
Re: [suse-security] chkroot claims top infected



On Monday 02 February 2004 03:42 am, Sebastian Krahmer wrote:
> On Sun, 1 Feb 2004, dh wrote:
>
> Hi,
>
>
> I think this is a false positive from chkrootkit. I downloaded the ps
> package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and
> indeed there is a "/prof" string in ps and top. But this is ok. The
> string is inside .text and is executable code. This is:
>
> ...
> 0x8055205:      call   0x8049700                        strtoul()
>
> 0x805520a:      mov    0xc(%ebp),%edx
> 0x805520d:      mov    %eax,0x1b8(%edx)
> 0x8055213:      mov    %eax,(%edx)
>
> 0x8055215:      movl   $0x6f72702f,(%esi)               ; /prof
> 0x805521b:      movw   $0x2f63,0x4(%esi)
>
> 0x8055221:      mov    0x226fc(%ebx),%eax
> 0x8055227:      add    $0xb,%eax
> 0x805522a:      mov    %eax,0x4(%esp,1)
> 0x805522e:      lea    0x6(%esi),%eax
> 0x8055231:      mov    %eax,(%esp,1)
>
> 0x8055234:      call   0x8049780                        strcpy()
> ...
>
>
> The code in C is:
>
>         pid = strtoul(ent->d_name, NULL, 10);
>         memcpy(path, "/proc/", 6);
>         strcpy(path+6, ent->d_name);
>
> and comes from the original ps source. The compiler optimized the
> memcpy() into a movl+movw since /pro is 32 bit and the left 2 bytes
> are copied via movw. This just yields a "/prof" string in .text.
>
>
> regards,
> Sebastian

Thanks for the detailed info, Sebastian, I sure feel better.
Have a great day.
-- 
dh
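To make the false positive concrete, here is an added example (not code from the thread or from procps) that hand-encodes the two stores from Sebastian's disassembly and shows where the "/prof" byte sequence comes from: the movl immediate 0x6f72702f is stored little-endian as "/pro", and the very next byte is the 0x66 operand-size prefix of the movw, which is ASCII 'f'. The instruction bytes below are constructed for this example from the standard x86 encoding of those two instructions; the decode helper assumes a little-endian host, as on the i386 package in question.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed for this example: the two instructions from the quoted
 * disassembly, encoded as they appear in the .text section.
 *   movl $0x6f72702f,(%esi)   -> c7 06 2f 70 72 6f
 *   movw $0x2f63,0x4(%esi)    -> 66 c7 46 04 63 2f
 * 0x66 is the 16-bit operand-size prefix of the movw; as a character it is 'f'. */
static const unsigned char text_bytes[] = {
    0xc7, 0x06, 0x2f, 0x70, 0x72, 0x6f,
    0x66, 0xc7, 0x46, 0x04, 0x63, 0x2f,
};

/* Plain byte search, the kind of scan a string-matching rootkit checker
 * runs over a binary. Returns the offset of needle or -1 if absent. */
int find_bytes(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return (int)i;
    return -1;
}

/* Offset of "/prof" inside the encoded instructions (2: right after the
 * two opcode/modrm bytes of the movl). */
int prof_offset(void) {
    return find_bytes(text_bytes, sizeof text_bytes, "/prof");
}

/* The byte that follows "/pro": the movw prefix 0x66, i.e. 'f'. */
unsigned char byte_after_pro(void) {
    return text_bytes[prof_offset() + 4];
}

/* Reassemble what the two stores actually write to memory at run time:
 * the immediates, laid out little-endian, spell "/proc/". */
void decode_stores(char out[7]) {
    uint32_t imm32 = 0x6f72702f;   /* immediate of the movl */
    uint16_t imm16 = 0x2f63;       /* immediate of the movw */
    memcpy(out, &imm32, 4);        /* "/pro" on a little-endian host */
    memcpy(out + 4, &imm16, 2);    /* "c/" */
    out[6] = '\0';
}

int decoded_stores_are_proc(void) {
    char s[7];
    decode_stores(s);
    return strcmp(s, "/proc/") == 0;
}

/* The path construction from the quoted ps source, with a length check
 * added for this example so it cannot overrun path. Returns 0 on success. */
int build_proc_path(char *path, size_t path_len, const char *d_name) {
    if (strlen(d_name) + 7 > path_len)
        return -1;
    memcpy(path, "/proc/", 6);
    strcpy(path + 6, d_name);
    return 0;
}

int proc_path_ok(void) {
    char p[32];
    return build_proc_path(p, sizeof p, "1234") == 0 && strcmp(p, "/proc/1234") == 0;
}

int main(void) {
    char s[7];
    decode_stores(s);
    printf("\"/prof\" found at .text offset %d, next byte 0x%02x ('%c')\n",
           prof_offset(), byte_after_pro(), byte_after_pro());
    printf("the stores write: \"%s\"\n", s);
    return 0;
}
```

The useful check when a scanner flags a string like this is to see whether the match lies in a code section and whether it is followed by plausible instruction bytes; a real marker string planted by a trojaned binary would normally sit in a data section as a complete, NUL-terminated string rather than as a partial immediate fused with the next opcode's prefix.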
