
Re: [suse-security] SuSE 9.1 Pro and Chkrootkit



We have seen this question before.
Somehow ps is probably not giving the right answers to chkrootkit.

On Sunday 02 May 2004 13:15, Stefan Onken wrote:

> Checking `lkm'... You have     8 process hidden for readdir command
> You have     8 process hidden for ps command
> Warning: Possible LKM Trojan installed

Below is my message of the 10th of Feb.


> Hi,
> 
> > Is this an issue or is chkroot being fooled by the newer version?
> > I'm also curious about the "Checking `lkm'... You have 5 process hidden
> > for ps command" result. What's up with that?
> 
> I don't know what chkrootkit has with top, but the ps is broken I think.
> 
> Observe:
> # ./chkrootkit -x lkm
> ROOTDIR is `/'
> ###
> ### Output of: ./chkproc -v -v
> ###
> PID     4: not in ps output
> CWD     4: /
> EXE     4: /
> PID     5: not in ps output
> CWD     5: /
> EXE     5: /
> PID     6: not in ps output
> CWD     6: /
> EXE     6: /
> PID     7: not in ps output
> CWD     7: /
> EXE     7: /
> PID     8: not in ps output
> CWD     8: /
> EXE     8: /
> You have     5 process hidden for ps command# ps ax
> 
> 
> And now ps ax (not the whole thing)
>   PID TTY      STAT   TIME COMMAND
>     1 ?        S      0:04 init [5]
>     2 ?        SW     0:00 [keventd]
>     3 ?        SW     0:00 [kapmd]
>     0 ?        SWN    0:00 [ksoftirqd_CPU0]
>     0 ?        SW     0:02 [kswapd]
>     0 ?        SW     0:00 [bdflush]
>     0 ?        SW     0:00 [kupdated]
>     0 ?        SW     0:00 [kinoded]
>     9 ?        SW     0:00 [mdrecoveryd]
>    17 ?        SW<    0:00 [lvm-mpd]
>    25 ?        SW     0:01 [kjournald]
> 
> ps gives a pid of 0 for 5 processes.
> 
> So that ps version has a bug.
> 
> BB, Arjen
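
The diagnosis in the message above (chkproc reports PIDs 4 to 8 as hidden because ps prints those kernel threads with PID 0) can be checked mechanically. The following is an added example, not part of the original post or of chkrootkit; the function names are hypothetical and the sample input is the output quoted above.

```python
import re

# Constructed sample input: lines taken from the chkproc and `ps ax` output quoted above.
CHKPROC = """\
PID     4: not in ps output
PID     5: not in ps output
PID     6: not in ps output
PID     7: not in ps output
PID     8: not in ps output
"""
PS_AX = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [5]
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:02 [kswapd]
    0 ?        SW     0:00 [bdflush]
    0 ?        SW     0:00 [kupdated]
    0 ?        SW     0:00 [kinoded]
    9 ?        SW     0:00 [mdrecoveryd]
"""

def hidden_pids(chkproc_text):
    """PIDs that chkproc found in /proc but not in the ps output."""
    return sorted(int(p) for p in re.findall(r"^PID\s+(\d+): not in ps output", chkproc_text, re.M))

def ps_rows(ps_text):
    """(pid, command) for every data row of `ps ax`; the header row is skipped."""
    rows = (line.split(None, 4) for line in ps_text.splitlines())
    return [(int(r[0]), r[4]) for r in rows if len(r) == 5 and r[0].isdigit()]

def triage(chkproc_text, ps_text):
    """Match hidden PIDs one-to-one to PID-0 kernel-thread rows; return (explained, unexplained)."""
    rows = ps_rows(ps_text)
    listed = sorted(pid for pid, _ in rows if pid)
    runs, last = {}, 0                      # last real PID printed -> commands shown as PID 0
    for pid, cmd in rows:
        last = pid or last
        if not pid:
            runs.setdefault(last, []).append(cmd)
    explained, unexplained = {}, hidden_pids(chkproc_text)
    for start, cmds in runs.items():
        end = min((p for p in listed if p > start), default=float("inf"))
        in_gap = [p for p in unexplained if start < p < end]
        if len(in_gap) == len(cmds) and all(c.startswith("[") for c in cmds):
            explained.update(zip(in_gap, cmds))
            unexplained = [p for p in unexplained if p not in in_gap]
    return explained, unexplained
```

An empty second list means every chkproc finding is accounted for by a malformed ps row; any PID left in it is not explained by the ps bug and still needs investigation.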
