Test with Chkrootkit
Michael Schwendt
fedora at wir-sind-cool.org
Sun Jul 25 17:09:02 UTC 2004
On Sun, 25 Jul 2004 12:14:46 -0400, Scot L. Harris wrote:
> On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> > I got the following indicators:
> >
> > ls INFECTED
> > 22 process hidden for readdir command
> > 22 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > The number of hidden command changes.
> >
> > Thanks for your input.
> >
>
> chkrootkit reports 11 hidden processes on my laptop. But that number
> may vary depending on what you are running.
>
> Of more concern is the ls INFECTED output in your partial report.
> See if you can get a good copy of ls and compare the byte size, md5sum
> and permissions on it. Below is what my system reports.
>
> -rwxr-xr-x 1 root root 80688 May 4 12:26 /bin/ls
>
> md5sum /bin/ls
> d319011a3eb49338fe333753b0cfd7bc /bin/ls
>
> You need to track that down asap to figure out what that is.
>
> It has been a while but I ran through the exercise to examine what
> processes were hidden. I want to say it was the ones in []'s when you
> do a ps -eaf but I don't know if I remember that correctly.
>
> I am sure someone here will set me straight on this. :)
With chkrootkit comes a tool called "chkproc". Run it with option -v
and examine the listed processes via their hidden directories below
/proc, e.g.
# cd /usr/lib/chkrootkit-0.43
# ./chkproc -v
4348 is a Linux Thread, marking as such...
# cd /proc/4348
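The check chkproc performs, written out as an added example that is not part of the thread above and not chkrootkit's own code: probe /proc/<id> directly for every id up to a limit, compare what answers against the readdir listing of /proc and against ps, and discard thread ids first, since a thread is reachable as /proc/<tid> but is not listed by readdir, which is exactly the "is a Linux Thread" case chkproc prints. The PID limit (32768 by default), the procps-style `ps -e -o pid=` syntax and the shape of /proc/<pid>/status are assumptions about the host.

```shell
#!/bin/sh
# Added example (not from the original thread, not chkrootkit code):
# a chkproc-style hidden-process check with the thread false positive
# filtered out.  Assumes a Linux /proc and a procps-compatible ps.

# Pure set difference on whitespace-separated PID lists:
# prints every entry of $1 that does not occur in $2.
missing_from() {
    set2=" $(printf '%s' "$2" | tr '\n\t' '  ') "
    for p in $1; do
        case "$set2" in
            *" $p "*) ;;                 # reported: nothing to say
            *) printf '%s\n' "$p" ;;     # present but not reported
        esac
    done
}

# True when /proc/<id> belongs to a thread rather than a thread-group
# leader.  readdir(/proc) lists only leaders, yet stat() answers for any
# thread id, so without this filter every thread looks "hidden".
is_thread() {
    tgid=$(awk '/^Tgid:/ {print $2}' "/proc/$1/status" 2>/dev/null)
    [ -n "$tgid" ] && [ "$tgid" != "$1" ]
}

# Probe ids 1..$1 directly (as chkproc does) and report any id that
# exists in /proc but is absent from readdir or from ps output.
find_hidden() {
    max=${1:-32768}                      # assumed default; pass pid_max if larger
    listed=$(ls /proc | grep -E '^[0-9]+$')
    reported=$(ps -e -o pid= | tr -d ' ')
    probed=""
    i=1
    while [ "$i" -le "$max" ]; do
        if [ -d "/proc/$i" ] && ! is_thread "$i"; then
            probed="$probed $i"
        fi
        i=$((i + 1))
    done
    for p in $(missing_from "$probed" "$listed"); do
        printf '%s process hidden for readdir\n' "$p"
    done
    for p in $(missing_from "$probed" "$reported"); do
        printf '%s process hidden for ps\n' "$p"
    done
}

# Usage: sh hidden-procs.sh [max_pid]   (runs nothing when called with no argument)
if [ $# -gt 0 ]; then
    find_hidden "$1"
fi
```

Two caveats when reading the output: a process that exits between the /proc probe and the ps call shows up once as "hidden for ps", so rerun a few times and only chase ids that appear in every run; and a "hidden for readdir" hit on a non-thread id, or an ls that no longer matches what the package manager installed (on Fedora, `rpm -Vf /bin/ls`), is the finding worth taking to an offline examination of the disk.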