Re: Message in chkrootkit.

From: Doug Laidlaw (laidlaws_at_myaccess.com.au)
Date: 07/09/05


Date: Sat, 09 Jul 2005 16:39:23 +1000

Bill Marcum wrote:

> On Fri, 08 Jul 2005 12:36:40 +1000, Doug Laidlaw
> <laidlaws@myaccess.com.au> wrote:
>> Using Mandrake 10.1 on ADSL with GuardDog. I KNOW that I am open to
>> hackers, at least. With my computer switched off, I could see the
>> incoming data light up my ADSL modem. I am looking for a way to reformat
>> everything yet keep essential data. In the meantime, I am keeping off the
>> Net except for a few seconds. At least my Windows firewall allows access
>> on a per-program basis.
>>
>> But I am here to ask about what chkrootkit shows:
>>
>> Checking `sniffer'... /proc/5728/fd: No such file or directory
>>
>> That is the only result that isn't "not infected" or "nothing found".
>> Doing an ls on /proc/5728, I get:
>>
>> ls: cannot read symbolic link cwd: No such file or directory
>> ls: cannot read symbolic link root: No such file or directory
>> ls: cannot read symbolic link exe: No such file or directory
>> attr/ cmdline environ fd/ mem root@ statm task/
>> auxv cwd@ exe@ maps mounts stat status wchan
>>
>> Never really having looked at /proc before, I don't know if the broken
>> links are significant, but they are all suspicious.
>>
> You didn't do ls -l to see the names of those nonexistent links?
>
>
Yes, I did. The other thing, as I noticed later, is that a directory fd/ is
listed there, but chkrootkit says it wasn't. Was it perhaps created in the
meantime?

In the reinstalled system, the directory /proc/5728 doesn't exist. What are
the numbers? Process numbers perhaps? It is my newbie understanding that
everything in /proc represents something of the nature of a process. Top
started a minute or two ago was No. 13800, and the highest number in
"ls /proc" is 13896, so that seems right.

A lot of similar directories have those links and they are valid. Cwd and
root point to "//" where the first slash is blue (a directory) and the
second is gray. exe points to /sbin/init. I remember seeing those in
other directories at the time, but the ones in 5728 went nowhere. I didn't
realize the distinction at the time. The first directory I chose to look
at just now wasn't there, but the process may have gone in the interim.

Doug L.

-- 
ICQ Number 178748389. Registered Linux User No. 277548.
Black as the devil, hot as hell,
Pure as an angel, sweet as love.
        -- Talleyrand's recipe for coffee.
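Added example, not part of the thread above: a small /proc walker in Python that illustrates the condition behind the "/proc/5728/fd: No such file or directory" line. My understanding (an assumption, not something the thread states) is that chkrootkit's Linux sniffer check matches the socket inodes listed in /proc/net/packet against the socket links in each /proc/<pid>/fd; a process that exits between the directory listing and the read leaves exactly that error. The function names and the miniature /proc tree are my own, constructed for offline testing, and the dead-process case is modelled on the PID 5728 directory in the post.

```python
"""Scan /proc for processes holding AF_PACKET sockets, tolerating the race
in which a process disappears mid-scan (example code, not chkrootkit's)."""
import os
import re
import tempfile
from typing import Dict, List, Set

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
GONE = (FileNotFoundError, ProcessLookupError, PermissionError)


def packet_socket_inodes(proc_root: str = "/proc") -> Set[int]:
    """Inode numbers of all packet sockets in <proc_root>/net/packet.
    The file has one header line; the inode is the last column."""
    inodes: Set[int] = set()
    try:
        with open(os.path.join(proc_root, "net", "packet")) as fh:
            next(fh, None)  # skip header row
            for line in fh:
                fields = line.split()
                if fields:
                    inodes.add(int(fields[-1]))
    except FileNotFoundError:
        pass  # no packet socket table available
    return inodes


def socket_inodes_of_pid(proc_root: str, pid: str) -> List[int]:
    """Socket inodes referenced by the symlinks in <proc_root>/<pid>/fd.
    If the process exited, fd/ (or single links) vanish; that is the
    "No such file or directory" case and is reported as an empty list."""
    fd_dir = os.path.join(proc_root, pid, "fd")
    found: List[int] = []
    try:
        entries = os.listdir(fd_dir)
    except GONE:
        return found
    for entry in entries:
        try:
            target = os.readlink(os.path.join(fd_dir, entry))
        except GONE:
            continue  # fd closed or process gone between listdir and readlink
        m = SOCKET_LINK.match(target)
        if m:
            found.append(int(m.group(1)))
    return found


def packet_socket_owners(proc_root: str = "/proc") -> Dict[str, List[int]]:
    """Map PID -> packet-socket inodes it holds. Only numeric names under
    /proc are processes; net/, sys/, self and friends are skipped."""
    wanted = packet_socket_inodes(proc_root)
    owners: Dict[str, List[int]] = {}
    for name in sorted(os.listdir(proc_root)):
        if not name.isdigit():
            continue
        hits = [i for i in socket_inodes_of_pid(proc_root, name) if i in wanted]
        if hits:
            owners[name] = hits
    return owners


def build_fake_proc(root: str) -> None:
    """Constructed miniature /proc tree (not captured from a real host):
    PID 100 holds packet socket inode 4242 and a pipe; PID 200 holds an
    ordinary socket 9999 absent from net/packet; PID 5728 mirrors the
    poster's case, a process directory whose fd/ is already gone."""
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "packet"), "w") as fh:
        fh.write("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n")
        fh.write("f0f0f0f0 3      3    0003   2     1 0      0      4242\n")
    os.makedirs(os.path.join(root, "100", "fd"))
    os.symlink("socket:[4242]", os.path.join(root, "100", "fd", "3"))
    os.symlink("pipe:[777]", os.path.join(root, "100", "fd", "4"))
    os.makedirs(os.path.join(root, "200", "fd"))
    os.symlink("socket:[9999]", os.path.join(root, "200", "fd", "3"))
    os.makedirs(os.path.join(root, "5728"))  # exited process: no fd/
    os.makedirs(os.path.join(root, "sys"))   # non-PID entry, must be ignored


def demo() -> Dict[str, List[int]]:
    """Run the scan over the constructed tree; returns {'100': [4242]}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return packet_socket_owners(tmp)


def exited_pid_yields_nothing() -> bool:
    """True when the dead-process directory is skipped rather than fatal."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp)
        return socket_inodes_of_pid(tmp, "5728") == []


if __name__ == "__main__":
    print(demo())  # {'100': [4242]}
```

Run against the real /proc as root (`packet_socket_owners()`) the output is the set of processes with raw packet sockets open, which is the thing worth reviewing; a PID that has vanished by the time its fd/ is read is simply skipped, which is the benign explanation for the poster's /proc/5728 entry with dangling cwd, root and exe links.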