SDB:The chkrootkit Program Reports "Infected" Programs
Version: 9.1
Symptom
On a newly installed SUSE LINUX 9.1 system, the chkrootkit program erroneously reports "infected" programs, including ps and top.
Cause
Since the 2.6.x kernel series, a process with multiple threads is listed under a single PID (process ID) only. This is a change from the 2.4.x series, where each thread had its own PID. chkrootkit runs an ls on /proc, compares the result with the output of ps and top, and, because it does not take the kernel's changed behavior into account, reports an "intruder".
Background information
On the one hand, because of the way chkrootkit performs this check, its result does not reflect the actual state of the system, for the reasons given above.
On the other hand, ps itself also issues a getdents (get directory entries) call on /proc, which is essentially the same as what ls or the shell's "echo *" does.
Further information is available in the getdents manual page.
A test of this kind cannot detect a kernel backdoor either: such a backdoor would make the entry in /proc disappear, so ps would likewise show nothing.
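To make the comparison concrete, the following shell script is an added example (not part of this SDB entry and not chkrootkit's own code). It reproduces the readdir-versus-ps comparison and additionally lists the thread IDs found under /proc/<pid>/task, which the 2.6 kernel does not include in a directory listing of /proc. It assumes a Linux system with /proc mounted and a procps-style ps.

```sh
#!/bin/sh
# Added example: mirror the check chkrootkit performs and show the thread effect.

# pids_not_in: print each PID of the first list that is missing from the second.
# Both arguments are whitespace-separated PID lists.
pids_not_in() {
  for p in $1; do
    case " $2 " in
      *" $p "*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# proc_pids: numeric entries a directory listing of /proc returns
# (this is what "ls /proc" or "echo *" in /proc sees).
proc_pids() {
  for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done
}

# ps_pids: PIDs as reported by ps, which also reads /proc via getdents.
ps_pids() {
  ps -eo pid= 2>/dev/null | tr -d ' '
}

# thread_ids: thread IDs of every process, taken from /proc/<pid>/task.
# Since kernel 2.6 these do not appear in a listing of /proc itself.
thread_ids() {
  for t in /proc/[0-9]*/task/[0-9]*; do printf '%s\n' "${t##*/}"; done
}

# report: the chkrootkit-style comparison, plus the harmless thread difference.
report() {
  procs=$(proc_pids); shown=$(ps_pids)
  echo "Listed in /proc but not shown by ps:";  pids_not_in "$procs" "$shown"
  echo "Shown by ps but not listed in /proc:";  pids_not_in "$shown" "$procs"
  echo "Thread IDs not listed in /proc (expected on 2.6, not an intruder):"
  pids_not_in "$(thread_ids)" "$procs"
}

if [ "${1-}" = "run" ]; then report; fi
```

On a healthy 2.6-or-later system the first two lists are empty and only the third contains entries, one per additional thread.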
Note:
Alternatively, you can use rkhunter, which does not exhibit this problem.
Links:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
http://www.rootkit.nl/projects/rootkit_hunter.html