Subject: Re: [Security-Discuss] Hidden Processes - msg#00001
List: linux.mandrake.security.general
On Tue, 03 Jun 2008 14:49:32 -0400, AAW <AAW-yvxbkcIk1KXQT0dZR+AlfA@xxxxxxxxxxxxxxxx> wrote:
> /usr/lib64/chkrootkit/chkproc -v claims:
> You have You have 69 process hidden for ps command
> Should I be panicking?
Almost guaranteed to be a false alarm. I have 76.
As the processes are in /proc, you can see what they are ...
#!/bin/bash
# Show the command line of every process that chkproc -v says is missing from ps.
# Field 2 of chkproc's verbose line starts with the PID followed by other text,
# so keep only the leading digits rather than a fixed number of characters.
for Field in $(/usr/lib/chkrootkit/chkproc -v | grep "ps output" | awk '{print $2}'); do
    ProcessNum=${Field%%[!0-9]*}
    if [ -f "/proc/${ProcessNum}/cmdline" ]; then
        # cmdline separates the arguments with NUL bytes; turn them into spaces
        tr '\0' ' ' < "/proc/${ProcessNum}/cmdline"
        echo .
    fi
done
# End of script
On my system, the above script shows that the processes belong to nscd, console-kit-daemon, pulseaudio, wish (running amsn), opera. If you remove the if statement, there is one which belongs to chkrootkit itself, which is gone by the time the script gets to the point of trying to show the cmdline.
Taking one of the process numbers, 8474, it indeed does not show up in "ps -ax", yet it does show up in htop, as a thread for opera.
A google search on 'chkrootkit "false positive"' will turn up lots of hits.
Regards, Dave Hodgins
____________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to
http://store.mandriva.com
Join the Club :
http://www.mandrivaclub.com
____________________________________________________
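The reply above gives the reason for the large count: /proc has a numeric entry for every thread, but "ps -ax" lists only thread group leaders, so each extra thread of opera, pulseaudio or nscd is counted as a process "hidden for ps". The script below is an added example, not code from the original posts, that sorts chkproc's candidates for you: a thread always names its leader in the Tgid: line of its status file and is also reachable as /proc/<tgid>/task/<tid>, whereas a thread group leader (Tgid equal to Pid) that ps does not print is the case worth a closer look. The PROC_ROOT parameter, the constructed /proc tree used to exercise it, and the --live switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original posts: triage chkproc's "hidden for ps"
# count by telling threads apart from processes that ps really does not list.
#
# Every thread has its own /proc/<tid> directory, but ps -ax prints only thread
# group leaders.  A thread's status file names its leader in the Tgid: line and
# the thread is also reachable as /proc/<tgid>/task/<tid>.  A thread group
# leader (Tgid == Pid) that is absent from ps output is the real finding.
#
# PROC_ROOT is a parameter (assumption of this example) so that a constructed
# /proc tree can exercise the logic without touching the live system.

# classify_pid PROC_ROOT PID  ->  "thread <tgid> <comm>" | "HIDDEN <comm>" | "gone"
classify_pid() {
    root=$1; pid=$2
    [ -d "$root/$pid" ] || { echo "gone"; return 0; }
    tgid=$(awk '/^Tgid:/ { print $2 }' "$root/$pid/status" 2>/dev/null || true)
    if [ -z "$tgid" ]; then
        echo "gone"                  # status vanished: it exited mid-scan
        return 0
    fi
    comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
    if [ "$tgid" != "$pid" ] && [ -d "$root/$tgid/task/$pid" ]; then
        echo "thread $tgid $comm"    # a thread of a visible process: benign
    else
        echo "HIDDEN $comm"          # a group leader that ps does not show
    fi
}

# audit_hidden PROC_ROOT "PID PID ..."
#   Prints "<pid> <classification>" for every numeric entry under PROC_ROOT that
#   is not in the PID list; on the live system the list comes from "ps -eo pid=".
audit_hidden() {
    root=$1
    visible=" $(echo $2) "           # normalise newlines and padding to single spaces
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        case "$visible" in *" $pid "*) continue ;; esac
        echo "$pid $(classify_pid "$root" "$pid")"
    done
}

# Scan the live system only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    audit_hidden /proc "$(ps -eo pid=)"
fi
```

Run it as "sh hidden.sh --live" (as root, so every status file is readable); on the system described above the output would be one "thread <tgid> opera" style line per extra thread and nothing marked HIDDEN. "ps -eLo pid,lwp,comm" prints the same threads that "ps -ax" omits, which is a quick way to confirm a "thread" verdict. Note that the glob finds entries through the /proc directory listing, exactly as ps does, while chkproc itself walks the PID range directly, which is what lets it notice a process that a rootkit has filtered out of readdir; this script is a way to triage chkproc's list, not a replacement for it.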
Thread at a glance:
Previous Message by Date:
[Security-Discuss] Hidden Processes
chkrootkit is reporting:
Checking `lkm'... You have chkproc: Warning: Possible LKM Trojan installed
/usr/lib64/chkrootkit/chkproc -v claims:
You have You have 69 process hidden for ps command
I've booted to my fallback install (2008.1, never connected to the internet) and checked the installation (chkrootkit, rkhunter, checked md5sum of ps and other important binaries against "rpm -qp --dump"). Everything looks OK.
I see a similar question by Dick Gevers on 2008-02-20 but no responses. I've also seen some google research that some distros modify ps to hide processes; redhat was the only one specifically mentioned.
Should I be panicking?
Thanks,
Arn
Next Message by Date:
Re: [Security-Discuss] Hidden Processes
On Tuesday, June 3, 2008 3:14 pm David W. Hodgins wrote:
> Almost guaranteed to be a false alarm. I have 76.
> As the processes are in /proc, you can see what they are ...
That's what I thought -- or I'd have reformatted and reinstalled _before_ asking the question. ;-) Appreciate the information.
Thanks,
Arn