> > How come that there exists this discrepancy
>
> The discrepancy exists because of the way you ran the check
>
> > and should I be worried about this?
>
> No.
>
> > I mean there is one more process in the process list than
> > in the ps list.
>
> Not really. You miscounted.

Are you sure - I typed this down from an O'Reilly book and on another remote system the two numbers always turn out to be equal!

> > If it was a trojan I guess it should be the opposite (hiding from ps).
>
> Analyze it.
>
> First off, assume that there is a constant number of processes running in your
> system, excluding the processes you used in order to check the process count.
>
> Now,
> ls -d /proc/* |grep [0-9]|wc -l
> adds three processes to that constant (an "ls" process, a "grep" process, and a
> "wc" process). This pipeline reports N+3 processes
>
> OTOH,
> ps ax|wc -l
> adds two processes to the constant number of processes (a "ps" process and a
> "wc" process). Since this pipeline is run after the first pipeline completes, it
> doesn't count the first pipeline's processes. So, this pipeline reports N+2
> processes.
>
> N+3 > N+2
>
> but
> N !> N
>
> [snip]
> As for chkrootkit, this seems to be a spurious response because some processes
> (like Nautilus) hide a number of their child processes. The LKM response has
> been discussed to death, and you can google for the relevant information.
>
> --
> Lew Pitcher
> IT Consultant, Enterprise Application Architecture,
> Enterprise Technology Solutions, TD Bank Financial Group
>
> (Opinions expressed are my own, not my employers')
Fritz Bayer wrote:
> Lew Pitcher <Lew.Pitcher@td.com> wrote in message news:<m1PKc.11270$Gf7.268815@news20.bellglobal.com>...
> > Fritz Bayer wrote:
[snip]
>> Are you sure - I typed this down from an O'Reilly book and on another
>> remote system the two numbers always turn out to be equal!

Results from an uninfected system:

~ $ ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
57
56
~ $

[snip]

--
Lew Pitcher
Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
"Fritz Bayer" <fritz-bayer@web.de> wrote in message news:a9c0aa9e.0407190306.3da9f131@posting.google.com
> ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
> 99
> 100
>
> How come that there exists this discrepancy and should I be worried
> about this?

If you simply run the "ps ax" command, you'll notice the column header line:

PID TTY STAT TIME COMMAND

tony
--
use hotmail for email replies
On 2004-07-19, Lew Pitcher <lpitcher@sympatico.ca> wrote:
>>> Are you sure - I typed this down from an O'Reilly book and on another
>>> remote system the two numbers always turn out to be equal!
> Results from an uninfected system:
> ~ $ ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
> 57
> 56

curty@einstein:~$ ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
47
47
curty@einstein:~$ ps ax | grep grep
curty@einstein:~$

Race condition?
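The /proc-versus-ps comparison the thread keeps tripping over, written as an added example (not code from any poster): it takes the /proc snapshot in the current shell so no ls/grep/wc helpers are forked, suppresses the ps header line tony points out, and repeats the check so that short-lived processes (curty's race) drop out, leaving only PIDs that ps consistently fails to report. It assumes a POSIX sh on Linux with /proc mounted and a ps that accepts -e -o pid=; pids_missing_from is a constructed helper and the PID lists in the test are constructed.

```shell
# Added example, not from the thread: compare /proc with ps without the pitfalls discussed above.

# PIDs from the first whitespace-separated list that are absent from the second.
pids_missing_from() {
  ref=" $(echo $2) "            # normalise newlines to single spaces
  for p in $1; do
    case "$ref" in
      *" $p "*) ;;              # present in the reference list
      *) printf '%s\n' "$p" ;;  # missing: report it
    esac
  done
}

# Snapshot PIDs from /proc: numeric directory names only (never /proc/self or /proc/sys).
# Runs in the current shell, so no ls/grep/wc helper processes are added to the count.
proc_pids() {
  for d in /proc/[0-9]*; do
    [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
  done
}

# Snapshot PIDs from ps. "pid=" sets an empty column header, so there is no
# "PID TTY STAT TIME COMMAND" line to subtract afterwards (the off-by-one in the thread).
ps_pids() {
  ps -e -o pid= | tr -d ' '
}

# One comparison: PIDs present in /proc that ps does not report. The /proc scan runs in a
# subshell here, so its own PID and any short-lived process can appear; one run proves nothing.
compare_once() {
  pids_missing_from "$(proc_pids)" "$(ps_pids)"
}

# Repeat the comparison and keep only PIDs that ps misses every round and that still exist in
# /proc afterwards: the check's own helpers and transient processes drop out, a hidden one does not.
persistent_hidden() {
  rounds=${1:-3}; i=1
  suspects=$(compare_once)
  while [ "$i" -lt "$rounds" ] && [ -n "$suspects" ]; do
    suspects=$(pids_missing_from "$suspects" "$(ps_pids)")
    i=$((i + 1))
  done
  for p in $suspects; do
    [ -d "/proc/$p" ] && printf '%s\n' "$p"
  done
  return 0
}

case "${1-}" in --run) persistent_hidden "${2:-3}" ;; esac
```

Run it as `sh check.sh --run 5` to do five rounds; an empty result is the expected outcome on a clean system, and any PID it does print is worth inspecting in /proc/PID/status and /proc/PID/exe before drawing conclusions.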