Security Basics mailing list archives
Re: Bug in chkrootkit ?
From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Wed, 30 Jul 2003 19:52:13 +0300
"You have 4 process hidden for ps command" and the hint for a probably installed "LKM Rootkit". So far, so good. "chkproc" with verbose option enabled (-v) says:

[mw@zeus chkrootkit-0.38]# ./chkproc -v
PID 26194: not in ps output
PID 26195: not in ps output
PID 26196: not in ps output
PID 26197: not in ps output
You have 4 process hidden for ps command
Try a better thing: ls -l /proc/$pid/exe - this command will give you the real path of the executable 'name', which can be even '/usr/man/man1/xxx/whatever/named'.

Also you can try ls -l /proc/$pid/fd/ - a list of the file descriptors opened by process $pid.

I had a server cracked and chkrootkit reported 2 hidden processes to me; and they were on my system, hidden from ps and top, but not hidden enough for the absolute path.

I'm not sure, but I believe that if an LKM is clever enough (i.e. very well programmed), it can really 'wipe' a file/process/??? from the system, so it's hard sometimes to diagnose your server.

Alex
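As an added illustration, not code from the thread or from chkrootkit itself, the POSIX shell script below repeats the comparison chkproc performs (PIDs present in /proc versus PIDs listed by ps) and then applies the /proc/$pid/exe and /proc/$pid/fd checks from the reply to each PID ps omits. It goes one step beyond chkproc's single snapshot by re-checking each candidate, which drops the false positives caused by processes starting or exiting between the two listings; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit: repeat the
# chkproc comparison, then look at /proc for every PID that ps omits.

# PIDs known to the kernel: the numeric directories under /proc.
list_proc_pids() {
    for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done
}

# PIDs as the (possibly subverted) ps binary reports them.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# pids_missing_from PROC_LIST PS_LIST: print every PID of the first
# list that is absent from the second (chkproc's "not in ps output").
pids_missing_from() {
    ps_set=" $(printf '%s\n' "$2" | tr '\n' ' ') "
    for p in $1; do
        case "$ps_set" in
            *" $p "*) ;;               # visible to ps, nothing to report
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# describe_pid PID: the checks from the reply above, exe path and open fds.
describe_pid() {
    printf 'PID %s: not in ps output\n' "$1"
    printf '  exe -> %s\n' "$(readlink "/proc/$1/exe" 2>/dev/null || echo '(unreadable)')"
    ls -l "/proc/$1/fd" 2>/dev/null | sed 's/^/  fd: /'
}

main() {
    [ -d /proc/self ] || { echo "no /proc here" >&2; return 1; }
    proc_pids=$(list_proc_pids)
    ps_pids=$(list_ps_pids)
    count=0
    for p in $(pids_missing_from "$proc_pids" "$ps_pids"); do
        # A process that exits or starts between the two snapshots is a
        # false positive: only report PIDs still present and still unlisted.
        [ -d "/proc/$p" ] && ! ps -p "$p" >/dev/null 2>&1 || continue
        describe_pid "$p"
        count=$((count + 1))
    done
    echo "You have $count process hidden for ps command"
}

main "$@"
```

Run it as root so the exe and fd links of every process are readable; an unreadable link on a non-root run is a permission issue, not evidence of hiding.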
Current thread:
- Bug in chkrootkit ? Michael Weber (Jul 30)
- RE: Bug in chkrootkit ? Todd Mitchell - lists (Jul 30)
- Re: Bug in chkrootkit ? Michael Weber (Jul 30)
- RE: Bug in chkrootkit ? Todd Mitchell - lists (Jul 30)
- Re: Bug in chkrootkit ? Michael Weber (Jul 30)
- Re: Bug in chkrootkit ? Alex 'CAVE' Cernat (Jul 30)
- Re: Bug in chkrootkit ? Alex 'CAVE' Cernat (Jul 30)
- Re: Bug in chkrootkit ? Juraj Ziegler (Jul 31)
- Re: Bug in chkrootkit ? Douglas J Hunley (Jul 30)
- Re: Bug in chkrootkit ? shrek-m () gmx de (Jul 30)
- Re: Bug in chkrootkit ? entmoot (Jul 30)
- Re: Bug in chkrootkit ? Tony Meman (Jul 30)
- RE: Bug in chkrootkit ? Todd Mitchell - lists (Jul 30)