Mailinglist Archive: opensuse-es (1800 mails)

Re: [suse-linux-s] apt repository [Fwd: [suse-security] chkroot claims top infected]
  • From: jose maria <letrados@xxxxxxxxxxxx>
  • Date: Mon, 2 Feb 2004 22:36:12 +0100
  • Message-id: <200402022236.14459.letrados@xxxxxxxxxxxx>

On Monday, 2 February 2004 21:37, miguel calero wrote:
> Can someone translate this into plain language? That is, not into
> Spanish, but into non-technical terms. I don't use apt, but I'm really
> curious!
>
* It's a false positive,

----------------------------------------------------------------
I think this is a false positive from chkrootkit. I downloaded the ps
package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed
there is a "/prof" string in ps and top. But this is ok. The string
is inside .text and is executable code. This is:

...
0x8055205:      call   0x8049700                        strtoul()

0x805520a:      mov    0xc(%ebp),%edx
0x805520d:      mov    %eax,0x1b8(%edx)
0x8055213:      mov    %eax,(%edx)

0x8055215:      movl   $0x6f72702f,(%esi)               ; /prof
0x805521b:      movw   $0x2f63,0x4(%esi)

0x8055221:      mov    0x226fc(%ebx),%eax
0x8055227:      add    $0xb,%eax
0x805522a:      mov    %eax,0x4(%esp,1)
0x805522e:      lea    0x6(%esi),%eax
0x8055231:      mov    %eax,(%esp,1)

0x8055234:      call   0x8049780                        strcpy()
...


The code in C is:

        pid = strtoul(ent->d_name, NULL, 10);
        memcpy(path, "/proc/", 6);
        strcpy(path+6, ent->d_name);

and comes from the original ps source. The compiler optimized the memcpy()
into a movl+movw since /pro is 32 bit and the remaining 2 bytes are copied
via movw. This just yields a "/prof" string in .text.


regards,
Sebastian
----------------------------------------------------------------
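Added example, not part of the original message or of the ps or chkrootkit sources: it rebuilds the two store instructions from the listing above and runs a strings-style scan over them, showing that the trailing "f" of "/prof" is the 0x66 operand-size prefix of the movw, while the buffer written at run time is "/proc/". The raw instruction bytes are constructed from the disassembly assuming standard IA-32 encodings, and the helper names are hypothetical.

```python
import struct

BASE = 0x8055215  # address of the movl in the quoted disassembly

# Constructed from the listing, assuming standard IA-32 encodings:
#   movl $imm32,(%esi)     -> C7 06 imm32
#   movw $imm16,0x4(%esi)  -> 66 C7 46 04 imm16   (0x66 = operand-size prefix)
INSNS = [
    ("movl $0x6f72702f,(%esi)", b"\xc7\x06" + struct.pack("<I", 0x6F72702F)),
    ("movw $0x2f63,0x4(%esi)", b"\x66\xc7\x46\x04" + struct.pack("<H", 0x2F63)),
]
CODE = b"".join(raw for _, raw in INSNS)


def printable_runs(data, min_len=4):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    start = None
    for i, b in enumerate(data + b"\x00"):   # sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None


def owner(offset):
    """Return (mnemonic, byte index inside that instruction) for a code offset."""
    pos = 0
    for text, raw in INSNS:
        if offset < pos + len(raw):
            return text, offset - pos
        pos += len(raw)
    raise IndexError(offset)


def written_string():
    """What the two stores place in the buffer at run time (imm32 + imm16)."""
    return (INSNS[0][1][-4:] + INSNS[1][1][-2:]).decode("ascii")


if __name__ == "__main__":
    for off, text in printable_runs(CODE):
        print(f"{BASE + off:#x}: {text!r}")
        for k, ch in enumerate(text):
            insn, idx = owner(off + k)
            print(f"   {ch!r} = byte {idx} of {insn}")
    print("buffer after both stores:", written_string())
```
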