chkrootkit reports 'possible trojan horse' on KN3.4
castrol
06-02-2004, 09:19 PM
Fetched chkrootkit ( wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ) and ran it on a newly installed Knoppix 3.4 installed to harddisk. Excerpted from the output:
...
Checking `bindshell'... not infected
Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
...
Should I worry about that?
chkrootkit is a tool to search for backdoor trojans.
Regards, Henning
Markus
06-03-2004, 07:06 PM
Could be just a bug with 2.6.x kernel and chkrootkit. Try booting with 2.4.x.
Have you tried: /usr/lib/chkrootkit/chkproc -v -v
Also: netstat -tap |grep LISTEN and nmap localhost. You could try netstat and nmap from another computer if the packages are compromised.
Bugreports for the debian package are in: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=chkrootkit
PS: I'm not exactly an expert in this.
PS2: Kanotix which I'm running has chkrootkit. If Knoppix 3.4 hasn't you can install it with:
dselect update
apt-get -s install chkrootkit (remove the -s for simulation if the output is ok)
castrol
06-03-2004, 10:37 PM
Thanks for your in-depth response, you're no novice either :lol: I have no less than 70! kernel modules in the 2.6.6 kernel at present, to me it seems like Knoppix just loads anything ( intel_agp-module shouldn't be present on an Athlon machine, should it?).
The chkrootkit bug report talks about false positives for LKM's on kernel 2.6.x ( see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246667 )
I'll be back with a comment after a reboot (running 2.6.6 now), but basically this cr*pload of text below says that yp/nis and mozilla processes are hidden. The portscan does, as far as I can tell, not show anything suspicious; I am running YP/NIS.
********DATA FROM THE TESTS*********
. Portscan from other machine:
---
vagten:~# nmap kejseren
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on kejseren.slot (192.168.52.2):
(The 1548 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
68/tcp open dhcpclient
111/tcp open sunrpc
631/tcp open cups
947/tcp open unknown
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
---
Port 947 seems to be yp/nis, host 'kejseren' is a NIS/YP client.
---
root@kejseren:/home/henning# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 944 ypbind
100007 1 udp 944 ypbind
100007 2 tcp 947 ypbind
100007 1 tcp 947 ypbind
---
root@kejseren:/home/henning# netstat -tap |grep LISTEN
tcp 0 0 *:bootpc *:* LISTEN 1356/pump
tcp 0 0 *:sunrpc *:* LISTEN 1360/portmap
tcp 0 0 *:x11 *:* LISTEN 2171/X
tcp 0 0 *:947 *:* LISTEN 2038/ypbind
tcp 0 0 *:ipp *:* LISTEN 2089/cupsd
tcp6 0 0 *:ssh *:* LISTEN 2118/sshd
PID 2039: not in readdir output
PID 2039: not in ps output
CWD 2039: /var/yp/binding
EXE 2039: /usr/sbin/ypbind
PID 2040: not in readdir output
PID 2040: not in ps output
CWD 2040: /var/yp/binding
EXE 2040: /usr/sbin/ypbind
PID 2284: not in readdir output
PID 2284: not in ps output
CWD 2284: /home/henning
EXE 2284: /usr/lib/mozilla/mozilla-bin
PID 2287: not in readdir output
PID 2287: not in ps output
CWD 2287: /home/henning
EXE 2287: /usr/lib/mozilla/mozilla-bin
PID 2825: not in readdir output
PID 2825: not in ps output
CWD 2825: /home/henning
EXE 2825: /usr/lib/mozilla/mozilla-bin
PID 2886: not in readdir output
PID 2886: not in ps output
CWD 2886: /home/henning
EXE 2886: /usr/lib/mozilla/mozilla-bin
You have 6 process hidden for readdir command
You have 6 process hidden for ps command
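The chkproc output above flags PIDs that answer on /proc but appear neither in a directory listing of /proc nor in ps. On 2.6 kernels that is exactly how threads look: each thread has its own /proc/<tid> entry, but readdir and ps list only the thread-group leader. The script below is an added example, not code from chkrootkit or the Debian package; it reproduces the cross-check and then separates thread false positives from PIDs that still deserve a look, by reading the Tgid line of /proc/<pid>/status. The /proc layout, the PID_MAX bound and the sample PIDs in sample_run() (modelled on the output above, with a constructed mozilla leader 2280 and a constructed stray PID 31337) are assumptions.

```python
"""chkproc-style hidden-process check that tells a 2.6-kernel thread apart
from a genuinely hidden PID.

Added example, not code from chkrootkit or Debian. It assumes a Linux /proc
layout: every task answers at /proc/<pid>/status, that file carries a
'Tgid:' line, and a thread whose Tgid differs from its Pid is reachable there
even though readdir(/proc) and ps list only thread-group leaders.
"""
import os
import subprocess
from typing import Dict, Iterable, Set, Tuple

PID_MAX = 65536  # assumed upper bound for the brute-force probe


def probe_pids(pid_max: int = PID_MAX) -> Set[int]:
    """Brute-force probe, like chkproc: a PID counts as alive when
    /proc/<pid>/status exists, whether or not readdir(/proc) lists it."""
    return {pid for pid in range(1, pid_max)
            if os.path.exists(f"/proc/{pid}/status")}


def readdir_pids() -> Set[int]:
    """PIDs as a directory listing of /proc shows them."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs as ps(1) reports them."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tgid_map(pids: Iterable[int]) -> Dict[int, int]:
    """Thread-group id for each probed PID, read from /proc/<pid>/status."""
    tgid: Dict[int, int] = {}
    for pid in pids:
        try:
            with open(f"/proc/{pid}/status") as fh:
                for line in fh:
                    if line.startswith("Tgid:"):
                        tgid[pid] = int(line.split()[1])
                        break
        except OSError:
            continue  # task exited between probe and read
    return tgid


def classify(probed: Set[int], visible_readdir: Set[int], visible_ps: Set[int],
             tgid: Dict[int, int]) -> Tuple[Set[int], Set[int]]:
    """Pure comparison step. Returns (threads, hidden):
    threads -- PIDs that readdir and ps omit only because they are threads of
               a process that is itself visible (the 2.6 false positive)
    hidden  -- PIDs that answer on /proc, are absent from both listings and
               are not explained as a thread of a visible process; these are
               the ones that still deserve a look."""
    visible = visible_readdir | visible_ps
    candidates = probed - visible
    threads = {p for p in candidates if tgid.get(p, p) != p and tgid[p] in visible}
    return threads, candidates - threads


def sample_run() -> Tuple[Set[int], Set[int]]:
    """Constructed data modelled on the thread's output: ypbind (2038) and a
    mozilla-bin leader (2280, constructed) are visible, their threads are not,
    and one constructed PID 31337 answers on /proc with no visible leader."""
    visible = {1, 1356, 1360, 2038, 2089, 2118, 2171, 2280}
    probed = visible | {2039, 2040, 2284, 2287, 2825, 2886, 31337}
    tgid = {p: p for p in visible}
    tgid.update({2039: 2038, 2040: 2038, 2284: 2280, 2287: 2280,
                 2825: 2280, 2886: 2280, 31337: 31337})
    return classify(probed, visible, visible, tgid)


if __name__ == "__main__":
    probed = probe_pids()
    threads, hidden = classify(probed, readdir_pids(), ps_pids(), tgid_map(probed))
    print(f"{len(threads)} thread(s) hidden from readdir/ps (expected on 2.6 kernels)")
    for pid in sorted(hidden):
        print(f"PID {pid}: not in readdir or ps output and not a thread -- investigate")
```

Run as root so every /proc/<pid>/status is readable. The thread filter only excuses a task whose leader is itself visible; a process whose leader is hidden too keeps all of its tasks in the hidden set, so an LKM that hides a whole thread group is not masked by the filter.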
castrol
06-03-2004, 11:35 PM
Sure! Knoppix 3.4 kernel 2.4.x reports everything ok. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246667 talks about this exactly being related to the 2.6.x kernel somehow. I'll say we'll declare it a bug in chkrootkit and no trojan. Thanks a lot.
Markus
06-04-2004, 08:40 AM
For once I'm sure you're glad you've stumbled onto a bug!
If you want to be sure you could always download clean packages from debian to replace ones hidden from the ps-tree, check the md5sum on them, install over old packages and run chkrootkit. If the problem persists it's bound to be the bug.
But AFAIK your machine is clean.
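Markus's suggestion of re-checking the tools that reported the hidden PIDs against known-good package checksums can be scripted. The following is an added example, not part of this thread, dpkg or debsums; it assumes the format of the .md5sums list that ships in a Debian package (one "<md5 hex>  <path relative to />" line per file) and builds a constructed package tree in a temporary directory so it runs offline. The file names and contents in sample_run() are constructed.

```python
"""Check installed files against the md5 list that ships in a Debian package.

Added example, not from the thread, dpkg or debsums. It assumes the dpkg
'.md5sums' format: one '<md5 hex>  <path relative to />' line per file. The
package list and files below are constructed so the check runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def parse_md5sums(text: str) -> Dict[str, str]:
    """Map relative path -> expected md5 hex digest."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        expected[path.strip()] = digest.lower()
    return expected


def md5_of(path: str) -> str:
    """Digest a file in chunks so large binaries do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(expected: Dict[str, str], root: str = "/") -> List[Tuple[str, str]]:
    """Return (path, status) per listed file; status is 'ok', 'modified' or
    'missing'. A 'modified' ps, netstat or ypbind binary is what a userland
    rootkit leaves behind; 'missing' usually means a file removed or never
    installed and is worth a look but not alarming on its own."""
    results = []
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results.append((rel, "missing"))
        elif md5_of(full) == digest:
            results.append((rel, "ok"))
        else:
            results.append((rel, "modified"))
    return results


def sample_run() -> Dict[str, str]:
    """Constructed package tree: ypbind intact, ps tampered, chkproc absent."""
    clean_ypbind = b"#!/bin/sh\n# constructed stand-in for /usr/sbin/ypbind\n"
    clean_ps = b"#!/bin/sh\n# constructed stand-in for /bin/ps\n"
    md5list = (
        f"{hashlib.md5(clean_ypbind).hexdigest()}  usr/sbin/ypbind\n"
        f"{hashlib.md5(clean_ps).hexdigest()}  bin/ps\n"
        f"{hashlib.md5(b'never written').hexdigest()}  usr/lib/chkrootkit/chkproc\n"
    )
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/sbin"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "usr/sbin/ypbind"), "wb") as fh:
            fh.write(clean_ypbind)
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(clean_ps + b"# constructed trailing bytes: file no longer matches\n")
        return dict(verify(parse_md5sums(md5list), root))


if __name__ == "__main__":
    for path, status in sample_run().items():
        print(f"{status:8s} {path}")
```

The md5 list must come from somewhere the suspect machine cannot have altered: a .md5sums file read from the local dpkg database on a compromised host may have been rewritten along with the binaries, so take it from a freshly downloaded .deb (dpkg-deb --control extracts it) or from a second, trusted machine. MD5 is simply what the package format carries; the trust comes from the source of the list, not the hash function.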