[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] chkroot claims top infected

I brought up this issue on the SuSE English List (SLE) and it was
suggested that I should pass my information along to this list.

What follows is a cut and past of the thread from SLE...

I just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
        Checking `top'... INFECTED
        Checking `lkm'... You have 5 process hidden for ps command

I found these commands were in an rpm updated w/ synaptic recently,
ps_2003.11.17-18_i586.rpm. The file can be found at

top's size is 81.5kb and has a modified date of 2004-01-20
        #top -h
                top: procps version 3.1.14

As further investigation I installed the previous rpm
(ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again, this
time no errors were reported. Then reinstalled the rpm from the apt
repository and the errors appear again.

I know this doesn't mean that I haven't been rooted but it really points
a finger at the ps_2003.11.17-18_i586.rpm from
(the apt archive)
If so anyone using apt for their upgrades should be concerned about

Continuing my investigation I booted up my test machine w/ SuSE 9.0
ran checkrootkit and it showed all clean. Then I used synaptic and
updated ps (ps_2003.11.17-18_i586.rpm) and nothing else
then I ran chkroot again and the errors are there.

Anders Johansson wrote (from 3 separate messages):

chkrootkit is reacting to the string /prof in top. That string isn't in
the src.rpm, but it is in the binary. That alone is very suspicious. It
does look like kraxel's binaries are infected. I wonder what other
niceties are in the binaries in the apt repo

The suspicious ps package is identical on suse.com and on gwdg.de, so it
seems that if something has been compromised it's on suse.com.
The problem is in the "top" in the ps package from /pub/people/kraxel
The top binary in that contains the string "/prof", which chkrootkit
as a sign of an infected binary

That string isn't in the src.rpm from kraxel's directory, and if you
rebuild the rpm from that src.rpm you also won't see that string.

And finally a long quote from Ivan Sergio Borgonovo :

I've done all these things
Installed ps through apt
Installed ps from DVD
Compiled and installed ps from ftp.suse.com
Installed chkrootkit from source
Installed chkrootkit from apt

and the result ranged from no infected packages, no modules loaded to,
top or/and ps infected and hidden modules etc...

I doubt that just substituting 2 binaries I can "unload" trojan

I gave a look at the sources of chkrootkit and discovered which binary
was checking for "hidden" modules.
I discovered it has an option -v and got this output

stige:~ # chkproc -v
PID     3: not in ps output
PID     4: not in ps output
PID     5: not in ps output
PID     6: not in ps output
You have     4 process hidden for ps command

then I did...

// edited to fit in email
stige:~ # ps aux
root         1  620  256 ?        S    22:00   0:04 init [3]
root         2    0    0 ?        SW   22:00   0:00 [keventd]
root         0    0    0 ?        SWN  22:00   0:00 [ksoftirqd_CPU0]
root         0    0    0 ?        SW   22:00   0:00 [kswapd]
root         0    0    0 ?        SW   22:00   0:00 [bdflush]
root         0    0    0 ?        SW   22:00   0:00 [kupdated]
root         8    0    0 ?        SW   22:00   0:00 [khubd]
root         9    0    0 ?        SW<  22:00   0:00 [mdrecoveryd]

Curiously enough
/proc/3 is actually ksoftirqd_CPU0
/proc/4 is kswapd
... bdflush, kupdated

out of panic mode: reasonable???

So there you have it. I would love to post back to the SLE and apt4SuSE
lists that this is a non-issue but if there really is a problem then I
am sure that the great minds on this list will be able to help.

Thanks for your time and I do apologize if I've broken any etiquette, I
just don't have time to read the whole FAQ, or search the archives
right now .


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here