chkrootkit 0.44 possible LKM trojan

A discussion from the Linux Security forums, System Security and Security Related category.
Hello.

My backup server is a RH9.0 intel machine with all the updates. Chkrootkit 0.43 reports everything is OK but I just ran version 0.44 and got a bit of a surprise:

    [root@spare chkrootkit-0.44]# ./chkrootkit lkm
    ROOTDIR is `/'
    Checking `lkm'... You have 4 process hidden for ps command
    Warning: Possible LKM Trojan installed
    [root@spare chkrootkit-0.44]# ./chkproc -v
    PID 1250: not in ps output
    PID 1251: not in ps output
    PID 1252: not in ps output
    PID 1253: not in ps output
    You have 4 process hidden for ps command

I've checked that ps and libproc.so are unchanged from the original rpm install.

I'm not sure whether this is a false alarm or not? I've unplugged it from the network and would appreciate any ideas on how to verify if I have a real problem or not...

(I'd like to avoid the reformat/reinstall from scratch option if possible).

Thanks,

Graham
Graham Vincent wrote:
> Hello.
>
> My backup server is a RH9.0 intel machine with all the updates. Chkrootkit
> 0.43 reports everything is OK but I just ran version 0.44 and got a bit of
> a surprise:
>
> [root@spare chkrootkit-0.44]# ./chkrootkit lkm
> ROOTDIR is `/'
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
> [root@spare chkrootkit-0.44]# ./chkproc -v
> PID 1250: not in ps output
> PID 1251: not in ps output
> PID 1252: not in ps output
> PID 1253: not in ps output
> You have 4 process hidden for ps command
>
> I've checked that ps and libproc.so are unchanged from the original rpm
> install.
>
> I'm not sure whether this is a false alarm or not? I've unplugged it from
> the network and would appreciate any ideas on how to verify if I have a
> real problem or not...
>
> (I'd like to avoid the reformat/reinstall from scratch option if possible).
>
> Thanks,
>
> Graham
>

This happened to me with older versions of chkrootkit, but with chkrootkit 0.43 it doesn't happen anymore. It used to be a bug in chkrootkit, but check your system thoroughly anyway.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
On Tue, 07 Sep 2004 11:24:24 +1200, Graham Vincent wrote:
> Hello.
>
> My backup server is a RH9.0 intel machine with all the updates. Chkrootkit
> 0.43 reports everything is OK but I just ran version 0.44 and got a bit of
> a surprise:
>
> [root@spare chkrootkit-0.44]# ./chkrootkit lkm
> ROOTDIR is `/'
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
> [root@spare chkrootkit-0.44]# ./chkproc -v
> PID 1250: not in ps output
> PID 1251: not in ps output
> PID 1252: not in ps output
> PID 1253: not in ps output
> You have 4 process hidden for ps command
>
> I've checked that ps and libproc.so are unchanged from the original rpm
> install.
>
> I'm not sure whether this is a false alarm or not? I've unplugged it from
> the network and would appreciate any ideas on how to verify if I have a
> real problem or not...
>
> (I'd like to avoid the reformat/reinstall from scratch option if possible).
>
> Thanks,
>
> Graham

Happens a lot (google will show you this) with chkrootkit. E.g. if you use clamav as virus scanner but other progs are known to give this result as well. Check out rkhunter!

Jos
On Tue, 07 Sep 2004 06:33:24 +0200, Jos wrote:
> On Tue, 07 Sep 2004 11:24:24 +1200, Graham Vincent wrote:
>
>> Hello.
>>
>> My backup server is a RH9.0 intel machine with all the updates. Chkrootkit
>> 0.43 reports everything is OK but I just ran version 0.44 and got a bit of
>> a surprise:
>>
>> [root@spare chkrootkit-0.44]# ./chkrootkit lkm
>> ROOTDIR is `/'
>> Checking `lkm'... You have 4 process hidden for ps command
>> Warning: Possible LKM Trojan installed
>> [root@spare chkrootkit-0.44]# ./chkproc -v
>> PID 1250: not in ps output
>> PID 1251: not in ps output
>> PID 1252: not in ps output
>> PID 1253: not in ps output
>> You have 4 process hidden for ps command
>>
>> I've checked that ps and libproc.so are unchanged from the original rpm
>> install.
>>
>> I'm not sure whether this is a false alarm or not? I've unplugged it from
>> the network and would appreciate any ideas on how to verify if I have a
>> real problem or not...
>>
>> (I'd like to avoid the reformat/reinstall from scratch option if possible).
>>
>> Thanks,
>>
>> Graham
>
> Happens a lot (google will show you this) with chkrootkit. E.g. if you use
> clamav as virus scanner but other progs are known to give this result as
> well. Check out rkhunter!
>
> Jos

Use chkproc -v -v to get the offending processes.

Jos
On Tue, 07 Sep 2004 06:37:51 +0200, Jos wrote:
> On Tue, 07 Sep 2004 06:33:24 +0200, Jos wrote:
>
>> On Tue, 07 Sep 2004 11:24:24 +1200, Graham Vincent wrote:
>>
>>> Hello.
>>>
>>> My backup server is a RH9.0 intel machine with all the updates. Chkrootkit
>>> 0.43 reports everything is OK but I just ran version 0.44 and got a bit of
>>> a surprise:
>>>
>>> [root@spare chkrootkit-0.44]# ./chkrootkit lkm
>>> ROOTDIR is `/'
>>> Checking `lkm'... You have 4 process hidden for ps command
>>> Warning: Possible LKM Trojan installed
>>> [root@spare chkrootkit-0.44]# ./chkproc -v
>>> PID 1250: not in ps output
>>> PID 1251: not in ps output
>>> PID 1252: not in ps output
>>> PID 1253: not in ps output
>>> You have 4 process hidden for ps command
>>>
>>> I've checked that ps and libproc.so are unchanged from the original rpm
>>> install.
>>>
>>> I'm not sure whether this is a false alarm or not? I've unplugged it from
>>> the network and would appreciate any ideas on how to verify if I have a
>>> real problem or not...
>>>
>>> (I'd like to avoid the reformat/reinstall from scratch option if possible).
>>>
>>> Thanks,
>>>
>>> Graham
>>
>> Happens a lot (google will show you this) with chkrootkit. E.g. if you use
>> clamav as virus scanner but other progs are known to give this result as
>> well. Check out rkhunter!
>>
>> Jos
>
> Use chkproc -v -v to get the offending processes.
>
> Jos

Interesting! Thanks for the second -v. named is the culprit for the 4 original hidden processes. I ran chkproc -v -v while I had pan open and that generated a further 6 hidden processes. It's looking more like a chkrootkit problem rather than a security breach :-)

Graham
In article <pan.2004.09.06.22.54.50.444291@spamtrap.invalid.nz>,
Graham Vincent wrote:

> My backup server is a RH9.0 intel machine with all the updates. Chkrootkit
> 0.43 reports everything is OK but I just ran version 0.44 and got a bit of
> a surprise:

As others have pointed out, it shouldn't be. 'chkrootkit' is a tool that looks for symptoms and signs seen during previous exploits. It is not (and probably can't be) foolproof. If you use it, and the results are negative, it doesn't mean your system is "clean". It only means that the exploits it's looking for may not be present. If you use it, and the results are positive, you need to read exactly what the tool was looking for, and then research what it's finding. Sometimes, it means you are r00ted - sometimes it's made a mistake.

The tool is only looking at certain things, and is only part of the job of keeping your system clean. Depending on your threat model (what you feel you might need to defend against), you might need to be doing a lot more, up to and possibly including monitoring disk and memory content from an external system. Depends on how paranoid you want to be.

> (I'd like to avoid the reformat/reinstall from scratch option if possible).

That remains the only safe option, but this doesn't mean it's time to do so. RH9 is unsupported by Red Hat now, though there _MAY_ be some errata available from download.fedoralegacy.org. At the very least you want to _scan_ the Bugtraq mailing list. A number of news servers carry a mirror of this list - look for mailing.unix.bugtraq or muc.lists.bugtraq on your news server.

Old guy
> PID 1250: not in ps output
> PID 1251: not in ps output
> PID 1252: not in ps output
> PID 1253: not in ps output

Leaving my feelings for chkrootkit aside, for future reference you could

    cd /proc/1250/ && cat cmdline

and get an idea of at least what the program says it is.

sin
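The two tips in this thread, Jos's `chkproc -v -v` to list the flagged PIDs and sin's `cat /proc/<pid>/cmdline` to see what each one claims to be, combined into one script. This is an added example, not code from chkrootkit or from anyone in the thread. It redoes the "/proc versus ps" comparison that chkproc performs, then explains each PID that ps does not show, with two extra checks that account for the kind of false positive Graham ended up with: a PID that belongs to a thread of a multi-threaded daemon (ps -e folds threads into their thread-group leader) and a PID that exited between the two listings. It assumes a Linux /proc, a procps-style ps that accepts `-e -o pid=`, and POSIX comm, mktemp and awk.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: redo chkproc's "/proc versus ps"
# comparison and then explain each PID that ps does not show, using the
# /proc/<pid>/cmdline trick from the thread plus two checks that separate
# the usual false positives from a process that is really being hidden.
# Assumes a Linux /proc, a procps-style ps, and POSIX comm/mktemp/awk.

# PIDs visible as numeric directories in /proc, sorted for comm(1).
proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done | sort
}

# PIDs that ps reports, sorted the same way (no header, no padding).
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort
}

# PIDs present in /proc but absent from ps output.  chkproc stops here,
# which is why a thread, or a process that exits between the two listings,
# shows up as "hidden".
hidden_pids() {
    a=$(mktemp) && b=$(mktemp) || return 1
    proc_pids > "$a"
    ps_pids > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Describe one PID: gone (scan race), a thread of another process (ps -e
# folds threads into their thread-group leader), or its own command line.
classify_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "$pid: gone (exited during scan)"
        return 0
    fi
    tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    if [ -n "$tgid" ] && [ "$tgid" != "$pid" ]; then
        leader=$(tr '\0' ' ' < "/proc/$tgid/cmdline" 2>/dev/null)
        echo "$pid: thread of $tgid ($leader)"
        return 0
    fi
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    echo "$pid: ${cmd:-[no cmdline: zombie or kernel thread]}"
}

# chkproc -v -v style report: every "hidden" PID with what /proc says it is.
report_hidden() {
    hidden_pids | while read -r pid; do
        classify_pid "$pid"
    done
}

# Stand-alone run: print the report when a usable ps is present.
if command -v ps >/dev/null 2>&1; then
    report_hidden
fi
```

Expect the report to name the script's own helpers (sort, comm, the subshells) as "gone", since they live and die inside the scan; that is the race chkproc is subject to as well. A PID that survives the rescan, is not a thread, and still never appears in ps is the one worth comparing against a known-good ps binary and kernel module list before trusting the box again.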