Test with Chkrootkit
Norman Nunn
npnunn at swbell.net
Sun Jul 25 19:42:59 UTC 2004
Michael, chkproc produced the same 22 hidden programs that chkrootkit did
before I upgraded to chkrootkit-043.
Norm
On Sun, 2004-07-25 at 10:09, Michael Schwendt wrote:
> On Sun, 25 Jul 2004 12:14:46 -0400, Scot L. Harris wrote:
>
> > On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> > > I got the following indicators:
> > >
> > > ls INFECTED
> > > 22 process hidden for readdir command
> > > 22 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > >
> > > The number of hidden command changes.
> > >
> > > Thanks for your input.
> > >
> >
> > chkrootkit reports 11 hidden processes on my laptop. But that number
> > may vary depending on what you are running.
> >
> > Of more concern is the ls INFECTED output in your partial report.
> > See if you can get a good copy of ls and compare the byte size, md5sum
> > and permissions on it. Below is what my system reports.
> >
> > -rwxr-xr-x 1 root root 80688 May 4 12:26 /bin/ls
> >
> > md5sum /bin/ls
> > d319011a3eb49338fe333753b0cfd7bc /bin/ls
> >
> > You need to track that down asap to figure out what that is.
> >
> > It has been awhile but I ran through the exercise to examine what
> > processes were hidden. I want to say it was the ones in []'s when you
> > do a ps -eaf but I don't know if I remember that correctly.
> >
> > I am sure someone here will set me straight on this. :)
>
> With chkrootkit comes a tool called "chkproc". Run it with option -v
> and examine the listed processes via their hidden directories below
> /proc, e.g.
>
> # cd /usr/lib/chkrootkit-0.43
> # ./chkproc -v
> 4348 is a Linux Thread, marking as such...
> # cd /proc/4348
>
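The readdir-versus-kill comparison that chkproc performs, including the Linux-thread false positive visible in Michael's output, as an added Python example that is not part of this thread or of chkrootkit. It assumes a Linux /proc, and telling a thread apart from a hidden process via the Tgid field of /proc/<pid>/status is an assumption of this example, not something chkproc does.

```python
"""Hidden-process check in the spirit of chkproc: a PID the kernel says is alive
(kill(pid, 0) succeeds or fails with EPERM) but that is absent from a readdir()
of /proc is suspicious, unless it is only a thread of a visible process."""
import os
from typing import Callable, Iterable, List, Optional, Set

def pid_exists(pid: int) -> bool:
    """Probe for existence with signal 0; EPERM still means the PID is in use."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def thread_group_id(pid: int) -> Optional[int]:
    """Tgid from /proc/<pid>/status, or None if the entry cannot be read at all."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None

def classify(listed: Set[int], alive: Iterable[int],
             tgid_of: Callable[[int], Optional[int]]) -> List[int]:
    """PIDs that are alive, missing from the /proc listing and not mere threads."""
    hidden = []
    for pid in alive:
        if pid in listed:
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread: it has no readdir entry but is not hidden
        hidden.append(pid)
    return hidden

def scan(max_pid: Optional[int] = None) -> List[int]:
    """Live check; candidates are re-checked against a fresh listing so that
    processes which started or exited between the two snapshots drop out."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    alive = [p for p in range(1, max_pid + 1) if pid_exists(p)]
    candidates = classify(listed, alive, thread_group_id)
    listed_again = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    return classify(listed_again, [p for p in candidates if pid_exists(p)], thread_group_id)

if __name__ == "__main__":
    for pid in scan():
        print(f"{pid} is alive but hidden from readdir of /proc")
```

A PID reported here still deserves the same follow-up Michael describes: look at its /proc entry directly, since a stray thread group or a short-lived process is far more common than an LKM.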