[CLUE-Tech] Suse 9.1pro and chkrootkit
Timothy Klein
teece at silverklein.net
Tue Jul 27 00:32:00 MDT 2004
On Monday 26 July 2004 11:24 pm, j7s12b wrote:
> Hi!
> I have been using Suse 9.1pro for ~ a month now and it's
> not bad. Today I ran a fresh chkrootkit and it turned up some
> problems.
> -----------------------------------
> # ./chkrootkit
> ....
> Checking `find'... INFECTED
> Checking `top'... INFECTED
These look like a major problem. Have you tried running 'strings' on these
binaries to see if anything wonky spits out? (Assuming strings isn't
trojaned, too.) These two would make me nervous. Get your original package
sources for these programs and compare the binaries with the original (vs.
size and MD5 and strings).
> Checking `lkm'... You have 8 process hidden for readdir command
> You have 8 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)
I wouldn't worry about these, unless you have no idea why the running
processes are in memory. The new threading stuff confuses the hell out of
chkrootkit. DHCPD has to put the network card in promiscuous mode to listen
to everything on the wire.
Tim
--
== Timothy Klein || teece at silverklein.net
== Vanity Page: http://tinyurl.com/vkhp
== ----------------------------------------
== Hello_World.c: 17 Errors, 31 Warnings...
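An added example, not from Tim's post nor from chkrootkit or SUSE, showing the size-and-MD5 comparison Tim recommends for `find' and `top', written as a POSIX shell function. The two directories stand in for the extracted known-good package contents and the installed binaries; their file contents, the names GOOD/INST and list_mismatches, and the availability of md5sum, wc and mktemp are all assumptions of the demo:

```shell
#!/bin/sh
# Added example, not from the original thread or from chkrootkit/SUSE.
# Compares installed binaries against known-good copies by size and MD5,
# the check Tim suggests for `find' and `top'.
# Assumptions: md5sum, mktemp -d, wc and cut are available; the directories
# and file contents below are constructed for the demo, not real binaries.

# md5_of FILE: print only the hex digest (md5sum prints "digest  name").
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# size_of FILE: byte count with any leading whitespace stripped.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# list_mismatches GOOD_DIR INSTALLED_DIR
# For every file in GOOD_DIR, prints "<name> missing" if it is absent from
# INSTALLED_DIR, or "<name> modified <cur>/<ref> <md5cur>/<md5ref>" when the
# size or digest differs. Files that match print nothing, so empty output
# means every checked binary is byte-identical to its reference copy.
list_mismatches() {
    good="$1"
    inst="$2"
    for ref in "$good"/*; do
        name=$(basename "$ref")
        cur="$inst/$name"
        if [ ! -f "$cur" ]; then
            echo "$name missing"
            continue
        fi
        ref_size=$(size_of "$ref")
        cur_size=$(size_of "$cur")
        ref_md5=$(md5_of "$ref")
        cur_md5=$(md5_of "$cur")
        if [ "$ref_size" -ne "$cur_size" ] || [ "$ref_md5" != "$cur_md5" ]; then
            echo "$name modified $cur_size/$ref_size $cur_md5/$ref_md5"
        fi
    done
}

# Constructed demo data: a pristine "find" and a "top" with extra bytes.
DEMO=$(mktemp -d)
GOOD="$DEMO/known-good"
INST="$DEMO/installed"
mkdir -p "$GOOD" "$INST"
printf 'find: original contents\n' > "$GOOD/find"
cp "$GOOD/find" "$INST/find"
printf 'top: original contents\n' > "$GOOD/top"
printf 'top: original contents plus appended code\n' > "$INST/top"

# Report: only the tampered "top" shows up.
list_mismatches "$GOOD" "$INST"
```

On a SUSE system the packaged form of this check is `rpm -V <package>` (find the owning package with `rpm -qf /usr/bin/find`), which compares size, MD5 and permissions of each installed file against the RPM database; like the `strings` step, that is only as trustworthy as the rpm binary and its database on the possibly compromised host, which is why Tim suggests comparing against a freshly obtained copy of the original package.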