Re: Trojan or Virus?

From: Fritz Bayer (fritz-bayer_at_web.de)
Date: 07/19/04

Date: 19 Jul 2004 13:14:18 -0700

Lew Pitcher <Lew.Pitcher@td.com> wrote in message news:<m1PKc.11270$Gf7.268815@news20.bellglobal.com>...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Fritz Bayer wrote:
>
> > Hi,
> >
> > today I read in a book how to check for possible intrusions. I
> > executed the following command to see whether or not some processes do
> > not show up using ps:
> >
> > ls -d /proc/* |grep [0-9]|wc -l; ps ax|wc -l
> > 99
> > 100
> >
> > How come that there exists this discrepancy
>
> The discrepancy exists because of the way you ran the check
>
> > and should I be worried about this?
>
> No.
>
> > I mean there is one more process in the process list than
> > in the ps list.
>
> Not really. You miscounted.
>

Are you sure? I typed this down from an O'Reilly book, and on another
remote system the two numbers always turn out to be equal!

> > If it was a trojan I guess it should be the opposite (hiding from ps).
>
> Analyze it.
>
> First off, assume that there is a constant number of processes running in your
> system, excluding the processes you used in order to check the process count.
>
> Now,
> ls -d /proc/* |grep [0-9]|wc -l
> adds three processes to that constant (an "ls" process, a "grep" process, and a
> "wc" process). This pipeline reports N+3 processes
>
> OTOH,
> ps ax|wc -l
> adds two processes to the constant number of processes (a "ps" process and a
> "wc" process). Since this pipeline is run after the first pipeline completes, it
> doesn't count the first pipeline's processes. So, this pipeline reports N+2
> processes.
>
> N+3 > N+2
>
> but
> N !> N
>
> [snip]
> As for chkrootkit, this seems to be a spurious response because some processes
> (like Nautilus) hide a number of their child processes. The LKLM response has
> been discussed to death, and you can google for the relevant information.
>
> - --
> Lew Pitcher
> IT Consultant, Enterprise Application Architecture,
> Enterprise Technology Solutions, TD Bank Financial Group
>
> (Opinions expressed are my own, not my employers')
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (MingW32)
>
> iD8DBQFA+71IagVFX4UWr64RAtkvAJ4uThOgqs+46E1jA7MLrk1SCK309wCeJvUd
> q5dMgb5nj22h5W09NjIZtVE=
> =13zv
> -----END PGP SIGNATURE-----
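The comparison the thread is circling around, as an added example rather than code from either poster: instead of comparing two line counts, each of which includes the helper processes of its own pipeline (and, for `ps ax`, the header line that `wc -l` also counts), snapshot the PID sets and diff them, so a process with a `/proc` entry that `ps` does not report stands out by PID. It assumes a Linux `/proc` and a POSIX `ps` that accepts `-e -o pid=`; the file names and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: diff the set of PIDs visible in
# /proc against the set reported by ps, rather than comparing two counts.

# PIDs that have a /proc entry: numeric directory names only, one per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done | LC_ALL=C sort
}

# PIDs as reported by ps: -e selects every process, "pid=" prints a bare PID
# column with an empty header, so no header line reaches the list.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | LC_ALL=C sort
}

# Compare two sorted PID lists stored in files ($1 from /proc, $2 from ps).
# Output: PIDs present in /proc but absent from ps. comm needs both inputs
# in the same order, which is why both snapshots use LC_ALL=C sort.
hidden_from_ps() {
    comm -23 "$1" "$2"
}

# Take both snapshots back to back and report the difference. Helpers that
# exist only during one snapshot (sort, tr, ps itself) can show up once;
# a PID that persists across repeated runs is the one worth examining.
check_hidden_processes() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    proc_pids > "$a"
    ps_pids   > "$b"
    hidden_from_ps "$a" "$b"
    rm -f "$a" "$b"
}

# Only run the live check where /proc and ps exist (e.g. not when sourced).
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    check_hidden_processes
fi
```

Run it as root: with `/proc` mounted using `hidepid`, an unprivileged user sees only its own PIDs in `/proc`, and the diff would be misleading.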