SDB:The chkrootkit Program Reports "Infected" Programs



Version: SUSE LINUX 9.1

Symptom

On a newly installed SUSE LINUX 9.1 system, the chkrootkit program wrongly reports programs as "INFECTED", among them ps and top.

Cause

Since kernel series 2.6.x, a process with several threads is shown under a single PID (process ID): only the thread group leader appears as an entry in /proc, and its threads are listed beneath it in /proc/<PID>/task/. This is a change from kernel series 2.4.x, where every thread had its own PID and its own /proc entry. chkrootkit lists /proc (the equivalent of an ls), compares the result with the output of ps and top, and does not take the changed kernel behaviour into account, so the discrepancy it finds is reported as an "intruder".

Background information

On the one hand, because of the way chkrootkit performs this test, its report does not reflect the actual state of the system, for the reason given above.
On the other hand, ps obtains its process list with the same getdents (get directory entries) system call on /proc that ls, or the shell with "echo *" in /proc, uses, so ps cannot show anything that a plain directory listing does not also show.
Further details are in the getdents manual page (man 2 getdents).

A comparison of this kind cannot reveal a kernel backdoor either: such a backdoor removes the entry for its process from /proc, and since ls, ps and top all read the same directory, ps would show nothing as well.
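The behaviour described under Cause and Background information can be reproduced directly. The following Python script is an added example; it is not part of this article, of chkrootkit or of SUSE. It starts a few threads, lists /proc with the same readdir/getdents call that ls and ps use, and then probes every PID with kill(pid, 0) in the manner of a chkproc-style hidden-process check (a simplified re-implementation of that idea, not chkrootkit's code). On a 2.6 or later kernel the threads are absent from the /proc listing and appear only under /proc/<PID>/task/, yet they answer the probe, which is exactly the discrepancy that gets reported as hidden processes. The script assumes Linux with /proc mounted and Python 3.8 or newer (threading.get_native_id); the probe range is bounded by the highest PID or thread ID currently visible, a choice made here to keep the run short.

```python
"""Reproduce the chkrootkit 'hidden process' false positive on a 2.6+ kernel.

Added example, not code from the SDB article, chkrootkit or SUSE.
Assumes Linux with /proc mounted and Python 3.8+ (threading.get_native_id).
"""
import os
import threading
import time


def proc_pids():
    """PIDs visible to a readdir/getdents on /proc: what ls, ps and top see."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_pids(upper):
    """chkproc-style brute force: kill(pid, 0) for every pid up to `upper`.

    Hypothetical re-implementation of the idea, not chkrootkit's own code.
    ESRCH means no such task; EPERM means it exists but belongs to someone else.
    """
    found = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def task_ids(pid):
    """Thread IDs of one process as a 2.6+ kernel exposes them in /proc."""
    return {int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit()}


def spawn_threads(n, stop):
    """Start n threads that park on `stop`; return them and their kernel TIDs."""
    tids = []

    def body():
        tids.append(threading.get_native_id())
        stop.wait()

    threads = [threading.Thread(target=body, daemon=True) for _ in range(n)]
    for t in threads:
        t.start()
    while len(tids) < n:          # wait until every thread has recorded its TID
        time.sleep(0.01)
    return threads, set(tids)


def hidden_pid_report(n_threads=4):
    """Run the comparison on this process and return what each check found."""
    stop = threading.Event()
    threads, tids = spawn_threads(n_threads, stop)
    try:
        me = os.getpid()
        listed = proc_pids()                     # the ls / ps / top view
        probed = probe_pids(max(listed | tids))  # the chkproc view
        hidden = probed - listed                 # what chkproc would flag
        return {
            "pid": me,
            "thread_ids": tids,
            # the process itself shows up once; its threads are not listed
            "self_listed_once": me in listed and not (tids & listed),
            # the threads are where the 2.6 kernel puts them
            "threads_in_task_dir": tids <= task_ids(me),
            # ...and every one of them answers kill(tid, 0), so it is "hidden"
            "threads_reported_hidden": tids <= hidden,
            "hidden": hidden,
        }
    finally:
        stop.set()
        for t in threads:
            t.join()


if __name__ == "__main__":
    r = hidden_pid_report()
    print(f"pid {r['pid']} listed once in /proc: {r['self_listed_once']}")
    print(f"threads {sorted(r['thread_ids'])} under /proc/{r['pid']}/task: "
          f"{r['threads_in_task_dir']}")
    print(f"those threads flagged as hidden by the probe: "
          f"{r['threads_reported_hidden']}")
    print(f"{len(r['hidden'])} 'hidden' task IDs on this machine in total")
```

Run it as an ordinary user: PIDs belonging to other users return EPERM rather than ESRCH from kill(), so they are counted as existing, not as hidden. The hidden set normally also contains the thread IDs of every other multithreaded process on the machine, which is the same discrepancy the article describes. Note that a listing via os.listdir and a listing via ps would never differ, because both end in the same getdents call on /proc.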

Note:

Alternatively, use rkhunter; it does not exhibit this problem.

Links:

ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

http://www.rootkit.nl/projects/rootkit_hunter.html

Keywords: chkrootkit, ps, top, proc, kernel, processes, infected, trojan