On Fri, Feb 28, 2003 at 09:24:37PM +0100, Felipe Alfaro Solana wrote:
> Hello!
>
> This is a message forwarded from Red Hat's Phoebe (8.1) Linux
> Beta. It seems that some of us, when running "chkrootkit" rootkit
> checker, are getting consistent errors complaining that we have
> hidden processes from the "ps" command and "procfs".
>
> Can you please help us disguise what's happening?
> If so, keep reading :-)
>
> ----- Original Message -----
> From: David McKellar <djmcke@yahoo.com>
> Date: Fri, 28 Feb 2003 09:33:15 -0800 (PST)
> To: phoebe-list@redhat.com
> Subject: Re: chkrootkit on phoebe
>
> > It says I have LKM also:
> >
> > Checking `lkm'... You have 12 process hidden for readdir command
> > You have 12 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > My system is on the net all the time so it could very well be infected.
>
> I have done some research and this is what I've found:
>
> Recompiling (get paranoid) chkrootkit creates a separate binary called
> "chkproc" that allows you to search for hidden processes. Running
> "chkproc -v" on my system reveals this:
>
> ID 1364: not in readdir output
> PID 1364: not in ps output
> PID 1365: not in readdir output
> PID 1365: not in ps output
> PID 1366: not in readdir output
> PID 1366: not in ps output
> You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
>
> My computer is behind a firewall that filters all ports < 1023 and I'm a
> very paranoic person, so I really doubt I have got infected by a trojan.
>
> In my case, I've found the culprit to be "Evolution": while running
> Evolution, there are 3 or more processes not being displayed by the
> "ps" command, or even listed under "/proc., but they are accessible by
> "cd"-ing to them. If I quit "Evolution", running "./chkproc -v" again does
> not generate those warnings.
>
> I think this is related to changes in PID/TID handling by recent kernels.
> If my memory serves me well, each thread of a process is given a
> unique ID (the Thread ID) which is assigned from the same pool as the
> PID, so, there was a time when you could see threads from the output
> of the "ps" command. I think this behaviour has changed, and now, you
> can't directly see threads by using "ps" or reading from "/proc". However,
> the TID number is still reserved from the same pool as PIDs, although
> it won't be listed in "/proc". For whatever reason it be, it seems that "procfs"
> still allows one to "cd" to the directory entry of a thread by using the
> Thread ID (TID), so this could be the culprit of the problem. Since
> "chkproc" tries "cd"-ing the hard way into all possible combinations of
> directories from within "/proc", "chkproc" is in fact "seeing" was should be
> hidden: the entries for threads.
>
> This problem is reproducible on 2.4.20-2.54 and 2.5.63-mm1.
>
> Can any kernel guru help us here? Am we right? Are we infected?
>
> Thanks!
>
> Felipe Alfaro Solana
>
> --
> ______________________________________________
> http://www.linuxmail.org/
> Now with e-mail forwarding for only US$5.95/yr
>
> Powered by Outblaze
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
-- Daniel Jacobowitz MontaVista Software Debian GNU/Linux Developer - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/