Security Basics mailing list archives
False positive of chkrootkit or hacked?
From: John Doe <security.department () tele2 ch>
Date: Wed, 20 Apr 2005 10:19:17 +0200
Hi all

(I think it's not a chkrootkit specific question... sorry if I see this wrong)

This morning I noticed the following warnings of chkrootkit 0.44 in mails sent by cron:

at 2005-4-14, 2005-4-15 and 2005-4-17:

    You have 5 process hidden for readdir command
    You have 5 process hidden for ps command
    Warning: Possible LKM Trojan installed

and at 2005-4-16:

    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

Months before as well as until today, no such warnings.

==
I think - but am not sure, thus my question to this list - these are false positives, and I would like to know your opinion about that.
==

I have the following reasons to think of false positives:

[+] http://www.chkrootkit.org/faq/, 6.: "If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious."

[++] I run a _static_ kernel (gentoo 2.4.28-hardened-r5)

[++] I install patches on a daily basis (with some exceptions when absent) after tests on a local test box, so the system should be up to date

[+] no shell/ssh/... access by others

[+] It's a server with a small amount of software/services (a)

    127.0.0.1:3306       (mysql)
    127.0.0.1:110
    127.0.0.1:9999       (backend apache)
    [ip1]:80             (frontend apache) [3]
    127.0.0.1:8082       (backend apache)
    127.0.0.1:8083       (backend apache)
    [ip1]:53             ("hidden" bind9) [1]
    127.0.0.1:53
    127.0.0.1:8888       (backend apache)
    127.0.0.1:953
    [ip1]:25             (postfix, public)
    127.0.0.1:25
    [ip2]:443
    [ip1]:[highport]     (ssh2) [2]

    [1] accessible only from slave DNSs (by config/firewall)
    [2] no ip restrictions, only pubkeyauth
    [3] serving "only" a mod_perl app (via backend) and static pages; no php, cgi etc.

[++] cron restarts, just before running chkrootkit, an apache mod_perl application which takes, when heavily used, several seconds to restart. At the time of the chkrootkit warnings, it was actually heavily used during the day. Additionally, there are 5 apache backend processes started (coincidence with the 5 hidden processes mentioned by chkrootkit)

==
On the other side,

[-] tripwire runs, but... *shameonme*
[-] all services on a single server, including firewall, due to budget
==

Any comments on the probability of being hacked (and others, of course) are very appreciated, thanks in advance!

joe
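The FAQ entry quoted in the post describes a race: chkproc lists /proc and runs ps at slightly different moments, so a process that forks or exits in between shows up in one view and not the other. The added example below (not chkrootkit's code, and not something the poster ran) makes that distinction testable: it repeats the same /proc-versus-ps comparison several times and reports only PIDs that are hidden in every pass. Five backend workers forking during one pass drop out of the intersection; a PID that ps never lists does not. The `ps -e -o pid=` invocation assumes procps on Linux, and `demo_snapshots()` is constructed data modelling the situation in the post, not output captured from the poster's server.

```python
"""Re-check chkproc-style 'hidden process' findings across several passes.

Added example, not part of chkrootkit. chkproc compares PIDs seen by ps with
the numeric directories in /proc; any PID present in one view but not the
other is reported as hidden. Short-lived processes produce the same
difference by timing alone, so this script repeats the comparison and keeps
only PIDs that are hidden on every pass.
"""
import os
import subprocess
import time
from typing import Dict, Iterable, List, Set, Tuple

Snapshot = Tuple[Set[int], Set[int]]  # (PIDs seen in /proc, PIDs seen by ps)


def proc_pids() -> Set[int]:
    """PIDs visible as numeric directory names in /proc (chkproc's readdir view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs reported by procps `ps -e -o pid=` (assumed available; one PID per line)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def take_snapshot() -> Snapshot:
    """One /proc listing followed by one ps run, like a single chkproc pass."""
    return proc_pids(), ps_pids()


def classify(snapshot: Snapshot) -> Dict[str, Set[int]]:
    """Single-pass comparison in chkproc's terms.

    'hidden for ps'      : a /proc directory exists but ps did not list the PID
    'hidden for readdir' : ps listed the PID but no /proc directory was seen
    """
    proc, ps = snapshot
    return {"hidden for ps": proc - ps, "hidden for readdir": ps - proc}


def persistent(snapshots: Iterable[Snapshot]) -> Dict[str, Set[int]]:
    """PIDs that are hidden in *every* snapshot.

    A process that was starting or exiting during one comparison appears in one
    pass and not the next, so it drops out of the intersection. A PID hidden
    from ps on every pass is not explained by the race and needs a manual look.
    """
    result: Dict[str, Set[int]] = {}
    for snap in snapshots:
        for kind, pids in classify(snap).items():
            result[kind] = pids if kind not in result else result[kind] & pids
    return result


def demo_snapshots() -> List[Snapshot]:
    """Constructed data (not captured from a real host) modelling the post.

    Three passes. PIDs 4001-4005 are five backend workers that forked between
    the /proc listing and ps in pass 1 only. PID 777 is a process that /proc
    shows but ps never lists. The ps process itself gets a fresh PID each pass
    (5000, 5001, 5002) and is in ps output but not in the earlier /proc listing.
    """
    base = {1, 2, 300, 301, 302}
    workers = {4001, 4002, 4003, 4004, 4005}
    hidden = {777}
    pass1 = (base | workers | hidden, base | {5000})
    pass2 = (base | workers | hidden, base | workers | {5001})
    pass3 = (base | workers | hidden, base | workers | {5002})
    return [pass1, pass2, pass3]


if __name__ == "__main__":
    import sys
    snaps: List[Snapshot] = []
    for _ in range(5):          # five passes, one second apart
        snaps.append(take_snapshot())
        time.sleep(1)
    findings = persistent(snaps)
    for kind, pids in findings.items():
        print(f"{kind}: {sorted(pids) or 'none'}")
    sys.exit(1 if any(findings.values()) else 0)
```

Run it at the same point in the cron job where chkrootkit fires, or by hand while the mod_perl backends are restarting, and compare with a single pass: on the constructed data one pass reports six hidden PIDs, the intersection reports one. The caveat cuts both ways: like chkproc, this only notices a disagreement between two user-space views, so a kernel-level hide that removes a process from both /proc and ps consistently is not seen by either tool.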
Current thread:
- False positive of chkrootkit or hacked? John Doe (Apr 20)
- Re: False positive of chkrootkit or hacked? John Doe (Apr 22)