[CLUE-Tech] Suse 9.1pro and chkrootkit

j7s12b j7s12b at comcast.net
Mon Jul 26 23:24:27 MDT 2004


Hi!
I have been using Suse 9.1pro for ~ a month now and it's
not bad. Today I ran a fresh chkrootkit and it turned up some 
problems.
-----------------------------------
# ./chkrootkit
....
Checking `find'... INFECTED
Checking `top'... INFECTED
.....
Checking `lkm'... You have     8 process hidden for readdir command
You have     8 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)

Running the command # ./chkrootkit -x lkm provides this info
(I edited the output for brevity.)

ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
EXE  6167: /usr/sbin/nscd
EXE  6168: /usr/sbin/nscd
EXE  6169: /usr/sbin/nscd
EXE  6170: /usr/sbin/nscd
EXE  6171: /usr/sbin/nscd
EXE  7082: /opt/kde3/bin/suseplugger
EXE 31421: /opt/mozilla/lib/mozilla-bin
EXE 31424: /opt/mozilla/lib/mozilla-bin

You have     8 process hidden for readdir command
You have     8 process hidden for ps command
----------------------------------
I spent most of the day researching and poking at the box
but there are reports that Suse turns up false positives like this.
I also ran rkhunter and kern_check.c.  
rkhunter didn't turn up anything interesting and I don't quite
understand the output of kern_check yet but it did not issue
any warnings.

I'm still not convinced that the system is OK or rooted and I may
just reinstall anyhoo but would anyone with Suse9.1 care to verify
this on their end? (http://www.chkrootkit.org/)

thanks
J.
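A defender's cross-check for the chkproc warning quoted above, added here as an example that is not part of the original post nor of chkrootkit: it repeats chkproc's comparison of reachable /proc/<pid> entries against the pids that readdir lists, then reads the Tgid field of /proc/<pid>/status to tell threads of a listed daemon (the thread false positive chkrootkit is known for on 2.6 kernels with NPTL, which fits the consecutive nscd and mozilla-bin pids) from a pid with no listed thread-group leader. The status texts, the pids 6166, 31420 and 4242, and the klogd entry are constructed.

```python
import os
import re

TGID_RE = re.compile(r"^Tgid:\s+(\d+)", re.M)

def classify(pid, status_text, listed_pids):
    """Classify one reachable /proc/<pid> as 'visible', 'thread' or 'hidden'.

    chkproc calls a pid hidden when /proc/<pid> opens but neither ps nor
    readdir(/proc) lists it. An NPTL thread looks exactly like that, but its
    Tgid names a thread-group leader that is itself listed.
    """
    if pid in listed_pids:
        return "visible"
    m = TGID_RE.search(status_text)
    tgid = int(m.group(1)) if m else pid
    if tgid != pid and tgid in listed_pids:
        return "thread"
    return "hidden"  # no listed leader: treat as a possible LKM hide

def triage(status_by_pid, listed_pids):
    """Map every reachable pid to its verdict."""
    return {pid: classify(pid, txt, listed_pids) for pid, txt in status_by_pid.items()}

def live_triage(max_pid=65536):
    """Probe the real /proc the way chkproc does (Linux only)."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    reachable = {}
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                reachable[pid] = f.read()
        except OSError:
            continue
    return triage(reachable, listed)

# Constructed sample: nscd and mozilla-bin threads under listed leaders, plus
# one reachable pid with no listed leader, the shape a genuine hide would have.
SAMPLE_STATUS = {
    6166: "Name:\tnscd\nTgid:\t6166\nPid:\t6166\n",
    6167: "Name:\tnscd\nTgid:\t6166\nPid:\t6167\n",
    6168: "Name:\tnscd\nTgid:\t6166\nPid:\t6168\n",
    31421: "Name:\tmozilla-bin\nTgid:\t31420\nPid:\t31421\n",
    4242: "Name:\tklogd\nTgid:\t4242\nPid:\t4242\n",
}
SAMPLE_LISTED = {1, 6166, 31420}

if __name__ == "__main__":
    for pid, verdict in sorted(triage(SAMPLE_STATUS, SAMPLE_LISTED).items()):
        print(pid, verdict)
```

Only the "hidden" verdicts need a closer look; a real hide also leaves other traces (a module the rootkit had to load, mismatched binaries such as the find and top hits), so compare with rkhunter's output rather than trusting one tool.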
