Yesterday I decided to run chkrootkit, and apart from the "top" and "find" commands being reported infected (which is ok afaik, everyone seems to have the same on any fresh installation), I realised the following was also reported:
A) 5 "nscd" processes were hidden from the readdir and ps commands
B) 1 suseplugger process was hidden from the readdir and ps commands
Ok, I moved those files into a safe place for now, rebooted - and everything went fine until... I ran Yast2! y2base is reported hidden from the readdir and ps commands...
Can someone advise me on this?
Thanks!
- Max -
Sorry, forgot to mention: chkrootkit v. 0.43
On Tuesday 17 August 2004 11:04, Maxim A Belushkin wrote:
Yesterday I decided to run chkrootkit, and apart from the "top" and "find" commands being reported infected (which is ok afaik, everyone seems to have the same on any fresh installation), I realised the following was also reported:
A) 5 "nscd" processes were hidden from the readdir and ps commands
B) 1 suseplugger process was hidden from the readdir and ps commands
Ok, I moved those files into a safe place for now, rebooted - and everything went fine until... I ran Yast2! y2base is reported hidden from the readdir and ps commands...
Can someone advise me on this?
Thanks!
- Max -
Can someone advise me on this?
Uuhhm, don't run stupid software???
Volker
--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.
On 8/17/04 4:14 AM, "Volker Kuhlmann"
Can someone advise me on this?
Uuhhm, don't run stupid software???
Volker
Uuhhm, do you have a better suggestion on how to check for hidden processes in a possibly rooted box? I am sure you have a better answer... I am sure we all would like to know your answer!
On Tue, Aug 17, 2004 at 11:04:09AM +0200, Maxim A Belushkin wrote:
Yesterday I decided to run chkrootkit, and apart from the "top" and "find" commands being reported infected (which is ok afaik, everyone seems to have the same on any fresh installation), I realised the following was also reported:
A) 5 "nscd" processes were hidden from the readdir and ps commands
B) 1 suseplugger process was hidden from the readdir and ps commands
Ok, I moved those files into a safe place for now, rebooted - and everything went fine until... I ran Yast2! y2base is reported hidden from the readdir and ps commands...
Can someone advise me on this?
chkrootkit gets confused by NPTL threads. It will complain about _every_ application spawning threads.
Robert
--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de
Yesterday I decided to run chkrootkit, and apart from the "top" and "find" commands being reported infected (which is ok afaik, everyone seems to have the same on any fresh installation), I realised the following was also reported:
A) 5 "nscd" processes were hidden from the readdir and ps commands
B) 1 suseplugger process was hidden from the readdir and ps commands
Ok, I moved those files into a safe place for now, rebooted - and everything went fine until... I ran Yast2! y2base is reported hidden from the readdir and ps commands...
Can someone advise me on this?
chkrootkit gets confused by NPTL threads. It will complain about _every_ application spawning threads.
Right... We stumbled over this a few weeks ago, getting reports and "severe" concerns. chkrootkit is braindead in more respects: It does the same thing as ps does (getdents(2) on /proc), and interprets the difference to be a kernel backdoor. Not very sane, and could use some improvement. We'll have a chkrootkit package soon.
A colleague of mine has made an article available on the support database using the text I've written. It is available at:
http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html
Robert
Thanks,
Roman.
--
Roman Drahtmüller
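A defender-side version of the check Robert and Roman describe, written for this thread as an added example (it is not chkrootkit's code and not the SUSE package): it probes /proc/<pid> for every pid the way chkrootkit does, compares that with what readdir on /proc lists, and then explains away unlisted pids whose Tgid in /proc/<pid>/status is a listed process, since those are NPTL threads rather than hidden processes. The 65536 pid limit and the Tgid heuristic are assumptions of this example; only pids that remain unexplained deserve a closer look.

```python
import os

def classify_unlisted(listed, probed, tgid_of):
    """Split pids that exist in /proc but are absent from its directory
    listing into NPTL threads (their Tgid is a listed process) and pids
    that nothing explains, which is the only set worth investigating."""
    threads = {}
    unexplained = set()
    for pid in sorted(probed - listed):
        tgid = tgid_of.get(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            threads[pid] = tgid          # a thread of a visible process
        else:
            unexplained.add(pid)         # no benign explanation found
    return threads, unexplained

def read_tgid(pid):
    """Thread group id from /proc/<pid>/status, or None if it vanished."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None

def scan_proc(max_pid=65536):
    """Probe /proc/<pid> directly for every pid up to max_pid (assumed
    limit, as chkrootkit probes) and compare with readdir on /proc."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    probed = {p for p in range(1, max_pid + 1) if os.path.isdir(f"/proc/{p}")}
    tgid_of = {}
    for pid in probed - listed:
        tgid = read_tgid(pid)
        if tgid is not None:         # pids that exited mid-scan are a race,
            tgid_of[pid] = tgid      # not hidden processes: drop them
    alive = listed | set(tgid_of)
    return classify_unlisted(listed, alive, tgid_of)

if __name__ == "__main__":
    threads, unexplained = scan_proc()
    print(f"{len(threads)} unlisted pids are threads of visible processes")
    for pid in sorted(unexplained):
        print(f"pid {pid} exists but is neither listed nor a thread: investigate")
```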
The Tuesday 2004-08-17 at 13:01 +0200, Roman Drahtmueller wrote:
A collegue of mine has made an article available on the support database using the text I've written. It is available at:
http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html
Using links:
Error 404. Diese Seite gibt es nicht
--
Cheers,
Carlos Robinson
Carlos E. R. wrote:
http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html
Using links:
Error 404. Diese Seite gibt es nicht
I swear I saw the link working this afternoon... (but in German only, no English translation available yet :-( ).
cheers,
miguel
On Wed, Aug 18, 2004 at 02:05:54AM +0200, Carlos E. R. wrote:
http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html
Using links:
Error 404. Diese Seite gibt es nicht
It's a typo. "k" was missing.
http://portal.suse.com/sdb/de/2004/08/pohletz_chkroot_infected_progs.html
Regards,
-Kastus
Hi, this is a known bug (bugs) in the 0.43 version. I fixed it and in some days 0.44 is out.
Thanks for your interest in chkrootkit,
./nelson -murilo
On Tue, Aug 17, 2004 at 11:04:09AM +0200, Maxim A Belushkin wrote:
Yesterday I decided to run chkrootkit, and apart from the "top" and "find" commands being reported infected (which is ok afaik, everyone seems to have the same on any fresh installation), I realised the following was also reported:
A) 5 "nscd" processes were hidden from the readdir and ps commands
B) 1 suseplugger process was hidden from the readdir and ps commands
Ok, I moved those files into a safe place for now, rebooted - and everything went fine until... I ran Yast2! y2base is reported hidden from the readdir and ps commands...
Can someone advise me on this?
Thanks!
- Max -
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
participants (9): Carlos E. R., Kastus, Maxim A Belushkin, miguel listas, Nelson Murilo, Robert Schiele, Roman Drahtmueller, Sanz Family, Volker Kuhlmann