Re: [suse-security] chkroot claims top infected
On Sun, 1 Feb 2004, dh wrote:
I think this is a false positive from chkrootkit. I downloaded the ps
from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed
there is a "/prof" string in ps and top. But this is ok. The string
is inside .text and is executable code. This is:
0x8055205: call 0x8049700 strtoul()
0x805520a: mov 0xc(%ebp),%edx
0x805520d: mov %eax,0x1b8(%edx)
0x8055213: mov %eax,(%edx)
0x8055215: movl $0x6f72702f,(%esi) ; /prof
0x805521b: movw $0x2f63,0x4(%esi)
0x8055221: mov 0x226fc(%ebx),%eax
0x8055227: add $0xb,%eax
0x805522a: mov %eax,0x4(%esp,1)
0x805522e: lea 0x6(%esi),%eax
0x8055231: mov %eax,(%esp,1)
0x8055234: call 0x8049780 strcpy()
The code in C is:
pid = strtoul(ent->d_name, NULL, 10);
memcpy(path, "/proc/", 6);
and comes from the original ps source. The compiler optimized the memcpy()
into a movl+movw since "/pro" is 32 bits and the 2 bytes left are copied
via movw. This just yields a "/prof" string in .text.
> I brought up this issue on the SuSE English List (SLE) and it was
> suggested that I should pass my information along to this list.
> What follows is a cut and paste of the thread from SLE...
> I just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
> Checking `top'... INFECTED
> Checking `lkm'... You have 5 process hidden for ps command
> I found these commands were in an rpm updated w/ synaptic recently,
> ps_2003.11.17-18_i586.rpm. The file can be found at
> top's size is 81.5kb and has a modified date of 2004-01-20
> #top -h
> top: procps version 3.1.14
> As further investigation I installed the previous rpm
> (ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again, this
> time no errors were reported. Then reinstalled the rpm from the apt
> repository and the errors appear again.
> I know this doesn't mean that I haven't been rooted but it really points
> a finger at the ps_2003.11.17-18_i586.rpm from
> (the apt archive)
> If so anyone using apt for their upgrades should be concerned about
> Continuing my investigation I booted up my test machine w/ SuSE 9.0
> ran checkrootkit and it showed all clean. Then I used synaptic and
> updated ps (ps_2003.11.17-18_i586.rpm) and nothing else
> then I ran chkroot again and the errors are there.
> Anders Johansson wrote (from 3 separate messages):
> chkrootkit is reacting to the string /prof in top. That string isn't in
> the src.rpm, but it is in the binary. That alone is very suspicious. It
> does look like kraxel's binaries are infected. I wonder what other
> niceties are in the binaries in the apt repo
> The suspicious ps package is identical on suse.com and on gwdg.de, so it
> seems that if something has been compromised it's on suse.com.
> The problem is in the "top" in the ps package from /pub/people/kraxel
> The top binary in that contains the string "/prof", which chkrootkit
> as a sign of an infected binary
> That string isn't in the src.rpm from kraxel's directory, and if you
> rebuild the rpm from that src.rpm you also won't see that string.
> And finally a long quote from Ivan Sergio Borgonovo :
> I've done all these things
> Installed ps through apt
> Installed ps from DVD
> Compiled and installed ps from ftp.suse.com
> Installed chkrootkit from source
> Installed chkrootkit from apt
> and the result ranged from no infected packages, no modules loaded to,
> top or/and ps infected and hidden modules etc...
> I doubt that just substituting 2 binaries I can "unload" trojan
> I gave a look at the sources of chkrootkit and discovered which binary
> was checking for "hidden" modules.
> I discovered it has an option -v and got this output
> stige:~ # chkproc -v
> PID 3: not in ps output
> PID 4: not in ps output
> PID 5: not in ps output
> PID 6: not in ps output
> You have 4 process hidden for ps command
> then I did...
> // edited to fit in email
> stige:~ # ps aux
> USER PID VSZ RSS TTY STAT START TIME COMMAND
> root 1 620 256 ? S 22:00 0:04 init 
> root 2 0 0 ? SW 22:00 0:00 [keventd]
> root 0 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]
> root 0 0 0 ? SW 22:00 0:00 [kswapd]
> root 0 0 0 ? SW 22:00 0:00 [bdflush]
> root 0 0 0 ? SW 22:00 0:00 [kupdated]
> root 8 0 0 ? SW 22:00 0:00 [khubd]
> root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]
> Curiously enough
> /proc/3 is actually ksoftirqd_CPU0
> /proc/4 is kswapd
> ... bdflush, kupdated
> out of panic mode: reasonable???
> So there you have it. I would love to post back to the SLE and apt4SuSE
> lists that this is a non-issue but if there really is a problem then I
> am sure that the great minds on this list will be able to help.
> Thanks for your time and I do apologize if I've broken any etiquette, I
> just don't have time to read the whole FAQ, or search the archives
> right now.
~ perl self.pl
~ krahmer@xxxxxxx - SuSE Security Team
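A small added demonstration of the false positive described in the reply above (this is example code written for this archive page; it is not from the post, from chkrootkit, or from procps). It assembles the two stores from the disassembly by hand, assuming the standard x86-32 encodings (C7 /0 with a 32-bit immediate for movl, 66 C7 /0 with a 16-bit immediate for movw), then runs a minimal strings(1)-style scan over those instruction bytes. The scan reports "/prof": the "/pro" comes from the movl immediate and the "f" is the 0x66 operand-size prefix of the following movw, so a signature check that only greps for a string in the file cannot tell this apart from real data. The same function also shows that the immediates, once executed, write "/proc/" into the buffer, matching the memcpy() in the source.

```python
import re
import struct

# Hand-assembled bytes of the two instructions quoted in the reply (assumed
# encodings, not copied from any binary):
#   movl $0x6f72702f,(%esi)     -> C7 06 2F 70 72 6F
#   movw $0x2f63,0x4(%esi)      -> 66 C7 46 04 63 2F
MOVL_PRO = bytes([0xC7, 0x06]) + struct.pack("<I", 0x6F72702F)
MOVW_C_SLASH = bytes([0x66, 0xC7, 0x46, 0x04]) + struct.pack("<H", 0x2F63)
TEXT_FRAGMENT = MOVL_PRO + MOVW_C_SLASH   # what sits in .text

# What the same string looks like when the compiler keeps it as data in
# .rodata instead of folding it into immediates (constructed for contrast).
RODATA_FRAGMENT = b"\x00/proc/\x00"


def immediates_as_written():
    """Bytes the two stores actually place in memory at runtime (little-endian)."""
    return struct.pack("<I", 0x6F72702F) + struct.pack("<H", 0x2F63)


def printable_runs(data, min_len=4):
    """Minimal strings(1)-style scan: (offset, text) for every run of
    printable ASCII bytes at least min_len long."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):   # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


def signature_hits(data, needle=b"/prof"):
    """Offsets at which a naive grep for the rootkit signature would match."""
    return [m.start() for m in re.finditer(re.escape(needle), data)]


def explain_hit(data, offset):
    """For a '/prof' hit, split it into the immediate ('/pro') and the byte
    that follows it, so a reviewer can see the 'f' is really an opcode prefix."""
    imm = data[offset:offset + 4]
    following = data[offset + 4]
    return {
        "immediate": imm.decode("ascii"),
        "next_byte": following,
        "next_byte_is_operand_size_prefix": following == 0x66,
    }


if __name__ == "__main__":
    print("runtime string:", immediates_as_written())
    print(".text strings  :", printable_runs(TEXT_FRAGMENT))
    print(".rodata strings:", printable_runs(RODATA_FRAGMENT))
    for off in signature_hits(TEXT_FRAGMENT):
        print("hit at", off, explain_hit(TEXT_FRAGMENT, off))
```

The practical lesson from the thread is the one krahmer draws: a string match alone is weak evidence, and the right confirmation is to check where the match lands (here inside executable code, at an instruction boundary) and to compare the binary against the package it was installed from, rather than trusting either the scanner or the file on its own.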