Re: [suse-security] chkroot claims top infected (fwd)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

JFYI, for those of you who are not on suse-security... Seems like it was (fortunately) a false alarm. But still, I too would appreciate it if the packages in the "people" directory were signed at least with the developer's key.

Bye,
LenZ
- --
- ------------------------------------------------------------------
Lenz Grimmer <lenz@grimmer.com> -o)
[ICQ: 160767607 | Jabber: LenZGr@jabber.org] /\\
http://www.lenzg.org/ V_V

- ---------- Forwarded message ----------
Date: Mon, 2 Feb 2004 12:42:36 +0100 (CET)
From: Sebastian Krahmer <krahmer@suse.de>
To: dh <mesamoo@comcast.net>
Cc: suse-security@suse.com
Subject: Re: [suse-security] chkroot claims top infected

On Sun, 1 Feb 2004, dh wrote:

Hi,

I think this is a false positive from chkrootkit. I downloaded the ps package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed there is a "/prof" string in ps and top. But this is ok. The string is inside .text and is executable code. This is:

  ...
  0x8055205: call 0x8049700 strtoul()
  0x805520a: mov 0xc(%ebp),%edx
  0x805520d: mov %eax,0x1b8(%edx)
  0x8055213: mov %eax,(%edx)
  0x8055215: movl $0x6f72702f,(%esi) ; /prof
  0x805521b: movw $0x2f63,0x4(%esi)
  0x8055221: mov 0x226fc(%ebx),%eax
  0x8055227: add $0xb,%eax
  0x805522a: mov %eax,0x4(%esp,1)
  0x805522e: lea 0x6(%esi),%eax
  0x8055231: mov %eax,(%esp,1)
  0x8055234: call 0x8049780 strcpy()
  ...

The code in C is:

  pid = strtoul(ent->d_name, NULL, 10);
  memcpy(path, "/proc/", 6);
  strcpy(path+6, ent->d_name);

and comes from the original ps source. The compiler optimized the memcpy() into a movl+movw since "/pro" is 32 bit and the remaining 2 bytes are copied via movw. This just yields the "/prof" string in .text.

regards,
Sebastian
I brought up this issue on the SuSE English List (SLE) and it was suggested that I should pass my information along to this list.
What follows is a cut and paste of the thread from SLE...
I just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the results:

  Checking `top'... INFECTED

and

  Checking `lkm'... You have 5 process hidden for ps command
I found these commands were in an rpm updated w/ synaptic recently, ps_2003.11.17-18_i586.rpm. The file can be found at ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people
top's size is 81.5kb and has a modified date of 2004-01-20

  # top -h
  top: procps version 3.1.14
As further investigation, I installed the previous rpm (ps-2003.9.20-6.i586.rpm) from SuSE and then ran chkroot again; this time no errors were reported. Then I reinstalled the rpm from the apt repository and the errors appeared again.
I know this doesn't mean that I haven't been rooted, but it really points a finger at the ps_2003.11.17-18_i586.rpm from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people (the apt archive). If so, anyone using apt for their upgrades should be concerned about this.
Continuing my investigation, I booted up my test machine w/ SuSE 9.0, ran chkrootkit and it showed all clean. Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else; then I ran chkroot again and the errors are there.
Anders Johansson wrote (from 3 separate messages):
chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected. I wonder what other niceties are in the binaries in the apt repo.
The suspicious ps package is identical on suse.com and on gwdg.de, so it seems that if something has been compromised it's on suse.com. The problem is in the "top" in the ps package from /pub/people/kraxel. The top binary in that contains the string "/prof", which chkrootkit detects as a sign of an infected binary.
That string isn't in the src.rpm from kraxel's directory, and if you rebuild the rpm from that src.rpm you also won't see that string.
And finally a long quote from Ivan Sergio Borgonovo :
I've done all these things:

- Installed ps through apt
- Installed ps from DVD
- Compiled and installed ps from ftp.suse.com
- Installed chkrootkit from source
- Installed chkrootkit from apt
and the result ranged from no infected packages and no modules loaded, to top and/or ps infected and hidden modules etc...
I doubt that just substituting 2 binaries I can "unload" trojan modules.
I took a look at the sources of chkrootkit and discovered which binary was checking for "hidden" modules. I discovered it has an option -v and got this output:
  stige:~ # chkproc -v
  PID 3: not in ps output
  PID 4: not in ps output
  PID 5: not in ps output
  PID 6: not in ps output
  You have 4 process hidden for ps command
then I did...
  // edited to fit in email
  stige:~ # ps aux
  USER  PID  VSZ  RSS  TTY  STAT  START  TIME  COMMAND
  root    1  620  256  ?    S     22:00  0:04  init [3]
  root    2    0    0  ?    SW    22:00  0:00  [keventd]
  root    0    0    0  ?    SWN   22:00  0:00  [ksoftirqd_CPU0]
  root    0    0    0  ?    SW    22:00  0:00  [kswapd]
  root    0    0    0  ?    SW    22:00  0:00  [bdflush]
  root    0    0    0  ?    SW    22:00  0:00  [kupdated]
  root    8    0    0  ?    SW    22:00  0:00  [khubd]
  root    9    0    0  ?    SW<   22:00  0:00  [mdrecoveryd]
Curiously enough, /proc/3 is actually ksoftirqd_CPU0, /proc/4 is kswapd ... bdflush, kupdated
out of panic mode: reasonable???
So there you have it. I would love to post back to the SLE and apt4SuSE lists that this is a non-issue but if there really is a problem then I am sure that the great minds on this list will be able to help.
Thanks for your time, and I do apologize if I've broken any etiquette; I just don't have time to read the whole FAQ or search the archives right now.
-- dh
- --
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
- --
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFAHlZ5SVDhKrJykfIRAoGoAJ9kLWJ/8pHN4S4k2iZPxQFeI3QXIwCeLBW2
S+AysSlIRdwbrpyG1V+ymoQ=
=88yp
-----END PGP SIGNATURE-----
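The bytes behind the "/prof" false positive, as an added example that is not part of the thread and not code from chkrootkit or procps: the two stores gcc emitted for memcpy(path, "/proc/", 6) are encoded as C7 06 imm32 and 66 C7 46 04 imm16. The 0x66 operand-size prefix that makes the second store 16 bits wide is also ASCII 'f', so the four literal bytes "/pro" of the first immediate are followed by an 'f' in .text, while the string the code actually writes is "/proc/". The machine-code bytes below are hand-assembled from the disassembly quoted above (standard IA-32 encodings, not bytes copied out of the shipped top binary). A chkrootkit-style substring scan is run over them, then a minimal decoder for just these two instruction forms executes the stores to recover what the code writes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: IA-32 encodings of the two stores in the disassembly
 * above (hand-assembled, not bytes taken from the shipped top binary):
 *   C7 06 2f 70 72 6f      movl $0x6f72702f,(%esi)   ; imm32 = "/pro"
 *   66 C7 46 04 63 2f      movw $0x2f63,0x4(%esi)    ; imm16 = "c/"
 * 0x66 is the operand-size override prefix that makes the second store
 * 16 bits wide, and 0x66 is also ASCII 'f'. */
const unsigned char text_bytes[] = {
    0xC7, 0x06, 0x2f, 0x70, 0x72, 0x6f,
    0x66, 0xC7, 0x46, 0x04, 0x63, 0x2f,
};

/* What chkrootkit's check amounts to: a plain substring search for a
 * signature string over the file. Returns the offset of the first match
 * or -1 if the signature does not occur. */
int signature_offset(const unsigned char *buf, size_t len, const char *sig)
{
    size_t n = strlen(sig);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, sig, n) == 0)
            return (int)i;
    return -1;
}

/* Minimal decoder for the only two instruction forms used here:
 *   [66] C7 /0 imm    mov imm32/imm16 -> [esi] or [esi+disp8]
 * Executes the store into 'mem' as if %esi pointed at mem[0] and returns
 * the number of code bytes consumed, or 0 if the bytes are not such a store. */
size_t emulate_store(const unsigned char *code, size_t len, unsigned char *mem)
{
    size_t i = 0, width = 4, disp = 0;
    if (i < len && code[i] == 0x66) { width = 2; i++; }  /* operand-size prefix */
    if (i + 1 >= len || code[i] != 0xC7) return 0;       /* opcode: mov r/m, imm */
    unsigned char modrm = code[i + 1];
    i += 2;
    if ((modrm & 0x38) != 0) return 0;                   /* reg field must be /0 */
    if ((modrm & 0xC7) == 0x06) {                        /* mod=00 rm=110: [esi] */
        disp = 0;
    } else if ((modrm & 0xC7) == 0x46) {                 /* mod=01 rm=110: [esi+disp8] */
        if (i >= len) return 0;
        disp = code[i++];
    } else {
        return 0;
    }
    if (i + width > len) return 0;
    /* The immediate sits in the instruction stream little-endian, which is
     * exactly the byte order the CPU writes to memory. */
    memcpy(mem + disp, code + i, width);
    return i + width;
}

/* Run the sample code through the decoder; 'out' receives the string the
 * code builds. Returns 0 on success, -1 if an unexpected instruction is hit. */
int build_path_from_code(char out[8])
{
    unsigned char mem[8] = {0};
    size_t off = 0, n;
    while (off < sizeof text_bytes &&
           (n = emulate_store(text_bytes + off, sizeof text_bytes - off, mem)) > 0)
        off += n;
    if (off != sizeof text_bytes)
        return -1;
    memcpy(out, mem, 7);                                 /* "/proc/" plus NUL */
    out[7] = '\0';
    return 0;
}

int main(void)
{
    char path[8];
    printf("\"/prof\" found at .text offset %d\n",
           signature_offset(text_bytes, sizeof text_bytes, "/prof"));
    printf("\"/proc/\" found at .text offset %d\n",
           signature_offset(text_bytes, sizeof text_bytes, "/proc/"));
    if (build_path_from_code(path) == 0)
        printf("string the code actually writes: \"%s\"\n", path);
    return 0;
}
```

The scan finds "/prof" at offset 2 (the imm32 plus the prefix of the next instruction) and never finds "/proc/", because that string only exists once the two stores have run. Any signature check that treats a whole ELF file as text will keep producing matches like this one; a match inside a section that is executable, as Sebastian checked, needs to be read as code before it is called an infection.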
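The second alarm in the thread, "You have 4 process hidden for ps command", comes from chkrootkit's chkproc, which, as its -v output quoted above shows, checks each PID it finds on the system against what ps reports. The following added example is not chkrootkit's code and does not reproduce its real ps parser; it replays that comparison over the ps output quoted above and a constructed list of /proc entries, so that the four kernel threads this ps prints with PID 0 come out as "hidden" although nothing is hiding them.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample, transcribed from the ps output quoted above: the
 * 2.4-era kernel threads ksoftirqd_CPU0, kswapd, bdflush and kupdated are
 * all reported with PID 0 by this ps. */
const char *ps_sample[] = {
    "USER PID VSZ RSS TTY STAT START TIME COMMAND",
    "root 1 620 256 ? S 22:00 0:04 init [3]",
    "root 2 0 0 ? SW 22:00 0:00 [keventd]",
    "root 0 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]",
    "root 0 0 0 ? SW 22:00 0:00 [kswapd]",
    "root 0 0 0 ? SW 22:00 0:00 [bdflush]",
    "root 0 0 0 ? SW 22:00 0:00 [kupdated]",
    "root 8 0 0 ? SW 22:00 0:00 [khubd]",
    "root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]",
};
const size_t ps_sample_len = sizeof ps_sample / sizeof ps_sample[0];

/* Constructed sample: the numeric directory names under /proc on the same
 * box (assumed, matching the PIDs chkproc complained about). */
const int proc_sample[] = {1, 2, 3, 4, 5, 6, 8, 9};
const size_t proc_sample_len = sizeof proc_sample / sizeof proc_sample[0];

/* Parse the PID column (second field) of one ps line.
 * Returns -1 for the header line or anything that is not "user pid ...". */
int ps_line_pid(const char *line)
{
    char user[64];
    int pid;
    if (sscanf(line, "%63s %d", user, &pid) != 2)
        return -1;
    return pid;
}

/* chkproc-style comparison: every PID present in /proc that no ps line
 * claims is reported as hidden. Writes up to 'max' such PIDs into 'hidden'
 * and returns how many there were in total. */
size_t find_hidden_pids(const char **ps_lines, size_t nlines,
                        const int *proc_pids, size_t npids,
                        int *hidden, size_t max)
{
    size_t count = 0;
    for (size_t p = 0; p < npids; p++) {
        int seen = 0;
        for (size_t l = 0; l < nlines && !seen; l++)
            if (ps_line_pid(ps_lines[l]) == proc_pids[p])
                seen = 1;
        if (!seen) {
            if (count < max)
                hidden[count] = proc_pids[p];
            count++;
        }
    }
    return count;
}

int main(void)
{
    int hidden[16];
    size_t n = find_hidden_pids(ps_sample, ps_sample_len,
                                proc_sample, proc_sample_len,
                                hidden, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("PID %d: not in ps output\n", hidden[i]);
    printf("You have %zu process hidden for ps command\n", n);
    return 0;
}
```

PIDs 3, 4, 5 and 6 are flagged, which are exactly the entries Ivan found to be ksoftirqd_CPU0, kswapd, bdflush and kupdated: the comparison is only as trustworthy as the PID column of the ps binary it runs, so a ps that prints 0 for kernel threads produces the "hidden process" report without any rootkit involved.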