[CLUE-Tech] Suse 9.1pro and chkrootkit

Nate Duehr nate at natetech.com
Tue Jul 27 03:52:28 MDT 2004


On Monday 26 July 2004 23:24, j7s12b wrote:
> Hi!
> I have been using Suse 9.1pro for ~ a month now and it's
> not bad. Today I ran a fresh chkrootkit and it turned up some
> problems.
> -----------------------------------
> # ./chkrootkit
> ....
> Checking `find'... INFECTED
> Checking `top'... INFECTED

I have the same thing on a SuSE 9.1 that's probably not infected.  (It's the 
laptop, has always lived on "internal" networks and has no ports other than 
the bare minimum necessary open to do work on it.)

> Checking `lkm'... You have     8 process hidden for readdir command
> You have     8 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)

I only have 6 processes hidden, but...

>
> Running the command # ./chkrootkit -x lkm  provides this info
> (I edited the output for brevity.)
>
> ROOTDIR is `/'
> ###
> ### Output of: ./chkproc -v -v
> ###
> EXE  6167: /usr/sbin/nscd
> EXE  6168: /usr/sbin/nscd
> EXE  6169: /usr/sbin/nscd
> EXE  6170: /usr/sbin/nscd
> EXE  6171: /usr/sbin/nscd
> EXE  7082: /opt/kde3/bin/suseplugger

I don't have the two mozilla lines below because mozilla's not running right 
now.

> EXE 31421: /opt/mozilla/lib/mozilla-bin
> EXE 31424: /opt/mozilla/lib/mozilla-bin


> I'm still not convinced that the system is OK or rooted and I may
> just reinstall anyhoo but would anyone with Suse9.1 care to verify
> this on their end? (http://www.chkrootkit.org/)

I think you're "okay".  This machine I'm testing on isn't a 100% pristine load 
of SuSE at this point, but it's only been loaded a couple of months and only 
used on three internal networks since then -- only one of which I would have 
considered "untrusted" and that was the network at DeVry North at the last 
CLUE meeting.  ;-) 

Looks like you have the same false positives I do, if that sets your mind at 
ease.

--
Nate Duehr, nate at natetech.com
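The `lkm` check the two posters are comparing is chkrootkit's `chkproc` helper. It works by probing every PID in range with syscalls such as kill(2) and getsid(2), which answer for any task the kernel knows about, and then flagging the ones that are missing from a readdir of /proc ("hidden for readdir") or from `ps` output ("hidden for ps"). On a 2.6 kernel with NPTL, every thread of a multi-threaded program has its own task ID that answers those syscalls but is only listed under /proc/PID/task/, not at the top of /proc, so five `nscd` threads and a couple of Mozilla threads look exactly like hidden processes. The script below is an added example written for this thread, not chkrootkit's own code: it repeats the probe-versus-readdir comparison and then reads Tgid from /proc/<tid>/status to separate thread IDs whose group leader is visible (the false positive) from IDs that really have no visible owner. The `MAX_PID` value, the constructed PID numbers in the test data and the `classify()` helper are assumptions for illustration.

```python
"""Re-implementation of chkproc's hidden-PID heuristic with a thread filter.
Added example for the chkrootkit false-positive discussion; not chkrootkit code.
Run as root on Linux to scan the live system, or call classify() on your own data.
"""
import os
import subprocess

# Assumed upper bound; the real limit is in /proc/sys/kernel/pid_max.
MAX_PID = 32768


def probe_pids(max_pid=MAX_PID):
    """Return every PID/TID the kernel admits exists.

    kill(pid, 0) and getsid(pid) succeed (or fail with EPERM rather than ESRCH)
    for any live task, including threads that readdir on /proc never lists.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
            continue
        except ProcessLookupError:
            pass
        except PermissionError:      # exists but belongs to another user
            alive.add(pid)
            continue
        try:                         # second probe, as chkproc does
            os.getsid(pid)
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def readdir_pids():
    """PIDs visible to a plain readdir of /proc (what ls and ps rely on)."""
    return {int(d) for d in os.listdir('/proc') if d.isdigit()}


def ps_pids():
    """PIDs reported by ps(1); uses only the POSIX -e and -o pid= options."""
    out = subprocess.run(['ps', '-e', '-o', 'pid='],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tgid_of(pid):
    """Thread-group leader from /proc/<pid>/status.

    /proc/<tid>/ resolves by path even when the directory listing omits it,
    which is also why chkproc -v -v can print the exe link for a 'hidden' ID.
    Returns None if the status file cannot be read.
    """
    try:
        with open(f'/proc/{pid}/status') as f:
            for line in f:
                if line.startswith('Tgid:'):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def classify(alive, listed, tgid):
    """Split probe-only IDs into NPTL threads and genuinely unexplained IDs.

    alive  -- set of IDs that answered the syscall probes
    listed -- set of IDs shown by readdir / ps
    tgid   -- callable pid -> thread group id, or None if unknown
    Returns (threads, suspicious). An ID is a benign thread only when its
    group leader is itself visible; anything else stays suspicious, including
    IDs whose status file a rootkit has made unreadable.
    """
    threads, suspicious = set(), set()
    for pid in sorted(alive - listed):
        leader = tgid(pid)
        if leader is not None and leader != pid and leader in listed:
            threads.add(pid)
        else:
            suspicious.add(pid)
    return threads, suspicious


def scan_live():
    """Run the comparison against the running system; returns (threads, suspicious)."""
    alive = probe_pids()
    visible = readdir_pids() | ps_pids()
    return classify(alive, visible, tgid_of)


if __name__ == '__main__':
    threads, suspicious = scan_live()
    print(f'{len(threads)} probe-only IDs are threads of visible processes')
    for pid in sorted(suspicious):
        print(f'unexplained: {pid} -> {tgid_of(pid)}')
```

Run it twice and intersect the `suspicious` sets before worrying: a process that exits between the probe loop and the readdir shows up once as an ID with no readable status file, which this heuristic cannot distinguish from a hidden task. The filter only removes the thread false positive; it does not make the check stronger against a module that hooks both the syscalls and the /proc listing, which chkproc's method never claimed to catch.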
