[CLUE-Tech] Suse 9.1pro and chkrootkit
Nate Duehr
nate at natetech.com
Tue Jul 27 03:52:28 MDT 2004
On Monday 26 July 2004 23:24, j7s12b wrote:
> Hi!
> I have been using Suse 9.1pro for ~ a month now and it's
> not bad. Today I ran a fresh chkrootkit and it turned up some
> problems.
> -----------------------------------
> # ./chkrootkit
> ....
> Checking `find'... INFECTED
> Checking `top'... INFECTED
I have the same thing on a SuSE 9.1 that's probably not infected. (It's the
laptop, has always lived on "internal" networks and has no ports other than
the bare minimum necessary open to do work on it.)
> Checking `lkm'... You have 8 process hidden for readdir command
> You have 8 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)
I only have 6 processes hidden, but...
>
> Running the command # ./chkrootkit -x lkm provides this info
> (I edited the output for brevity.)
>
> ROOTDIR is `/'
> ###
> ### Output of: ./chkproc -v -v
> ###
> EXE 6167: /usr/sbin/nscd
> EXE 6168: /usr/sbin/nscd
> EXE 6169: /usr/sbin/nscd
> EXE 6170: /usr/sbin/nscd
> EXE 6171: /usr/sbin/nscd
> EXE 7082: /opt/kde3/bin/suseplugger
I don't have the two mozilla lines below because mozilla's not running right
now.
> EXE 31421: /opt/mozilla/lib/mozilla-bin
> EXE 31424: /opt/mozilla/lib/mozilla-bin
> I'm still not convinced that the system is OK or rooted and I may
> just reinstall anyhoo but would anyone with Suse 9.1 care to verify
> this on their end? (http://www.chkrootkit.org/)
I think you're "okay". This machine I'm testing on isn't a 100% pristine load
of SuSE at this point, but it's only been loaded a couple of months and only
used on three internal networks since then -- only one of which I would have
considered "untrusted" and that was the network at DeVry North at the last
CLUE meeting. ;-)
Looks like you have the same false positives I do, if that sets your mind at
ease.
--
Nate Duehr, nate at natetech.com
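The check below is an added example (not part of this thread and not chkrootkit's own code) that reproduces the core of the chkproc "hidden for readdir" test and then triages each hit: a PID whose /proc/<pid> directory exists but which readdir(/proc) does not list is either a thread of a process that is listed (the kernel lists only thread-group leaders, and multithreaded daemons such as nscd therefore produce several such entries) or something with no such explanation that deserves a closer look. It assumes the Tgid: line of /proc/<pid>/status and the exe symlink; the sample /proc data, including PID 4242 and its placeholder executable, is constructed.

```python
import os

# Constructed sample standing in for a live /proc (not taken from the post):
# an nscd leader with five threads, a suseplugger, a mozilla leader with one
# thread, and one PID (4242) that is its own leader yet absent from readdir.
SAMPLE_LISTED = {1, 6166, 7082, 31421}
SAMPLE_TGID = {6167: 6166, 6168: 6166, 6169: 6166, 6170: 6166, 6171: 6166,
               31424: 31421, 4242: 4242}
SAMPLE_EXE = {6166: "/usr/sbin/nscd", 7082: "/opt/kde3/bin/suseplugger",
              31421: "/opt/mozilla/lib/mozilla-bin",
              4242: "UNKNOWN-EXE (constructed placeholder)"}


def numeric_entries(entries):
    """PIDs from a readdir() of /proc: only the all-digit directory names."""
    return {int(name) for name in entries if name.isdigit()}


def probe_hidden(listed, pid_exists, max_pid):
    """chkproc-style probe: every PID whose /proc/<pid> directory exists but
    which readdir(/proc) did not list counts as 'hidden for readdir'."""
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in listed and pid_exists(pid))


def tgid_from_status(status_text):
    """Thread-group id from the 'Tgid:' line of /proc/<pid>/status, else None."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def triage(hidden, listed, status_of, exe_of):
    """Split hidden PIDs into threads of a listed process (benign) and entries
    with no such explanation (worth investigating by hand)."""
    threads, unexplained = [], []
    for pid in hidden:
        tgid = tgid_from_status(status_of(pid))
        if tgid is not None and tgid != pid and tgid in listed:
            threads.append((pid, tgid, exe_of(tgid)))
        else:
            unexplained.append((pid, exe_of(pid)))
    return threads, unexplained


def sample_check():
    """Probe and triage the constructed sample above (no /proc needed)."""
    exists = lambda pid: pid in SAMPLE_LISTED or pid in SAMPLE_TGID
    status = lambda pid: f"Name:\tx\nTgid:\t{SAMPLE_TGID.get(pid, pid)}\nPid:\t{pid}\n"
    exe = lambda pid: SAMPLE_EXE.get(pid, "?")
    hidden = probe_hidden(SAMPLE_LISTED, exists, 40000)
    return hidden, triage(hidden, SAMPLE_LISTED, status, exe)


def live_check(max_pid=None):
    """Same logic against the running kernel's /proc (Linux only)."""
    listed = numeric_entries(os.listdir("/proc"))
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())

    def exists(pid):
        return os.path.isdir(f"/proc/{pid}")

    def status(pid):
        try:
            with open(f"/proc/{pid}/status") as f:
                return f.read()
        except OSError:
            return ""

    def exe(pid):
        try:
            return os.readlink(f"/proc/{pid}/exe")
        except OSError:
            return "?"

    hidden = probe_hidden(listed, exists, max_pid)
    return hidden, triage(hidden, listed, status, exe)


if __name__ == "__main__":
    hidden, (threads, unexplained) = live_check()
    print(f"{len(hidden)} PIDs hidden from readdir; "
          f"{len(threads)} are threads of listed processes")
    for pid, exe in unexplained:
        print(f"EXE {pid}: {exe}  <- not a thread of any listed process")
```

On the sample data the probe reports seven hidden PIDs, six of which triage as threads of nscd or mozilla-bin and one of which stays unexplained; run as root on a real box it prints the same EXE-style lines chkproc does, but only for entries that are not threads. The live probe walks every PID up to pid_max, so on a kernel with a large pid_max it takes a while; pass a smaller max_pid to shorten it.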