Security Basics mailing list archives
Re: False positive of chkrootkit or hacked?
From: John Doe <security.department () tele2 ch>
Date: Fri, 22 Apr 2005 07:47:49 +0200
> Looks like it is really a false positive. chkproc is not 100% accurate for high-usage servers.
>
> Now a request for you :) You said you use tripwire; do you use any log analysis tool? I'm developing a tool called "OSSEC HIDS" (not available yet), which came from OsAudit (www.ossec.net/osaudit/) plus an integrity checker and context-based analysis. Are you interested in helping by sending log samples? I'm trying to gather data from a very wide set of systems to be able to create very accurate rules and have a lot of data to test. If you can send some parts of your /var/log/messages, /var/log/secure or any other log file that you have, it would be great :) If you can send the whole file, it would be much better (if they are bigger, I can provide an sftp server to send them)...
>
> *any log sent will only be used for testing. After that it will be deleted. You can also modify them (changing IP addresses, etc.)
Daniel,

Thanks for your answer. I'll think about that (not enough time at the moment).

All, thanks for the offlist answers and the hints that this was not the appropriate list (sorry for that, I see it now).

joe
> thanks,
>
> --
> Daniel B. Cid, CISSP
> daniel.cid @ ( at ) gmail.com
>
> --- John Doe <security.department () tele2 ch> wrote:
> >
> > Hi all
> >
> > (I think it's not a chkrootkit-specific question... sorry if I see this wrong)
> >
> > This morning I noticed the following warnings of chkrootkit 0.44 in mails sent by cron:
> >
> > at 2005-4-14, 2005-4-15 and 2005-4-17:
> >     You have 5 process hidden for readdir command
> >     You have 5 process hidden for ps command
> >     Warning: Possible LKM Trojan installed
> >
> > and at 2005-4-16:
> >     You have 1 process hidden for ps command
> >     Warning: Possible LKM Trojan installed
> >
> > Months before, as well as until today, no such warnings.
> >
> > == I think - but am not sure, hence my question to this list - these are false positives, and I'd like to know your opinion about that. ==
> >
> > I have the following reasons to think of false positives:
> >
> > [+] http://www.chkrootkit.org/faq/, 6.: "If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious."
> > [++] I run a _static_ kernel (gentoo 2.4.28-hardened-r5)
> > [++] I install patches on a daily basis (with some exceptions when absent) after tests on a local test box, so the system should be up to date
> > [+] no shell/ssh/... access by others
> > [+] It's a server with a small amount of software/services (a)
> >     127.0.0.1:3306 (mysql)
> >     127.0.0.1:110
> >     127.0.0.1:9999 (backend apache)
> >     [ip1]:80 (frontend apache) [3]
> >     127.0.0.1:8082 (backend apache)
> >     127.0.0.1:8083 (backend apache)
> >     [ip1]:53 ("hidden" bind9) [1]
> >     127.0.0.1:53
> >     127.0.0.1:8888 (backend apache)
> >     127.0.0.1:953
> >     [ip1]:25 (postfix, public)
> >     127.0.0.1:25
> >     [ip2]:443
> >     [ip1]:[highport] (ssh2) [2]
> >
> >     [1] accessible only from slave DNSs (by config/firewall)
> >     [2] no IP restrictions, only pubkey auth
> >     [3] serving "only" a mod_perl app (via backend) and static pages; no php, cgi etc.
> >
> > [++] cron restarts, just before running chkrootkit, an apache mod_perl application which takes, when heavily used, several seconds to restart. At the time of the chkrootkit warnings, it was actually heavily used during the day. Additionally, there are 5 apache backend processes started (coinciding with the 5 hidden processes mentioned by chkrootkit)
> >
> > == On the other side: ==
> >
> > [-] tripwire runs, but... *shameonme*
> > [-] all services on a single server, including firewall, due to budget
> >
> > == Any comments on the probability of being hacked (and others, of course) are very appreciated, thanks in advance! ==
> >
> > joe
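The comparison the chkrootkit FAQ describes (list /proc, list ps, report the difference) and the race that turns an apache restart into "5 process hidden" can be reproduced and made less noisy by repeating the scan and only reporting PIDs that stay hidden in every pass. The script below is an added example written for this page; it is not chkrootkit's chkproc and does not claim to reproduce chkproc's exact method. It uses `ps -eo pid --no-headers` and `/proc/sys/kernel/pid_max` as its inputs (both assumptions about the host), adds a `kill(pid, 0)` probe as a third view that filtering the /proc directory listing alone cannot hide from, and filters thread IDs, which answer `kill(0)` but are never listed by readdir(/proc) and would otherwise look hidden. The snapshot data in `CONSTRUCTED_PASSES` is made up to show the false-positive case.

```python
"""Hidden-process check in the style the chkrootkit FAQ describes:
compare the PIDs readdir() shows under /proc with the PIDs ps reports,
then repeat so that processes created or killed between the two listings
(the FAQ's false positive) drop out.  Added example, not chkproc's code."""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible through readdir() on /proc (numeric entries only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by the ps binary (assumes procps-style -eo pid)."""
    out = subprocess.run(["ps", "-eo", "pid", "--no-headers"],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def kill0_pids(limit):
    """PIDs 1..limit that answer kill(pid, 0).  ESRCH means no such
    process; EPERM means it exists but belongs to another user, so it
    counts as present.  A hook that only filters the /proc directory
    listing cannot hide a PID from this probe (an assumption about the
    hiding technique, not a claim about any particular rootkit)."""
    present = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
            present.add(pid)
        except PermissionError:
            present.add(pid)
        except ProcessLookupError:
            pass
    return present


def is_thread(pid):
    """True if pid is a thread of another process: kill(tid, 0) succeeds
    for thread IDs, but readdir(/proc) lists only thread-group leaders,
    so threads would otherwise be reported as hidden processes."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def hidden(proc, ps):
    """Raw signal from one pass: PIDs readdir() saw that ps did not list."""
    return set(proc) - set(ps)


def confirmed_hidden(passes):
    """PIDs hidden in every pass.  A PID hidden in one pass only was a
    process that exited between the /proc listing and the ps run (or
    started in between); a kernel-level hide persists across passes."""
    if not passes:
        return set()
    return set.intersection(*(hidden(proc, ps) for proc, ps in passes))


def live_scan(passes=3, delay=0.5):
    """Take several (proc, ps) snapshots with a pause between them."""
    samples = []
    for i in range(passes):
        samples.append((proc_pids(), ps_pids()))
        if i + 1 < passes:
            time.sleep(delay)
    return confirmed_hidden(samples)


def pid_max():
    """Upper PID bound from the kernel (Linux; falls back to 32768)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768


# Constructed snapshots (not captured from a real host): in pass A a
# short-lived process 501 exited between the /proc listing and ps; in
# pass B a new process 502 started and both views agree on it.
CONSTRUCTED_PASSES = [
    ({1, 2, 500, 501}, {1, 2, 500}),
    ({1, 2, 500, 502}, {1, 2, 500, 502}),
]


def demo_false_positive():
    """Per-pass raw signal and the confirmed set for the constructed data."""
    return [hidden(p, s) for p, s in CONSTRUCTED_PASSES], confirmed_hidden(CONSTRUCTED_PASSES)


if __name__ == "__main__":
    print("hidden from ps in every pass:", sorted(live_scan()) or "none")
    # PIDs that answer kill(0) but are absent from readdir(/proc) are
    # hidden from both views, which the /proc-vs-ps comparison cannot see.
    suspects = {p for p in kill0_pids(pid_max()) - proc_pids() if not is_thread(p)}
    print("answer kill(0) but not listed in /proc:", sorted(suspects) or "none")
```

Running it on a busy box during an apache restart shows why one pass is noisy: the first pass reports the exiting workers, the second pass no longer finds them in /proc, and the intersection is empty. The `kill(0)` sweep is the slow part (one syscall per PID up to `pid_max`, several million on recent kernels) and is only a heuristic: a module that also hooks the signal path would defeat it.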
Current thread:
- False positive of chkrootkit or hacked? John Doe (Apr 20)
- Re: False positive of chkrootkit or hacked? John Doe (Apr 22)