Thread: chkrootkit reports 'possible trojan horse' on KN3.4

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    3

    chkrootkit reports 'possible trojan horse' on KN3.4

    Fetched chkrootkit ( wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz ) and ran it on a newly installed Knoppix 3.4 installed to hard disk. Excerpted from the output:

    ...
    Checking `bindshell'... not infected
    Checking `lkm'... You have 4 process hidden for readdir command
    You have 4 process hidden for ps command
    Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    ...

    Should I worry about that?

    chkrootkit is a tool to search for backdoor trojans.

    Regards, Henning

  2. #2
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Could be just a bug with 2.6.x kernel and chkrootkit. Try booting with 2.4.x.
    Have you tried: /usr/lib/chkrootkit/chkproc -v -v
    Also: netstat -tap |grep LISTEN and nmap localhost. You could try netstat and nmap from another computer if the packages are compromised.
    Bug reports for the Debian package are in: http://bugs.debian.org/cgi-bin/pkgre...pkg=chkrootkit

    PS: I'm not exactly an expert in this.
    PS2: Kanotix which I'm running has chkrootkit. If Knoppix 3.4 hasn't you can install it with:
    dselect update
    apt-get -s install chkrootkit
    (remove the -s for simulation if the output is ok)

  3. #3
    Junior Member
    Join Date
    Jun 2004
    Posts
    3
    Thanks for your in-depth response, you're no novice either. I have no less than 70 (!) kernel modules in the 2.6.6 kernel at present; to me it seems like Knoppix just loads anything (the intel_agp module shouldn't be present on an Athlon machine, should it?).

    The chkrootkit bug report talks about false positives for LKM's on kernel 2.6.x ( see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246667 )

    I'll be back with a comment after a reboot (running 2.6.6 now), but basically this cr*pload of text below says that the yp/nis and mozilla processes are hidden. The portscan does not, as far as I can tell, show anything suspicious; I am running YP/NIS.

    ********DATA FROM THE TESTS*********
    Portscan from other machine:
    ---
    vagten:~# nmap kejseren
    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on kejseren.slot (192.168.52.2):
    (The 1548 ports scanned but not shown below are in state: closed)
    Port State Service
    22/tcp open ssh
    68/tcp open dhcpclient
    111/tcp open sunrpc
    631/tcp open cups
    947/tcp open unknown
    6000/tcp open X11
    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
    ---

    Port 947 seems to be yp/nis, host 'kejseren' is a NIS/YP client.
    ---
    root@kejseren:/home/henning# rpcinfo -p
    program vers proto port
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
    100007 2 udp 944 ypbind
    100007 1 udp 944 ypbind
    100007 2 tcp 947 ypbind
    100007 1 tcp 947 ypbind
    ---
    root@kejseren:/home/henning# netstat -tap |grep LISTEN
    tcp 0 0 *:bootpc *:* LISTEN 1356/pump
    tcp 0 0 *:sunrpc *:* LISTEN 1360/portmap
    tcp 0 0 *:x11 *:* LISTEN 2171/X
    tcp 0 0 *:947 *:* LISTEN 2038/ypbind
    tcp 0 0 *:ipp *:* LISTEN 2089/cupsd
    tcp6 0 0 *:ssh *:* LISTEN 2118/sshd

    PID 2039: not in readdir output
    PID 2039: not in ps output
    CWD 2039: /var/yp/binding
    EXE 2039: /usr/sbin/ypbind
    PID 2040: not in readdir output
    PID 2040: not in ps output
    CWD 2040: /var/yp/binding
    EXE 2040: /usr/sbin/ypbind
    PID 2284: not in readdir output
    PID 2284: not in ps output
    CWD 2284: /home/henning
    EXE 2284: /usr/lib/mozilla/mozilla-bin
    PID 2287: not in readdir output
    PID 2287: not in ps output
    CWD 2287: /home/henning
    EXE 2287: /usr/lib/mozilla/mozilla-bin
    PID 2825: not in readdir output
    PID 2825: not in ps output
    CWD 2825: /home/henning
    EXE 2825: /usr/lib/mozilla/mozilla-bin
    PID 2886: not in readdir output
    PID 2886: not in ps output
    CWD 2886: /home/henning
    EXE 2886: /usr/lib/mozilla/mozilla-bin
    You have 6 process hidden for readdir command
    You have 6 process hidden for ps command
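The chkproc output above is what a threaded process looks like on a 2.6 kernel: each thread is reachable as /proc/<tid>, but readdir('/proc') (and therefore ps) lists only the thread-group leader, so chkproc's stat-every-PID probe counts every ypbind and mozilla thread as a "hidden" process. The following Python script is an added example, not part of the thread or of chkrootkit: it repeats chkproc's probe and, for every PID that is reachable but not listed, reads the Tgid line of /proc/<pid>/status; a PID whose thread group is a listed process is explained as a thread, anything else stays flagged for a closer look. It assumes a Linux procfs at /proc; the sample PIDs 2283 and 4242 are constructed.

```python
import os

PROC = "/proc"  # assumption: a Linux procfs mount


def listed_pids(proc=PROC):
    """PIDs that readdir('/proc') reports; this is what ps relies on."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def probed_pids(max_pid=32768, proc=PROC):
    """chkproc's trick: stat /proc/<n> for every n instead of trusting readdir."""
    return {n for n in range(1, max_pid + 1) if os.path.isdir(f"{proc}/{n}")}


def read_tgid(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status; equals pid for a process's main thread."""
    with open(f"{proc}/{pid}/status") as fh:
        for line in fh:
            if line.startswith("Tgid:"):
                return int(line.split()[1])
    return None


def classify_hidden(listed, probed, tgid_of):
    """Pure function over (readdir set, probe set, pid->tgid); returns (threads, suspicious)."""
    threads, suspicious = set(), set()
    for pid in probed - listed:
        tgid = tgid_of.get(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            threads.add(pid)  # a thread of a process ps does show: the 2.6 false positive
        else:
            suspicious.add(pid)  # reachable, unlisted, and no visible thread group
    return threads, suspicious


def scan(max_pid=32768, proc=PROC):
    """Live check: (thread ids of listed processes, PIDs that remain unexplained)."""
    listed, probed, tgid_of = listed_pids(proc), probed_pids(max_pid, proc), {}
    for pid in probed - listed:
        try:
            tgid_of[pid] = read_tgid(pid, proc)
        except OSError:
            probed.discard(pid)  # short-lived PID exited between the two passes
    return classify_hidden(listed, probed, tgid_of)


# Constructed sample modelled on the thread: 2038 is the listed ypbind with threads
# 2039/2040; 2283 stands in for a listed mozilla leader; 4242 is an invented PID with
# no visible thread group, the shape a genuinely hidden process would have.
SAMPLE_LISTED = {1, 2038, 2118, 2283}
SAMPLE_PROBED = SAMPLE_LISTED | {2039, 2040, 2284, 4242}
SAMPLE_TGID = {2039: 2038, 2040: 2038, 2284: 2283, 4242: 4242}

if __name__ == "__main__":
    print("sample:", classify_hidden(SAMPLE_LISTED, SAMPLE_PROBED, SAMPLE_TGID))
    if os.path.isdir(PROC):
        print("live:", scan())
```

Run it as root so every /proc/<pid>/status is readable; a non-empty second set is worth rechecking after a rerun, since a process that exits mid-scan can appear in it once.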

  4. #4
    Junior Member
    Join Date
    Jun 2004
    Posts
    3
    Sure! Knoppix 3.4 kernel 2.4.x reports everything ok. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246667 talks about this exactly being related to the 2.6.x kernel somehow. I'll say we'll declare it a bug in chkrootkit and no trojan. Thanks a lot.

  5. #5
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    For once I'm sure you're glad you've stumbled onto a bug!
    If you want to be sure you could always download clean packages from debian to replace ones hidden from the ps-tree, check the md5sum on them, install over old packages and run chkrootkit. If the problem persists it's bound to be the bug.
    But AFAIK your machine is clean.
