Anders Johansson <andjoh@rydsbo.net> wrote:
On Sunday 01 February 2004 06.25, David Herman wrote:
Continuing my investigation, I booted up my test machine with SuSE 9.0, ran chkrootkit and it showed all clean.
Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else; then I ran chkrootkit again and the errors are there.
chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected.
I wonder what other niceties are in the binaries in the apt repo
David, compared to you and Anders, I am just a lost babe in the woods, but given what you have done and Togan's comment 3 emails back: http://lists.suse.com/archive/suse-linux-e/2004-Jan/4610.html I am surprised that you have not posted this on the suse-security mailing list: http://www.suse.com/us/private/support/online_help/mailinglists/index.html Or maybe you have and I just missed it.
Friendly greetings,
Gar
On Saturday 31 January 2004 11:14 pm, GarUlbricht7@netscape.net wrote:
I am surprised that you have not posted this on the suse-security mailing list: http://www.suse.com/us/private/support/online_help/mailinglists/index.html
Or maybe you have and I just missed it.
----------snip--------
Actually I wasn't on that list until just now, I'll post there shortly unless someone beats me to it. I was really hoping that chkrootkit was giving a false positive. I did fill out the webform at feedback.suse but who knows how long that will take.
see ya
-- dh
Don't shop at GoogleGear.com!
Hi,
On Sunday, 1 February 2004 18:49, David Herman wrote:
I was really hoping that chkrootkit was giving a false positive. I did fill out the webform at feedback.suse but who knows how long that will take.
You won't get a reply (other than the automatic one). The feedback form is by no means a support interface: http://portal.suse.com/sdb/en/2001/10/bugreport.html
BTW: you might want to check what rpm thinks about your top binary:
rpm -Vf $(which top)
Of course: *if* your system is rooted, then you can't trust the output of rpm on that system either. But *if* rpm reports a changed MD5 checksum on the top binary (see "man rpm" for how to interpret the output of "rpm -V ..."), then you know you're done.
I use chkrootkit-0.43 and get no alarm on my SUSE 9.0. "rpm -Vf $(which top)" reports nothing here:
linux:~ # /usr/local/src/chkrootkit-0.43/chkrootkit | grep top
Checking `top'... not infected
linux:~ # rpm -Vf $(which top)
linux:~ #
Greetings from Bremen
hartmut
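Hartmut's "rpm -Vf $(which top)" check prints nothing on a clean box and a row of one-letter test codes per changed file otherwise. The following is an added example (not code from the thread) that decodes those rows the way "man rpm" describes them and separates the one case that matters here, a non-config file whose size or digest changed, from harmless noise such as an edited config file's mtime. The sample output is constructed to look like rpm -V output; the paths in it are illustrative. The caveat in the message stands: on a rooted host rpm itself may be lying, so silence proves nothing, only a reported change is a usable signal.

```python
"""Interpret `rpm -V` output.

Added example, not code from the thread.  SAMPLE below is constructed to
resemble `rpm -Vf $(which top)` output; the paths are illustrative.
"""
from dataclasses import dataclass
from typing import List

# Column codes printed by rpm -V (see "man rpm", VERIFY OPTIONS).
# '.' means the test passed, '?' means it could not be performed.
# 'P' is only printed by newer rpm releases; older ones print 8 columns.
RPM_V_FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "link", "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

# Optional attribute marker between the flags and the path:
# c=config d=doc g=ghost l=license r=readme.  Config files legitimately
# change on a running system; an executable with no marker should not.
ATTR_MARKERS = set("cdglr")


@dataclass
class Finding:
    path: str
    attr: str           # "" for an ordinary file (binaries, libraries)
    failed: List[str]   # names of the verify tests that failed
    missing: bool = False

    @property
    def content_changed(self) -> bool:
        """Size/digest mismatch (or absence) of a non-config file: the file
        on disk is not the one the package installed.  rpm -V is silent on
        a clean box, and on a compromised box rpm may lie, so this is a
        one-way signal: a hit is damning, no hit proves nothing."""
        return self.attr == "" and (
            self.missing or bool({"size", "digest"} & set(self.failed)))


def parse_rpm_verify(output: str) -> List[Finding]:
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_missing = line.startswith("missing")
        if is_missing:
            rest = line[len("missing"):].strip()
        else:
            flags, rest = line.split(None, 1)
        attr = ""
        if rest[:1] in ATTR_MARKERS and rest[1:2].isspace():
            attr, rest = rest[0], rest[1:].strip()
        if is_missing:
            findings.append(Finding(rest, attr, [], missing=True))
        else:
            failed = [RPM_V_FLAGS[c] for c in flags if c in RPM_V_FLAGS]
            findings.append(Finding(rest, attr, failed))
    return findings


def tampered_files(output: str) -> List[str]:
    """Paths whose installed content no longer matches the package."""
    return [f.path for f in parse_rpm_verify(output) if f.content_changed]


# Constructed sample: a replaced top binary, a legitimately edited config
# file, and a deleted documentation file.
SAMPLE = """\
S.5....T.    /usr/bin/top
.......T.  c /etc/sysconfig/example
missing   d /usr/share/doc/packages/ps/README
"""

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE):
        verdict = "CONTENT CHANGED" if f.content_changed else "ok"
        print(f"{f.path}: attr={f.attr or '-'} failed={f.failed} "
              f"missing={f.missing} -> {verdict}")
```

Feed it the real thing with `tampered_files(subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True).stdout)`; an empty list is what Hartmut's clean 9.0 box produced.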
On Sunday 01 February 2004 20.17, Hartmut Meyer wrote:
I use chkrootkit-0.43 and get no alarm on my SUSE 9.0. "rpm -Vf $(which top)" reports nothing here:
linux:~ # /usr/local/src/chkrootkit-0.43/chkrootkit | grep top
Checking `top'... not infected
linux:~ # rpm -Vf $(which top)
linux:~ #
The problem is in the "top" in the ps package from /pub/people/kraxel. The top binary in that contains the string "/prof", which chkrootkit detects as a sign of an infected binary. That string isn't in the src.rpm from kraxel's directory, and if you rebuild the rpm from that src.rpm you also won't see that string.
Hi,
On Sunday, 1 February 2004 20:22, Anders Johansson wrote:
On Sunday 01 February 2004 20.17, Hartmut Meyer wrote:
I use chkrootkit-0.43 and get no alarm on my SUSE 9.0. "rpm -Vf $(which top)" reports nothing here:
linux:~ # /usr/local/src/chkrootkit-0.43/chkrootkit | grep top
Checking `top'... not infected
linux:~ # rpm -Vf $(which top)
linux:~ #
The problem is in the "top" in the ps package from /pub/people/kraxel. The top binary in that contains the string "/prof", which chkrootkit detects as a sign of an infected binary.
That string isn't in the src.rpm from kraxel's directory, and if you rebuild the rpm from that src.rpm you also won't see that string.
I admit: I hadn't followed the thread - I was not aware that this was about the rpm package from the people/kraxel directory. I have no clue about that but have forwarded your comments.
Greetings from Bremen
hartmut
On Sunday 1 February 2004 20:17, Hartmut Meyer wrote:
I use chkrootkit-0.43 and get no alarm on my SUSE 9.0. "rpm -Vf $(which top)" reports nothing here:
linux:~ # /usr/local/src/chkrootkit-0.43/chkrootkit | grep top
Checking `top'... not infected
linux:~ # rpm -Vf $(which top)
linux:~ #
But what happens if you install the rpm ps;2003.11.17-18 provided at: ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people/? (as you can see the rpm here is just a link into the suse-people directories)
-- Richard Bos
Without a home the journey is endless
On Sunday 01 February 2004 2:28 pm, Richard Bos wrote:
But what happens if you install the rpm ps;2003.11.17-18 provided at: ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people/? (as you can see the rpm here is just a link into the suse-people directories)
What's the consensus here -- is that package safe to install, or not?
Paul Abrahams
After replacing, rebuilding and getting scared to death...
Consider that the last time I did some semi-serious security stuff I was 14/15, reverse engineering CShow. IANAS (I'm not a sysadmin), that said... I've done all these things:
Installed ps through apt
Installed ps from DVD
Compiled and installed ps from ftp.suse.com
Installed chkrootkit from source
Installed chkrootkit from apt
and the result ranged from no infected packages, no modules loaded, to top and/or ps infected and hidden modules etc...
I doubt that just substituting 2 binaries I can "unload" trojan modules. I had a look at the sources of chkrootkit and discovered which binary was checking for "hidden" modules. I discovered it has an option -v and got this output:
stige:~ # chkproc -v
PID 3: not in ps output
PID 4: not in ps output
PID 5: not in ps output
PID 6: not in ps output
You have 4 process hidden for ps command
then I did... // edited to fit in email
stige:~ # ps aux
USER  PID VSZ RSS TTY STAT START TIME COMMAND
root    1 620 256 ?   S    22:00 0:04 init [3]
root    2   0   0 ?   SW   22:00 0:00 [keventd]
root    0   0   0 ?   SWN  22:00 0:00 [ksoftirqd_CPU0]
root    0   0   0 ?   SW   22:00 0:00 [kswapd]
root    0   0   0 ?   SW   22:00 0:00 [bdflush]
root    0   0   0 ?   SW   22:00 0:00 [kupdated]
root    8   0   0 ?   SW   22:00 0:00 [khubd]
root    9   0   0 ?   SW<  22:00 0:00 [mdrecoveryd]
Curiously enough /proc/3 is actually ksoftirqd_CPU0, /proc/4 is kswapd ... bdflush, kupdated
Out of panic mode: reasonable???
On Sunday 1 February 2004 22:54, Ivan Sergio Borgonovo wrote:
// edited to fit in email
stige:~ # ps aux
USER  PID VSZ RSS TTY STAT START TIME COMMAND
root    1 620 256 ?   S    22:00 0:04 init [3]
root    2   0   0 ?   SW   22:00 0:00 [keventd]
root    0   0   0 ?   SWN  22:00 0:00 [ksoftirqd_CPU0]
root    0   0   0 ?   SW   22:00 0:00 [kswapd]
root    0   0   0 ?   SW   22:00 0:00 [bdflush]
root    0   0   0 ?   SW   22:00 0:00 [kupdated]
root    8   0   0 ?   SW   22:00 0:00 [khubd]
root    9   0   0 ?   SW<  22:00 0:00 [mdrecoveryd]
Curiously enough /proc/3 is actually ksoftirqd_CPU0, /proc/4 is kswapd ... bdflush, kupdated
And on my system with ps-2003.9.... those processes are numbered:
root 3 0.0 0.0 0 0 ? SWN 15:38 0:00 [ksoftirqd_CPU0]
root 4 0.0 0.0 0 0 ? SW  15:38 0:02 [kswapd]
root 5 0.0 0.0 0 0 ? SW  15:38 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW  15:38 0:02 [kupdated]
Looks like a bug in the ps-2003.11... rpm
-- Richard Bos
Without a home the journey is endless
On Sun, 1 Feb 2004 20:17:37 +0100 Hartmut Meyer <hartmut.meyer@web.de> wrote:
Sorry to say I just checked and I have the same result: 4 modules hidden, ps and top infected. I've used apt4suse as well :(
Update... after reinstalling ps and top from DVD everything seems back to normal... no hidden modules, no ps nor top infected. That *doesn't* seem reasonable! It seems that chkrootkit is sensitive to something. I doubt the modules disappeared suddenly just by updating top or ps. Anyway I'm not an expert in security. I'll check if there's any explanation in the chkrootkit docs... of course any help will be appreciated.
On Sunday 01 February 2004 09:49 am, David Herman wrote:
On Saturday 31 January 2004 11:14 pm, GarUlbricht7@netscape.net wrote:
I am surprised that you have not posted this on the suse-security mailing list: http://www.suse.com/us/private/support/online_help/mailinglists/index.html
Or maybe you have and I just missed it.
----------snip--------
Actually I wasn't on that list until just now, I'll post there shortly unless someone beats me to it.
I was really hoping that chkrootkit was giving a false positive. I did fill out the webform at feedback.suse but who knows how long that will take.
see ya
-- dh
Don't shop at GoogleGear.com!
A couple of notes:
Have you checked your system logs?
Did you have either a Tripwire or AIDE database prior?
Check for deleted (possibly trojaned) executables via:
# file /proc/[0-9]*/exe|grep '(deleted)'
Also extract the binary versions of ps, ls, who (commonly trojaned executables) from the installation CD onto a floppy from another system. Write protect it! Then perform a compare of the valid (floppy) version against the possibly trojaned executable via:
# cmp /media/floppy/valid_exec /bin/trojan_exec
This will do a byte-by-byte comparison of both executables.
You can search for the debugging symbols from the "trojaned" executable via:
# nm trojan_exec | more
Also check for any ascii text in the executable via:
# strings -a trojan_exec | more
HTH.
thomas
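Two of the checks Thomas lists above, scripted so they can be run from a trusted environment and their results kept: the "(deleted)" executable scan over /proc and the cmp-style byte comparison against a known-good copy. This is an added example, not code from the thread. The CLEAN and PATCHED byte strings at the bottom are constructed stand-ins for a trusted and a tampered binary; no real system file is read unless you call compare_files yourself.

```python
"""Deleted-executable scan and cmp-style comparison (added example, not
the thread's own code).  The sample byte strings are constructed."""
import hashlib
import os
from typing import List, Optional, Tuple


def deleted_executables(proc: str = "/proc") -> List[Tuple[int, str]]:
    """Equivalent of `file /proc/[0-9]*/exe | grep '(deleted)'`.

    /proc/PID/exe is a symlink to the program a process is running.  If
    that file was unlinked after exec (a binary swapped out from under a
    running daemon, or a loader that deletes itself) the kernel appends
    " (deleted)" to the link target.  Kernel threads have no exe and other
    users' processes need root to inspect, so unreadable entries are
    skipped rather than reported.  Returns [] where /proc does not exist.
    """
    if not os.path.isdir(proc):
        return []
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target))
    return hits


def compare_binaries(trusted: bytes, suspect: bytes) -> Optional[dict]:
    """cmp-like comparison.  None if identical; otherwise the first
    differing offset, the two byte values there (None past the shorter
    file's end), the size difference, and SHA-256 of both inputs, which is
    what you would record alongside the write-protected reference copy."""
    if trusted == suspect:
        return None
    limit = min(len(trusted), len(suspect))
    offset = next((i for i in range(limit) if trusted[i] != suspect[i]), limit)
    return {
        "offset": offset,
        "trusted_byte": trusted[offset] if offset < len(trusted) else None,
        "suspect_byte": suspect[offset] if offset < len(suspect) else None,
        "size_delta": len(suspect) - len(trusted),
        "trusted_sha256": hashlib.sha256(trusted).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
    }


def compare_files(trusted_path: str, suspect_path: str) -> Optional[dict]:
    """Same check on files, e.g. /media/floppy/top against /usr/bin/top."""
    with open(trusted_path, "rb") as a, open(suspect_path, "rb") as b:
        return compare_binaries(a.read(), b.read())


# Constructed stand-ins: a 28-byte "binary" and a copy with 6 bytes
# overwritten at offset 20 (the "/proc/" literal becomes "/pro/tmp/.").
CLEAN = b"\x7fELF" + b"\x00" * 12 + b"/proc/" + b"\x00" * 6
PATCHED = CLEAN[:20] + b"/tmp/." + CLEAN[26:]

if __name__ == "__main__":
    print("processes running deleted executables:", deleted_executables())
    print("clean vs patched:", compare_binaries(CLEAN, PATCHED))
```

Run it from a rescue boot or another machine with the reference copies mounted read-only; as Hartmut noted for rpm, tools run on the suspect box itself can be lied to, and that applies to this script's view of /proc as much as to chkrootkit's.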
On Sunday 01 February 2004 10:07 pm, Thomas Jones wrote:
------------snip---------------
A couple notes:
Have you checked your system logs?
Didn't see anything terribly unusual (things in the log before the installation date look pretty much like they do after the install date) but I don't necessarily know what I'm looking for.
Did you have wither an tripwire or AIDE database prior?
Neither, I have not gotten that far with my understanding of linux (I'm still trying to figure out how to set up Samba between my 2 machines.) The Amiga I had before moving to linux didn't really have such tools available.
Check for deleted(possibly trojaned) executables via:
# file /proc/[0-9]*/exe|grep '(deleted)'
No result from this command
Also extract the binary version from the installation CD of ps,ls,who ----- commonly trojaned executables onto a floppy from another system. Write protect it!
Then perform a compare of the valid(floppy) version against the possibly trojaned executable via:
# cmp /media/floppy/valid_exec /bin/trojan_exec
This will do a byte-by-byte comparison of both executables.
I'll give it a try. It sounds like Arjen, Ivan and Richard have done quite a lot of examination of the problem file.
You can search for the debugging symbols from the "trojaned" executable via:
# nm trojan_exec | more
I've got the "Good" previous versions of the command back on my machine currently so the output is what would be expected
Also check for any ascii text in the executable via:
# strings -a trojan_exec | more
Thanks for the ideas Thomas, I'll file those commands away for future reference.
PS. I sent some info from this thread to the suse-security list this afternoon as Gar and Alex suggested. I'll pass along any definitive results that come from that.
See ya
-- dh
On Sunday 01 February 2004 04:47 pm, David Herman wrote:
So I got a mail to the suse-security list yesterday and received a couple of replies. Sounds like it is (most likely) a false positive. For those that are interested here are the 2 replies:
======================================
first from Sebastian Krahmer
Hi,
I think this is a false positive from chkrootkit. I downloaded the ps package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed there is a "/prof" string in ps and top. But this is ok. The string is inside .text and is executable code. This is:
...
0x8055205: call 0x8049700 strtoul()
0x805520a: mov 0xc(%ebp),%edx
0x805520d: mov %eax,0x1b8(%edx)
0x8055213: mov %eax,(%edx)
0x8055215: movl $0x6f72702f,(%esi) ; /prof
0x805521b: movw $0x2f63,0x4(%esi)
0x8055221: mov 0x226fc(%ebx),%eax
0x8055227: add $0xb,%eax
0x805522a: mov %eax,0x4(%esp,1)
0x805522e: lea 0x6(%esi),%eax
0x8055231: mov %eax,(%esp,1)
0x8055234: call 0x8049780 strcpy()
...
The code in C is:
pid = strtoul(ent->d_name, NULL, 10);
memcpy(path, "/proc/", 6);
strcpy(path+6, ent->d_name);
and comes from the original ps source. The compiler optimized the memcpy() into a movl+movw since "/pro" is 32 bit and the other 2 bytes are copied via movw. This just yields the "/prof" string in .text.
regards,
Sebastian
=============================================
Followed by this from Lenz Grimmer:
Hi,
JFYI, for those of you who are not on suse-security... Seems like it was (fortunately) a false alarm. But still, I too would appreciate it if the packages in the "people" directory were signed at least with the developer's key.
Bye, LenZ
===============================================
So there you have it, much thanks to all who participated in this thread. If anyone knows more I'm still interested but it sounds like a false alarm.
Have a great day
-- dh
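Sebastian's explanation can be checked without the binary. The example below is added here and is not code from the thread or from the ps package; it uses the two instructions from his listing, hand-encoded for 32-bit x86 (the encodings are my own and are the only bytes assumed), to show where the 'f' comes from: the two immediates decode back to "/proc/", and the byte right after the movl's "/pro" immediate is 0x66, the operand-size prefix that a 16-bit movw must carry, which happens to be ASCII 'f'. The same block includes a minimal strings-style scan and the substring test chkrootkit effectively performs, so you can see why a search for "/prof" over the whole file cannot tell a code byte from a string byte.

```python
"""Why a clean `top` contains the string "/prof".

Added example, not from the thread.  The two machine-code encodings below
are my own hand-assembly (32-bit x86) of the instructions Sebastian quotes;
the other instructions in his listing are not needed for the point:
    movl $0x6f72702f,(%esi)   ->  c7 06 2f 70 72 6f
    movw $0x2f63,0x4(%esi)    ->  66 c7 46 04 63 2f
"""
import struct
from typing import List, Tuple

# Source line being compiled:  memcpy(path, "/proc/", 6);
# With a constant length of 6 the compiler emits two stores instead of a call.
MOVL_STORE = bytes.fromhex("c706" "2f70726f")           # c7 /0, modrm 06 = (%esi), imm32
MOVW_STORE = bytes.fromhex("66" "c7" "46" "04" "632f")  # 66 prefix, c7 /0, modrm 46 disp8 04, imm16
TEXT_FRAGMENT = MOVL_STORE + MOVW_STORE

# Instruction field each byte of TEXT_FRAGMENT belongs to, by offset.
BYTE_ROLES = (["movl opcode", "movl modrm"] + ["movl imm32"] * 4
              + ["movw 0x66 operand-size prefix", "movw opcode",
                 "movw modrm", "movw disp8"] + ["movw imm16"] * 2)


def memcpy_immediates() -> Tuple[bytes, bytes]:
    """The constant "/proc/" split 4+2, each part stored little-endian."""
    return struct.pack("<I", 0x6f72702f), struct.pack("<H", 0x2f63)


def ascii_runs(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Minimal `strings -a`: (offset, text) for every printable run of at
    least min_len bytes, with no regard for ELF sections."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):
        printable = 0x20 <= b < 0x7f
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    return runs


def marker_hit(blob: bytes, marker: bytes = b"/prof") -> int:
    """chkrootkit's test for this signature amounts to a substring search
    over the whole file; it has no notion of which section a byte is in.
    Returns the offset of the first hit, or -1."""
    return blob.find(marker)


def explain_hit() -> List[Tuple[int, str, str]]:
    """For each byte of the "/prof" hit in TEXT_FRAGMENT: offset, the
    character a strings scan sees, and the instruction field it really is.
    The 'f' is the 0x66 prefix of the following movw, not string data."""
    off = marker_hit(TEXT_FRAGMENT)
    if off < 0:
        return []
    return [(i, chr(TEXT_FRAGMENT[i]), BYTE_ROLES[i]) for i in range(off, off + 5)]


if __name__ == "__main__":
    lo, hi = memcpy_immediates()
    print("immediates decode to:", lo + hi)
    print("strings-style runs over the fragment:", ascii_runs(TEXT_FRAGMENT))
    for row in explain_hit():
        print(row)
```

Note that "/proc/" itself never appears contiguously in the fragment, which is why a string check for the legitimate path finds nothing while the check for the rootkit marker fires. A string-signature scanner is a cheap first look, not a verdict; Anders' rebuild from the src.rpm and a byte comparison against it is the check that actually settles the question.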
participants (8)
- Anders Johansson
- David Herman
- GarUlbricht7@netscape.net
- Hartmut Meyer
- Ivan Sergio Borgonovo
- Paul W. Abrahams
- Richard Bos
- Thomas Jones