Re: Bug in chkrootkit ?
From: Alex 'CAVE' Cernat (cave_at_cernat.ro)
Date: 07/30/03
- Previous message: Todd Mitchell - lists: "RE: Bug in chkrootkit ?"
- In reply to: Michael Weber: "Bug in chkrootkit ?"
- Next in thread: Juraj Ziegler: "Re: Bug in chkrootkit ?"
- Reply: Juraj Ziegler: "Re: Bug in chkrootkit ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jul 2003 19:52:13 +0300
To: security-basics@securityfocus.com
> "You have 4 process hidden for ps command" and the hint for a probably
> installed "LKM Rootkit". So far, so good. "chkproc" with the verbose
> option enabled (-v) says:
>
> [mw@zeus chkrootkit-0.38]# ./chkproc -v
> PID 26194: not in ps output
> PID 26195: not in ps output
> PID 26196: not in ps output
> PID 26197: not in ps output
> You have 4 process hidden for ps command
>
try a better thing:
ls -l /proc/$pid/exe - this command will give you the real path of the
executable 'name', which can be even '/usr/man/man1/xxx/whatever/named'
also you can try ls -l /proc/$pid/fd/ - list of file descriptors opened
by process $pid
I had a server cracked and chkrootkit reported 2 hidden processes to me; and
they were on my system, hidden from ps and top, but not hidden enough
for the absolute path
I'm not sure, but I believe that if an LKM is clever enough (i.e. very well
programmed), it can really 'wipe' a file/process/??? from the system, so
it's hard sometimes to diagnose your server
Alex
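The cross-check described in this reply, written out as an added example (not code from the original post or from chkrootkit): walk /proc, compare against ps, and for every PID ps omits resolve /proc/$pid/exe and /proc/$pid/fd/ the way the reply suggests. It assumes Linux procfs and a ps that accepts `-eo pid=`; the two /proc snapshots around the single ps run are there to drop processes that merely started or exited between the two listings, a false-positive source chkproc-style checks share.

```python
"""Cross-check /proc against ps, then resolve exe and open fds for PIDs ps omits (Linux procfs)."""
import os
import subprocess
from pathlib import Path

def pids_from_proc(proc_root="/proc"):
    """PIDs visible as numeric directory names under /proc."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def pids_from_ps():
    """PIDs as ps reports them; a ps hooked by a rootkit is expected to omit what it hides."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(t) for t in out.split()}
def hidden_pids(proc_pids, ps_pids):
    """PIDs present in the /proc walk but missing from ps output, smallest first."""
    return sorted(set(proc_pids) - set(ps_pids))
def describe(pid, proc_root="/proc"):
    """(exe path, {fd: target}) for pid: what ls -l /proc/$pid/exe and /proc/$pid/fd/ show."""
    base = Path(proc_root) / str(pid)
    try:
        exe = os.readlink(base / "exe")
    except OSError as err:  # kernel threads have no exe; other users' exe needs privilege
        exe = f"<unreadable: {err.strerror}>"
    fds = {}
    try:
        names = os.listdir(base / "fd")
    except OSError:
        names = []
    for name in names:
        try:
            fds[int(name)] = os.readlink(base / "fd" / name)
        except OSError:
            fds[int(name)] = "<unreadable>"
    return exe, fds

def scan(proc_root="/proc"):
    """Snapshot /proc before and after one ps run: a PID counts as hidden only if it is in
    both snapshots and absent from ps, which drops processes that merely started or exited."""
    before = pids_from_proc(proc_root)
    ps = pids_from_ps()
    after = pids_from_proc(proc_root)
    return hidden_pids(before & after, ps)

if __name__ == "__main__":
    for pid in scan():
        exe, fds = describe(pid)
        print(f"PID {pid}: not in ps output -> exe {exe}")
        for fd, target in sorted(fds.items()):
            print(f"    fd {fd} -> {target}")
```

Run it as root so exe and fd links of every process are readable; an exe link pointing somewhere like a man page directory, or fds on sockets a process has no business holding, is what the reply says to look for.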