This is a discussion on Message in chkrootkit. within the Linux Security forums, part of the System Security and Security Related category; Using Mandrake 10.1 on ADSL with GuardDog. I KNOW that I am open to hackers, at least. With my ...
Using Mandrake 10.1 on ADSL with GuardDog. I KNOW that I am open to
hackers, at least. With my computer switched off, I could see the incoming
data light up my ADSL modem. I am looking for a way to reformat everything
yet keep essential data. In the meantime, I am keeping off the Net except
for a few seconds. At least my Windows firewall allows access on a per
program basis.

But I am here to ask about what chkrootkit shows:

    Checking `sniffer'... /proc/5728/fd: No such file or directory

That is the only result that isn't "not infected" or "nothing found". Doing
an ls on /proc/5728, I get:

    ls: cannot read symbolic link cwd: No such file or directory
    ls: cannot read symbolic link root: No such file or directory
    ls: cannot read symbolic link exe: No such file or directory
    attr/ cmdline environ fd/ mem root@ statm task/
    auxv cwd@ exe@ maps mounts stat status wchan

Never really having looked at /proc before, I don't know if the broken links
are significant, but they are all suspicious.

TIA, Doug.
--
ICQ Number 178748389. Registered Linux User No. 277548.
Friends are quiet angels who lift us to our feet when our wings have trouble
remembering how to fly. - Anonymous.

On Fri, 08 Jul 2005 12:36:40 +1000, Doug Laidlaw
<laidlaws@myaccess.com.au> wrote:
> Using Mandrake 10.1 on ADSL with GuardDog. I KNOW that I am open to
> hackers, at least. With my computer switched off, I could see the incoming
> data light up my ADSL modem. I am looking for a way to reformat everything
> yet keep essential data. In the meantime, I am keeping off the Net except
> for a few seconds. At least my Windows firewall allows access on a per
> program basis.
>
> But I am here to ask about what chkrootkit shows:
>
> Checking `sniffer'... /proc/5728/fd: No such file or directory
>
> That is the only result that isn't "not infected" or "nothing found". Doing
> an ls on /proc/5728, I get:
>
> ls: cannot read symbolic link cwd: No such file or directory
> ls: cannot read symbolic link root: No such file or directory
> ls: cannot read symbolic link exe: No such file or directory
> attr/ cmdline environ fd/ mem root@ statm task/
> auxv cwd@ exe@ maps mounts stat status wchan
>
> Never really having looked at /proc before, I don't know if the broken links
> are significant, but they are all suspicious.
>
You didn't do ls -l to see the names of those nonexistent links?

--
Tonight you will pay the wages of sin; Don't forget to leave a tip.

Bill Marcum wrote:
> On Fri, 08 Jul 2005 12:36:40 +1000, Doug Laidlaw
> <laidlaws@myaccess.com.au> wrote:
>> Using Mandrake 10.1 on ADSL with GuardDog. I KNOW that I am open to
>> hackers, at least. With my computer switched off, I could see the
>> incoming
>> data light up my ADSL modem. I am looking for a way to reformat
>> everything
>> yet keep essential data. In the meantime, I am keeping off the Net
>> except
>> for a few seconds. At least my Windows firewall allows access on a per
>> program basis.
>>
>> But I am here to ask about what chkrootkit shows:
>>
>> Checking `sniffer'... /proc/5728/fd: No such file or directory
>>
>> That is the only result that isn't "not infected" or "nothing found".
>> Doing an ls on /proc/5728, I get:
>>
>> ls: cannot read symbolic link cwd: No such file or directory
>> ls: cannot read symbolic link root: No such file or directory
>> ls: cannot read symbolic link exe: No such file or directory
>> attr/ cmdline environ fd/ mem root@ statm task/
>> auxv cwd@ exe@ maps mounts stat status wchan
>>
>> Never really having looked at /proc before, I don't know if the broken
>> links are significant, but they are all suspicious.
>>
> You didn't do ls -l to see the names of those nonexistent links?
>
>
Yes, I did. The other thing, as I noticed later, is that a directory ld/ is
listed there, but chkrootkit says it wasn't. Was it perhaps created in the
meantime?

In the reinstalled system, the directory /proc/5728 doesn't exist. What are
the numbers? Process numbers perhaps? It is my newbie understanding that
everything in /proc represents something of the nature of a process. Top
started a minute or two ago was No. 13800, and the highest number in
"ls /proc" is 13896, so that seems right.

A lot of similar directories have those links and they are valid. Cwd and
root point to "//" where the first slash is blue (a directory) and the second
is gray. exe points to /sbin/init.

I remember seeing those in other directories at the time, but the ones in
5728 went nowhere. I didn't realize the distinction at the time. The first
directory I chose to look at just now wasn't there, but the process may have
gone in the interim.

Doug L.
--
ICQ Number 178748389. Registered Linux User No. 277548.
Black as the devil, hot as hell, Pure as an angel, sweet as love.
-- Talleyrand's recipe for coffee.

Doug Laidlaw wrote:
>
> In the reinstalled system, the directory /proc/5728 doesn't exist. What are
> the numbers? Process numbers perhaps? It is my newbie understanding that
> everything in /proc represents something of the nature of a process. Top
> started a minute or two ago was No. 13800, and the highest number in
> "ls /proc" is 13896, so that seems right.
>
The whole /proc filesystem is a peephole into the kernel internals - all the
files are pseudo-files with the contents handled by code in kernel. The
numeric subdirectories in /proc are process-specific directories with the
process number as name. It is natural that the directories come and go as the
corresponding processes come and go. There's little sense in trying to follow
file alterations in /proc.

HTH

--
Tauno Voipio
tauno voipio (at) iki fi
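The per-process view of /proc that Bill's "ls -l" suggestion and Tauno's explanation describe, as an added shell example that is not part of the thread and is not chkrootkit's own code. It assumes a Linux host with /proc mounted and the coreutils readlink. It walks the numeric /proc entries the way a sniffer check would, resolves the exe/cwd links, and then reproduces the race in which a process exits between the moment its PID directory is listed and the moment its fd/ directory is read, which is exactly the situation that yields a "No such file or directory" message for an otherwise unremarkable PID.

```shell
#!/bin/sh
# Added example (not from the thread, not chkrootkit's code).
# Assumes Linux with /proc mounted; /proc/<pid>/exe, cwd and fd/ are readable
# only by the process owner or root.

# One line per numeric /proc entry: PID, number of open fds, exe target.
# Entries whose fd/ cannot be read (other users' processes when not root,
# kernel threads, or a process that has just exited) show "?".
proc_snapshot() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="(exe unreadable: kernel thread, other user, or exited)"
        if [ -r "$d/fd" ]; then
            n=$(ls "$d/fd" 2>/dev/null | wc -l | tr -d ' ')
        else
            n="?"
        fi
        printf '%s\t%s\t%s\n' "$pid" "$n" "$exe"
    done
}

# Classify one PID directory:
#   gone   - /proc/<pid> no longer exists (process finished and was reaped)
#   live   - exe and cwd links resolve (a normal process we may inspect)
#   opaque - the directory exists but the links cannot be read
proc_state() {
    d="/proc/$1"
    [ -d "$d" ] || { echo gone; return; }
    if readlink "$d/exe" >/dev/null 2>&1 && readlink "$d/cwd" >/dev/null 2>&1; then
        echo live
    else
        echo opaque
    fi
}

# Reproduce the race: start a short-lived child, classify it while it runs,
# wait for it to finish, then classify the same PID again. The second lookup
# fails for the same reason a scanner can report "/proc/<pid>/fd: No such
# file or directory" for a PID that was present a moment earlier.
demo_race() {
    sleep 1 &
    pid=$!
    before=$(proc_state "$pid")
    wait "$pid"
    after=$(proc_state "$pid")
    echo "$before $after"
}

# Stand-alone run: show the snapshot, then the race.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    proc_snapshot
    demo_race
fi
```

Run proc_snapshot as root when you want every process's links resolved; as an ordinary user the "opaque" state is normal for other users' processes and for kernel threads, so an unreadable exe or cwd link on its own is not evidence of anything. A PID that shows up as "gone" on the second look is the case Tauno describes: the directory disappeared because the process did.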