SuSE 9.0

Just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the results

Checking `top'... INFECTED

and

Checking `lkm'... You have 5 process hidden for ps command

I found these commands were in an rpm updated w/ synaptic recently, ps_2003.11.17-18_i586.rpm. The file can be found at ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people

I renamed top, re-installed the rpm but chkroot still shows the same result. top's size is 81.5kb and has a modified date of 2004-01-20

# top -h
top: procps version 3.1.14

Is this an issue or is chkroot being fooled by the newer version? I'm also curious about the "Checking `lkm'... You have 5 process hidden for ps command" result. What's up with that?

Thanks for your ideas
--
dh
On Saturday 31 January 2004 1:31 pm, David Herman wrote:
SuSE 9.0 Just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the results
Checking `top'... INFECTED
and
Checking `lkm'... You have 5 process hidden for ps command
It's worth noting that chkrootkit does not appear to be part of the SuSE 9.0 distribution.

Paul Abrahams
* David Herman; <mesamoo115@comcast.net> on 31 Jan, 2004 wrote:
SuSE 9.0 Just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the results
Checking `top'... INFECTED
and
Checking `lkm'... You have 5 process hidden for ps command
Disconnect the machine from the internet NOW.
Make a backup of your data files (no executables nor libraries).
Make a fresh install.
Update all the packages using YOU.
Is this an issue or is chkroot being fooled by the newer version? I'm also curious about the "Checking `lkm'... You have 5 process hidden for ps command" result. What's up with that?
You have been r00ted :-(

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
* Togan Muftuoglu; <toganm@dinamizm.com> on 31 Jan, 2004 wrote:
Disconnect the machine from the internet NOW.
Make a backup of your data files (no executables nor libraries).
Make a fresh install.
Update all the packages using YOU.
Is this an issue or is chkroot being fooled by the newer version? I'm also curious about the "Checking `lkm'... You have 5 process hidden for ps command" result. What's up with that?
You have been r00ted :-(
Actually it would be a better idea to give a reference point so learning also takes place: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
On Saturday 31 January 2004 11:59 am, Togan Muftuoglu wrote:
* Togan Muftuoglu; <toganm@dinamizm.com> on 31 Jan, 2004 wrote:
Disconnect the machine from the internet NOW.
Make a backup of your data files (no executables nor libraries).
Make a fresh install.
Update all the packages using YOU.
Is this an issue or is chkroot being fooled by the newer version? I'm also curious about the "Checking `lkm'... You have 5 process hidden for ps command" result. What's up with that?
You have been r00ted :-(
Actually it would be a better idea to give a reference point so learning also takes place
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Thanks for the link, I'll start reading. I'm curious though if checkroot couldn't be confused by a newer version of a command. As for the "5 process hidden for ps", is there a way for me to find out what these processes are?

As further investigation I installed the previous rpm (ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again, this time no errors were reported. Then reinstalled the rpm from the apt repository and the errors appear again. I know this doesn't mean that I haven't been rooted, but it really points a finger at the ps_2003.11.17-18_i586.rpm from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people (the apt archive). If so, anyone using apt for their upgrades should be concerned about this.

I'd appreciate it if anyone else who has installed that rpm could confirm my findings. I eagerly await your replies :-)

--
dh
Don't shop at GoogleGear.com!
Sorry to keep replying to my own posts but I fear others may have lost interest. Here's another update.

On Saturday 31 January 2004 03:52 pm, David Herman wrote:
> ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
> results
> Checking `top'... INFECTED
> and
> Checking `lkm'... You have 5 process hidden for ps command
---------------snip---------------
> I'm curious if checkroot couldn't be confused by a newer
> version of a command. As for the "5 process hidden for ps", is there
> a way for me to find out what these processes are?
>
> As further investigation I installed the previous rpm
> (ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again,
> this time no errors were reported. Then reinstalled the rpm from the
> apt repository and the errors appear again.

Continuing my investigation I booted up my test machine w/ SuSE 9.0, ran checkrootkit and it showed all clean. Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else, then I ran chkroot again and the errors are there.

Once again, the rpm leading to the error was downloaded w/ synaptic and can be found at ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people/ps_2003.11.17-18_i586.rpm and checkrootkit is available at http://www.chkrootkit.org/ ; the version (chkrootkit 0.43) is dated Sat Dec 27 2003.

If it's not a mistake on the part of checkrootkit (which I suspect it may be) then I would suggest that anyone who has performed that update take the appropriate steps.

Yes I'm hoping not to do a re-install, I just finished setting this system up from a fresh ftp install less than 2 weeks ago, and it required a lot of re-configuration. I really don't want to go through that again if I don't have to. I eagerly await your responses.
--
dh
On Sunday 01 February 2004 06.25, David Herman wrote:
Continuing my investigation I booted up my test machine w/ SuSE 9.0 ran checkrootkit and it showed all clean. Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else then I ran chkroot again and the errors are there.
chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected. I wonder what other niceties are in the binaries in the apt repo
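Anders' point above is that chkrootkit's `top` test is a string-signature match: it fires because the bytes `/prof` are in the binary, and it cannot tell why they are there. The following is an added example, not chkrootkit's or procps' code, that shows that check beside the stronger check the thread moves toward, namely comparing the installed binary with a build you trust (such as a rebuild from the src.rpm). The two fake ELF blobs, the digest table and the function names are constructed for the example; only the marker string `/prof` comes from the thread.

```python
"""
Two signals for "is this binary what the package says it is":

1. chkrootkit-style detection: scan the file for a marker string.
2. Integrity: compare the file's digest with one recorded for a trusted build.

Added example, not chkrootkit's or procps' code.  The ELF blobs and the
trusted-digest table are constructed; only the marker "/prof" is from the thread.
"""
import hashlib

# Marker strings a chkrootkit-style scanner looks for.  Only "/prof" comes from
# the thread; a list is used so the scanner handles several markers at once.
MARKERS = [b"/prof"]

# Constructed stand-ins for /usr/bin/top.  A real ELF file starts with
# 0x7f 'E' 'L' 'F'; the rest here is filler plus the strings that matter.
CLEAN_TOP = b"\x7fELF" + b"\x00" * 12 + b"/proc/%d/stat\x00procps version 3.1.14\x00"
SUSPECT_TOP = CLEAN_TOP + b"\x00/prof\x00"


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 of a file image."""
    return hashlib.sha256(blob).hexdigest()


# Constructed "trusted" table: digest -> provenance.  On a real system this
# would be fed from the rpm database (rpm -V) or from a rebuild of the src.rpm.
TRUSTED_DIGESTS = {
    sha256_hex(CLEAN_TOP): "procps-3.1.14 rebuilt from src.rpm (constructed entry)",
}


def find_markers(blob: bytes, markers=MARKERS) -> dict:
    """Return {marker: [offsets]} for each marker that occurs in blob.

    This is everything a string-signature check knows: that certain bytes are
    present.  It cannot distinguish a rootkit's marker from a harmless string,
    which is why a hit is a prompt to verify, not a verdict.
    """
    hits = {}
    for marker in markers:
        offsets, start = [], 0
        while (pos := blob.find(marker, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[marker.decode()] = offsets
    return hits


def assess(blob: bytes, trusted=TRUSTED_DIGESTS) -> str:
    """Combine the marker scan with the integrity check and name the outcome."""
    known_good = sha256_hex(blob) in trusted
    marker_hit = bool(find_markers(blob))
    if marker_hit and known_good:
        return "false-positive"   # marker present in a build we already trust
    if marker_hit:
        return "suspect"          # marker present, provenance unknown: rebuild and compare
    if known_good:
        return "clean-verified"
    return "unverified"           # no marker, but nothing vouches for the file either
```

The verdict that matters in the thread is `suspect`: the string is there and nothing yet vouches for the binary, so the next step is to rebuild the package from its src.rpm and compare, rather than to trust either the scanner or the repository on its own.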
On Sunday 1 February 2004 07:10, Anders Johansson wrote:
On Sunday 01 February 2004 06.25, David Herman wrote:
Continuing my investigation I booted up my test machine w/ SuSE 9.0 ran checkrootkit and it showed all clean. Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else then I ran chkroot again and the errors are there.
chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected. I wonder what other niceties are in the binaries in the apt repo
chkrootkit :)

so you can; apt -y install chkrootkit

--
Richard Bos
Without a home the journey is endless
On Sunday 01 February 2004 20.25, Richard Bos wrote:
On Sunday 1 February 2004 07:10, Anders Johansson wrote:
On Sunday 01 February 2004 06.25, David Herman wrote:
Continuing my investigation I booted up my test machine w/ SuSE 9.0 ran checkrootkit and it showed all clean. Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else then I ran chkroot again and the errors are there.
chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected. I wonder what other niceties are in the binaries in the apt repo
chkrootkit :)
so you can; apt -y install chkrootkit
:) yeah, but do you really want to install that from the same source as the packages you suspect are infected?
On Sunday 1 February 2004 20:37, Anders Johansson wrote:
chkrootkit :)
so you can; apt -y install chkrootkit
:)
yeah, but do you really want to install that from the same source as the packages you suspect are infected?
Are they from the same source? The apt repository is nothing more than gluing several spread out directories into one location. As you probably already have seen, the gluing is done using links. The chkrootkit rpm comes from me, and as you already pointed out the ps-20031117 rpm comes from kraxel. This to me seems different sources. I run chkrootkit on my box and no infections found.

--
Richard Bos
Without a home the journey is endless
On Sunday 01 February 2004 21.03, Richard Bos wrote:
Are they from the same source? The apt repository is nothing more than gluing several spread out directories into one location. As you probably already have seen, the gluing is done using links. The chkrootkit rpm comes from me, and as you already pointed out the ps-20031117 rpm comes from kraxel. This to me seems different sources. I run chkrootkit on my box and no infections found.
OK, I didn't check where chkrootkit came from, sorry. The suspicious ps package is identical on suse.com and on gwdg.de, so it seems that if something has been compromised it's on suse.com. My first reaction was to call for the packages to be signed, even if they were in /pub/people, so we can be sure the mirrors aren't compromised (still a good idea), but if the original source is bad even that won't help
On Sat, 31 Jan 2004, David Herman wrote:
> Sorry to keep replying to my own posts but I fear others may have lost
> interest. Here's another update
>
> On Saturday 31 January 2004 03:52 pm, David Herman wrote:
> > ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
> > results
> > Checking `top'... INFECTED
> > and
> > Checking `lkm'... You have 5 process hidden for ps command
> ---------------snip---------------

You should definitely follow Gar's suggestion and post this on the suse-security list as that may trigger a much more rapid response from the people who would be most concerned with the potential problem.

Best regards,
Alex.
On Sunday 01 February 2004 08:26 am, Alex Angerhofer wrote:
On Sat, 31 Jan 2004, David Herman wrote:
Sorry to keep replying to my own posts but I fear others may have lost interest. Here's another update
On Saturday 31 January 2004 03:52 pm, David Herman wrote:
ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the results
Checking `top'... INFECTED
and
Checking `lkm'... You have 5 process hidden for ps command
---------------snip---------------
You should definitely follow Gar's suggestion and post this on the suse-security list as that may trigger a much more rapid response from the people who would be most concerned with the potential problem.
I was going to but I've got to get out the door and I haven't received a confirmation from the security list yet (just signed up). I'd appreciate it if someone who is on that list could make a mention of this issue. If not I'll do so this afternoon. Thanks

--
dh
* David Herman; <mesamoo115@comcast.net> on 01 Feb, 2004 wrote:
I was going to but I've got to get out the door and I haven't received a confirmation from the security list yet (just signed up). I'd appreciate it if someone who is on that list could make a mention of this issue. If not I'll do so this afternoon. Thanks
Just make sure that machine is not connected to any NETWORK (local or internet) until you can prove chkrootkit is mistaken (I doubt it). You may have other problems if the machine stays connected to the NET.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
If anyone is looking for it, checkrootkit is available at http://www.chkrootkit.org/ I am using version chkrootkit 0.43

see ya
--
dh
Hi,
Is this an issue or is chkroot being fooled by the newer version? I'm also curious about the "Checking `lkm'... You have 5 process hidden for ps command" result. What's up with that?
I don't know what chkrootkit has with top, but ps is broken, I think. Observe:

# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
PID 7: not in ps output
CWD 7: /
EXE 7: /
PID 8: not in ps output
CWD 8: /
EXE 8: /
You have 5 process hidden for ps command

And now ps ax (not the whole thing):

# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [5]
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:02 [kswapd]
    0 ?        SW     0:00 [bdflush]
    0 ?        SW     0:00 [kupdated]
    0 ?        SW     0:00 [kinoded]
    9 ?        SW     0:00 [mdrecoveryd]
   17 ?        SW<    0:00 [lvm-mpd]
   25 ?        SW     0:01 [kjournald]

ps gives a pid of 0 for 5 processes. So that ps version has a bug.

BB,
Arjen
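Arjen's listing shows how the "hidden process" warning arose: chkproc compares the PIDs visible under /proc with the PIDs in `ps` output and reports every PID that is missing from the latter, and the buggy ps printed PID 0 for five kernel threads. The following is an added example that is not chkrootkit's chkproc: it re-implements that comparison on constructed data modelled on the listings in this thread, and adds a diagnosis step of my own that separates "ps printed an impossible PID" (the kernel never exposes /proc/0) from "a PID is genuinely absent from ps output". The PID sets, the three `ps ax` listings and the function names are constructed for the example.

```python
"""
chkproc-style hidden-process check, plus a diagnosis that tells a mislabelling
ps bug apart from a genuinely missing process.

Added example, not chkrootkit's code.  All data below is constructed after the
listings in the thread.
"""
import os

# Constructed: the PIDs /proc exposed on the box in the thread.
PROC_PIDS = {1, 2, 3, 4, 5, 6, 7, 8, 9, 17, 25}

# Constructed: `ps ax` from the buggy procps build, which printed PID 0 for
# five kernel threads (the listing Arjen posted).
BUGGY_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [5]
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:02 [kswapd]
    0 ?        SW     0:00 [bdflush]
    0 ?        SW     0:00 [kupdated]
    0 ?        SW     0:00 [kinoded]
    9 ?        SW     0:00 [mdrecoveryd]
   17 ?        SW<    0:00 [lvm-mpd]
   25 ?        SW     0:01 [kjournald]
"""

# Constructed: the same listing as a correct ps would print it.
CORRECT_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [5]
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    4 ?        SWN    0:00 [ksoftirqd_CPU0]
    5 ?        SW     0:02 [kswapd]
    6 ?        SW     0:00 [bdflush]
    7 ?        SW     0:00 [kupdated]
    8 ?        SW     0:00 [kinoded]
    9 ?        SW     0:00 [mdrecoveryd]
   17 ?        SW<    0:00 [lvm-mpd]
   25 ?        SW     0:01 [kjournald]
"""

# Constructed: a correct ps whose output simply lacks one process (PID 25),
# which is what a process-hiding rootkit would produce.
HIDDEN_PS = "\n".join(l for l in CORRECT_PS.splitlines() if "[kjournald]" not in l) + "\n"


def parse_ps_rows(ps_text):
    """Return [(pid, command), ...] from `ps ax` output, skipping the header."""
    rows = []
    for line in ps_text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            rows.append((int(fields[0]), " ".join(fields[4:])))
    return rows


def diagnose(proc_pids, ps_text):
    """Return (verdict, hidden_pids).

    "clean"  : every /proc PID appears in ps output.
    "ps-bug" : PIDs are missing, but ps printed exactly that many rows with
               PID 0 and its row count matches /proc.  /proc never contains
               a directory 0, so those rows are mislabelled, not hidden.
    "hidden" : PIDs are missing and the rows do not account for them; treat
               as a possible rootkit and confirm with an independent tool.
    """
    rows = parse_ps_rows(ps_text)
    listed = {pid for pid, _ in rows}
    hidden = sorted(proc_pids - listed)          # chkproc's own test
    if not hidden:
        return "clean", hidden
    zero_rows = sum(1 for pid, _ in rows if pid == 0)
    if zero_rows == len(hidden) and len(rows) == len(proc_pids):
        return "ps-bug", hidden
    return "hidden", hidden


def live_proc_pids():
    """PIDs currently visible under /proc on a Linux host (not used by the constructed cases)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}
```

On the thread's data `diagnose` returns `("ps-bug", [4, 5, 6, 7, 8])`, which is exactly the five PIDs chkproc listed as "not in ps output"; the same comparison against a listing that merely omits a process returns `("hidden", [25])`, the case that does warrant the disconnect-and-reinstall advice given earlier in the thread.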
participants (7)
- Alex Angerhofer
- Anders Johansson
- Arjen Runsink
- David Herman
- Paul W. Abrahams
- Richard Bos
- Togan Muftuoglu