
Re: [suse-security] chkroot claims top infected



On Sun, 1 Feb 2004, dh wrote:

Hi,


I think this is a false positive from chkrootkit. I downloaded the ps package
from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed
there is "/prof" string in ps and top. But this is ok. The string
is inside .text and is executable code. This is:

...
0x8055205:      call   0x8049700                        strtoul()

0x805520a:      mov    0xc(%ebp),%edx
0x805520d:      mov    %eax,0x1b8(%edx)
0x8055213:      mov    %eax,(%edx)

0x8055215:      movl   $0x6f72702f,(%esi)               ; /prof
0x805521b:      movw   $0x2f63,0x4(%esi)

0x8055221:      mov    0x226fc(%ebx),%eax
0x8055227:      add    $0xb,%eax
0x805522a:      mov    %eax,0x4(%esp,1)
0x805522e:      lea    0x6(%esi),%eax
0x8055231:      mov    %eax,(%esp,1)

0x8055234:      call   0x8049780                        strcpy()
...


The code in C is:

        pid = strtoul(ent->d_name, NULL, 10);
        memcpy(path, "/proc/", 6);
        strcpy(path+6, ent->d_name);

and comes from the original ps source. The compiler optimized the memcpy()
into a movl+movw, since "/pro" is 32 bits and the remaining 2 bytes are copied
via movw. This just yields the "/prof" string in .text.


regards,
Sebastian


> I brought up this issue on the SuSE English List (SLE) and it was
> suggested that I should pass my information along to this list.
> 
> What follows is a cut and paste of the thread from SLE...
> 
> I just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
> results
>         Checking `top'... INFECTED
> and
>         Checking `lkm'... You have 5 process hidden for ps command
> 
> I found these commands were in an rpm updated w/ synaptic recently,
> ps_2003.11.17-18_i586.rpm. The file can be found at
> ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people
> 
> top's size is 81.5kb and has a modified date of 2004-01-20
>         #top -h
>                 top: procps version 3.1.14
> 
> As further investigation I installed the previous rpm
> (ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again, this
> time no errors were reported. Then reinstalled the rpm from the apt
> repository and the errors appear again.
> 
> I know this doesn't mean that I haven't been rooted but it really points
> a finger at the ps_2003.11.17-18_i586.rpm from
> ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people
> (the apt archive)
> If so anyone using apt for their upgrades should be concerned about
> this.
> 
> Continuing my investigation I booted up my test machine w/ SuSE 9.0
> ran checkrootkit and it showed all clean. Then I used synaptic and
> updated ps (ps_2003.11.17-18_i586.rpm) and nothing else
> then I ran chkroot again and the errors are there.
> 
> Anders Johansson wrote (from 3 separate messages):
> 
> chkrootkit is reacting to the string /prof in top. That string isn't in
> the src.rpm, but it is in the binary. That alone is very suspicious. It
> does look like kraxel's binaries are infected. I wonder what other
> niceties are in the binaries in the apt repo
> 
> The suspicious ps package is identical on suse.com and on gwdg.de, so it
> seems that if something has been compromised it's on suse.com.
> The problem is in the "top" in the ps package from /pub/people/kraxel
> The top binary in that contains the string "/prof", which chkrootkit
> detects as a sign of an infected binary
> 
> That string isn't in the src.rpm from kraxel's directory, and if you
> rebuild the rpm from that src.rpm you also won't see that string.
> 
> And finally a long quote from Ivan Sergio Borgonovo :
> 
> I've done all these things
> Installed ps through apt
> Installed ps from DVD
> Compiled and installed ps from ftp.suse.com
> Installed chkrootkit from source
> Installed chkrootkit from apt
> 
> and the result ranged from no infected packages, no modules loaded to,
> top or/and ps infected and hidden modules etc...
> 
> I doubt that just substituting 2 binaries I can "unload" trojan
> modules.
> 
> I gave a look at the sources of chkrootkit and discovered which binary
> was checking for "hidden" modules.
> I discovered it has an option -v and got this output
> 
> stige:~ # chkproc -v
> PID     3: not in ps output
> PID     4: not in ps output
> PID     5: not in ps output
> PID     6: not in ps output
> You have     4 process hidden for ps command
> 
> then I did...
> 
> // edited to fit in email
> stige:~ # ps aux
> USER       PID  VSZ  RSS TTY      STAT START   TIME COMMAND
> root         1  620  256 ?        S    22:00   0:04 init [3]
> root         2    0    0 ?        SW   22:00   0:00 [keventd]
> root         0    0    0 ?        SWN  22:00   0:00 [ksoftirqd_CPU0]
> root         0    0    0 ?        SW   22:00   0:00 [kswapd]
> root         0    0    0 ?        SW   22:00   0:00 [bdflush]
> root         0    0    0 ?        SW   22:00   0:00 [kupdated]
> root         8    0    0 ?        SW   22:00   0:00 [khubd]
> root         9    0    0 ?        SW<  22:00   0:00 [mdrecoveryd]
> 
> Curiously enough
> /proc/3 is actually ksoftirqd_CPU0
> /proc/4 is kswapd
> ... bdflush, kupdated
> 
> out of panic mode: reasonable???
> 
> So there you have it. I would love to post back to the SLE and apt4SuSE
> lists that this is a non-issue but if there really is a problem then I
> am sure that the great minds on this list will be able to help.
> 
> Thanks for your time and I do apologize if I've broken any etiquette, I
> just don't have time to read the whole FAQ, or search the archives
> right now.
> 
> 
> 
> --
> dh
> 
> 

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@xxxxxxx - SuSE Security Team
~
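To illustrate Sebastian's explanation of the false positive above (an added example, not code from this thread, from procps or from chkrootkit): the twelve bytes below are reconstructed from the listing's two mov instructions, a plain byte scan of the kind a signature check does finds "/prof" exactly where the movw's 0x66 operand-size prefix follows the "/pro" immediate, no contiguous "/proc/" exists in the bytes at all, and a minimal decoder of just those two stores rebuilds the "/proc/" the code really writes. The byte array and helper names are assumptions for the demonstration.

```c
#include <string.h>
/* Bytes constructed from the two instructions in the listing (not a dump
 * of the real top binary):
 *   c7 06 2f 70 72 6f   movl $0x6f72702f,(%esi)   stores "/pro"
 *   66 c7 46 04 63 2f   movw $0x2f63,0x4(%esi)    stores "c/"
 * The 0x66 operand-size prefix of the movw is also ASCII 'f', so the
 * immediate "/pro" followed by that prefix byte reads as "/prof". */
static const unsigned char code[] = {
    0xc7, 0x06, 0x2f, 0x70, 0x72, 0x6f,
    0x66, 0xc7, 0x46, 0x04, 0x63, 0x2f,
};

/* Plain substring scan (what a string signature check does); offset or -1. */
long find_bytes(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Decode "mov $imm, mem" stores (opcode 0xc7, optional 0x66 prefix, (%esi) or
 * disp8(%esi) destination) into a simulated buffer. 0 on success, -1 otherwise. */
int emulate_stores(const unsigned char *c, size_t len, char *dst, size_t dstlen) {
    size_t i = 0;
    memset(dst, 0, dstlen);
    while (i < len) {
        size_t width = 4, disp = 0;
        if (c[i] == 0x66) { width = 2; i++; }          /* 16-bit operand */
        if (i + 2 > len || c[i] != 0xc7) return -1;      /* unsupported opcode */
        unsigned char modrm = c[i + 1]; i += 2;
        if (modrm == 0x46) disp = c[i++];                /* disp8(%esi) */
        else if (modrm != 0x06) return -1;               /* only (%esi) forms */
        if (i + width > len || disp + width > dstlen) return -1;
        memcpy(dst + disp, c + i, width);   /* little-endian imm == memory order */
        i += width;
    }
    return 0;
}

/* Signature hit, absence of a contiguous "/proc/", and what the stores build. */
long prof_offset(void) { return find_bytes(code, sizeof code, "/prof"); }
long proc_offset(void) { return find_bytes(code, sizeof code, "/proc/"); }
int reconstructs_proc_path(void) {
    char path[8];
    return emulate_stores(code, sizeof code, path, sizeof path) == 0
        && strcmp(path, "/proc/") == 0;
}
```

The lesson for anyone triaging such a hit: confirm where in the file the matched bytes lie and what the surrounding code does, rather than trusting the string match alone.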

