Re: Trojan or Virus?
From: Fritz Bayer (fritz-bayer_at_web.de)
Date: 19 Jul 2004 13:14:18 -0700
Lew Pitcher <Lew.Pitcher@td.com> wrote in message news:<m1PKc.11270$Gf7.email@example.com>...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Fritz Bayer wrote:
> > Hi,
> > today I read in a book how to check for possible intrusions. I
> > executed the following command to see whether or not some processes do
> > not show up using ps:
> > ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
> > 99
> > 100
> > How come there exists this discrepancy
> The discrepancy exists because of the way you ran the check.
> > and should I be worried about this?
> > I mean there is one more process in the process list than
> > in the ps list.
> Not really. You miscounted.
Are you sure? I typed this down from an O'Reilly book, and on another
remote system the two numbers always turn out to be equal!
> > If it was a trojan I guess it should be the opposite (hiding from ps).
> Analyze it.
> First off, assume that there is a constant number of processes running in your
> system, excluding the processes you used in order to check the process count.
> ls -d /proc/* |grep [0-9]|wc -l
> adds three processes to that constant (an "ls" process, a "grep" process, and a
> "wc" process). This pipeline reports N+3 processes
> ps ax|wc -l
> adds two processes to the constant number of processes (a "ps" process and a
> "wc" process). Since this pipeline is run after the first pipeline completes, it
> doesn't count the first pipeline's processes. So, this pipeline reports N+2
> N+3 > N+2
> N !> N
> As for chkrootkit, this seems to be a spurious response because some processes
> (like Nautilus) hide a number of their child processes. The LKLM response has
> been discussed to death, and you can google for the relevant information.
> - --
> Lew Pitcher
> IT Consultant, Enterprise Application Architecture,
> Enterprise Technology Solutions, TD Bank Financial Group
> (Opinions expressed are my own, not my employers')
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (MingW32)
> -----END PGP SIGNATURE-----
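The line-count check from the book is noisy for exactly the reason discussed above: each pipeline adds its own helper processes to whatever it measures, and `ps ax` also prints a header line. The script below is an added example (not from either poster or from the O'Reilly book) that compares the two views of the system as sets of PIDs instead of as line counts, then re-checks each candidate against /proc so that short-lived helper processes caught by only one snapshot are discarded. It assumes a Linux-style /proc and a `ps` that honours `-e -o pid=`; the set-difference helper itself needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the thread: compare the set of PIDs visible in
# /proc with the set ps reports, instead of comparing line counts.
# Assumes a Linux-style /proc; pids_only_in_first needs only POSIX sh and awk.

# PIDs that appear as numeric directories under /proc, one per line.
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs as printed by ps; "pid=" gives an empty heading, so no header line.
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Print every PID in the first list that is absent from the second.
# Both arguments are newline-separated strings.
pids_only_in_first() {
    printf '%s\n' "$1" | awk -v other="$2" '
        BEGIN { n = split(other, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $1 != "" && !($1 in seen) { print $1 }'
}

# Keep only PIDs that still exist in /proc. Anything that vanished was a
# transient helper (the subshell, ps, tr) seen by one snapshot but not the other.
still_alive() {
    while IFS= read -r pid; do
        [ -n "$pid" ] && [ -d "/proc/$pid" ] && printf '%s\n' "$pid"
    done
}

# Take both snapshots back to back and report what survives the re-check.
report_hidden() {
    proc_pids=$(list_proc_pids)
    ps_pids=$(list_ps_pids)
    hidden=$(pids_only_in_first "$proc_pids" "$ps_pids" | still_alive)
    if [ -n "$hidden" ]; then
        echo "PIDs present in /proc but missing from ps output:"
        echo "$hidden"
    else
        echo "No process is visible in /proc but missing from ps."
    fi
}

# Only run the live comparison where a /proc filesystem actually exists.
if [ -d /proc/self ]; then
    report_hidden
fi
```

Because `ps` on Linux reads /proc itself, a PID that survives the re-check and is still missing from `ps` output is a real inconsistency worth investigating (a modified `ps` binary, for instance), whereas a stable count difference of one or two is just the measurement artefact Lew describes.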