Re: Bug in chkrootkit ?

[entmoot () gmx de]

Hi,

On Wed Jul 30  01:30PM, Michael Weber wrote:
> Hi there,
> When starting "chkrootkit" (v 0.38) i get the Message:
>
> "You have 4 process hidden for ps command" and the hint for a probably
> installed "LKM Rootkit". So far, so good. "chkproc" with verbose option
> enabled (-v) say:
>
> [mw@zeus chkrootkit-0.38]# ./chkproc -v
> PID 26194: not in ps output
> PID 26195: not in ps output
> PID 26196: not in ps output
> PID 26197: not in ps output
> You have 4 process hidden for ps command
>
> That's fine, now we know the PID and can ask...
>
> [mw@zeus chkrootkit-0.38]# ps p 26194
> PID TTY      STAT   TIME COMMAND
> 26194 ?        S      0:00 named -u named
>
> Seems to be the name daemon, that's okay - a little nameserver for the
> local net (and only reachable by the local IP) is running. The 3 other
> deliver the same output.Looks like a bug in "chkrootkit" but - how safe
> can i be that this is really a bug and not a clever LKM? I guess that
> a rootkit will not be named "youhavebeencracked"...

Does a 'ps auxww' also show the named processes? If not, it's possible,
that chkrootkit is right. You also can look with netstat, if 'named'
really just listening on your local network. Also, you can try to
connect to those ports, to get it a bit clearer, what it really is.

greets, andreas


---------------------------------------------------------------------------
----------------------------------------------------------------------------