chkrootkit mi mette paura....

[maxithron]

Ragazzi, sono un pò nel panico ho lanciato chkrootkit sul kernel 2.6.4 ed ho ottenuto questo:

Codice:

chkrootkit
Checking `lkm'... You have     6 process hidden for readdir command
You have     6 process hidden for ps command
Warning: Possible LKM Trojan installed

Dato che alcuni dicono che sul 2.6.x non funzioni chkrootkit, mi confermate anche voi sta cosa oppure devo prendere provvedimenti?

[gurutech]

ma, il ho il 2.6.1 e non mi dice nulla di sospetto.
che versione stai utilizzando?

[Mason]

quando mi sono entrati anche io avevo dei processi nascosti oltre ad avere lun interfaccia in promiscuous mode.

secondo me e meglio indagare

[maxithron]

ho fatto la prova anche con rootkit hunter che invece non riscontra nulla.

Io invece ho notato che i 'processii' che non vede come processi da ps, erano solo:

xmms
xchat
mozilla-bin

infatti, se chiudo x e lancio chkrootkit da console, non mi trova nulla di sospetto.

Per Mason:

Proprio perchè per caso ho ritrovato un tuo post di diverso tempo fa mi son deciso ad indagare un pò per diverse ragioni.

C'è qualche altro metodo invece che non lasci alcun dubbio?

La condizione ora è che:

rootkit hunter non trova nulla
chkrootkit non trova nulla solo se non lanciato da X, o meglio, mi riconosce come sospetti solo alcuni processi relativi al mio 'user'

[PiloZ]

Max non so se può esserti d'aiuto anche perchè sono abbastanza gnorante in materia

http://www.kuht.it/modules/newbb/vie...d=2075&forum=8

prova anche te con:
"chkrootkit -x lkm"
e vedi se il codice ha quell'inghippo:

ret = atol(p);
if ( ret < 0 || ret > MAX_PROCESSES )
{
fprintf (stderr, " OooPS, not expected %d value\n", ret);
exit (2);
}

[Mason]

bah io a mio tempo notai sopratutto che il promiscuous mode entrava "da solo"

entrava ,10 min usciva, poi passavano 3 min, rientrava ecc, senza che io facessi nulla,lo avevo capito da quello, dopo mi son ritrovato una porta in piu aperta e poi ho salvato quello che dovevo salvare e ho ranzato.

forse ho sbagliato a non indagare di piu a suo tempo per cercare di identificare effetivamente il problema, ma la voglia di riservatezza prevalse quasi subito

il fatto che ti dica che non riesca a vedere dei processi e cmq strano, a me non da problemi ma dalla pagina di chkroot

Quote:

How accurate is chkproc?

If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious.

penso che cmq non dovrebbe dartelo sempre, per quanto ne so

[maxithron]

fortunatamente a me non da quel tipo di errore ma mi dice solo che:

Codice:

 chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 10842: not in readdir output
PID 10842: not in ps output
CWD 10842: /home/zabulon
EXE 10842: /usr/lib/mozilla/mozilla-bin
PID 10843: not in readdir output
PID 10843: not in ps output
CWD 10843: /home/zabulon
EXE 10843: /usr/lib/mozilla/mozilla-bin
You have     2 process hidden for readdir command
You have     2 process hidden for ps command

Ovviamente solo da X.

Invece da console, non trova nulla di sospetto ma mi chiedo:

Com'è che i processi che lui mi dice che non trova in ps io invece se dò ps -A li vedo?

per maggior sicurezza ho comunque provato anche rkhunter che dice di non trovare nulla. Posso sentirmi relativamente tranquillo oppure no?

[maxithron]

up

[lnessuno]

a me chkrootkit non trova niente...

Codice:

 
merlino:/home/lele# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/blender/.bfont.ttf /usr/lib/blender/.Blanguages
 
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have     8 process hidden for readdir command
You have     8 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
ppp0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... 3 deletion(s) between Sat Aug 23 15:09:38 2003 and Fri May 28 02:37:57 2032
6 deletion(s) between Sun Oct 26 18:29:23 2003 and Thu Jan  1 08:53:38 1970
9 deletion(s) between Thu Jan  1 08:53:38 1970 and Sun Oct 26 18:31:09 2003
2 deletion(s) between Sat Nov  8 12:30:42 2003 and Sat Nov  8 13:14:36 2003
6 deletion(s) between Sun Dec 28 16:46:13 2003 and Sun Mar 17 13:50:32 1957
4 deletion(s) between Wed Mar 10 12:12:07 2004 and Wed Mar 10 13:39:59 2004
7 deletion(s) between Sun Mar 14 13:01:24 2004 and Thu Jun  7 02:58:19 1934
1 deletion(s) between Tue Apr 13 22:11:17 2004 and Tue Apr 13 22:16:32 2004
1 deletion(s) between Tue Jan  1 19:52:13 2002 and Tue Jan  1 19:55:37 2002
nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

a parte sti x deletions... che vuol dire? :|

[maxithron]

azz..come non ti trova niente??

guarda il tuo log:

Codice:

Checking `lkm'... You have     8 process hidden for readdir command
You have     8 process hidden for ps command
Warning: Possible LKM Trojan installed

e i deletion potrebbe dire che si sono presi anche la briga di cancellare le tracce credo.

quotandolo tutto (il tuo log):

Quote:

merlino:/home/lele# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/blender/.bfont.ttf /usr/lib/blender/.Blanguages

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 8 process hidden for readdir command
You have 8 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
ppp0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... 3 deletion(s) between Sat Aug 23 15:09:38 2003 and Fri May 28 02:37:57 2032
6 deletion(s) between Sun Oct 26 18:29:23 2003 and Thu Jan 1 08:53:38 1970
9 deletion(s) between Thu Jan 1 08:53:38 1970 and Sun Oct 26 18:31:09 2003
2 deletion(s) between Sat Nov 8 12:30:42 2003 and Sat Nov 8 13:14:36 2003
6 deletion(s) between Sun Dec 28 16:46:13 2003 and Sun Mar 17 13:50:32 1957
4 deletion(s) between Wed Mar 10 12:12:07 2004 and Wed Mar 10 13:39:59 2004
7 deletion(s) between Sun Mar 14 13:01:24 2004 and Thu Jun 7 02:58:19 1934
1 deletion(s) between Tue Apr 13 22:11:17 2004 and Tue Apr 13 22:16:32 2004
1 deletion(s) between Tue Jan 1 19:52:13 2002 and Tue Jan 1 19:55:37 2002
nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

[lnessuno]

mmm vero... vabbè ma io ho 2 sessioni di X aperte, più svariati programmi... a te era solo quello e allora ho sorvolato (anzi, non l'ho visto proprio )

[maxithron]

sono ancora afflitto da questo dubbio atroce

Qualche guru nei paraggi??

[Cosmo]

Quote:

Originariamente inviato da maxithron
sono ancora afflitto da questo dubbio atroce

Qualche guru nei paraggi??

lancia chkrootkit così

./chkrootkit -x lkm

a me dà falsi positivi per Mozilla e Openoffice.
saluti


P.S. Va bene, d'accordo, la prossima volta il 3d lo leggo tutto prima di fornire consigli già dati

[NA01]

bho!
a me dà

Codice:

Searching for suspicious files and dirs, it may take a while...

seguito da milioni di file
e poi

Codice:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)

questo sembra brutto e cattivo o no?
se lancio con le opzioni di cosmo ottengo

Codice:

bash-2.05b# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###

ciao

[Cosmo]

Quote:

Originariamente inviato da NA01

questo sembra brutto e cattivo o no?

No. È il tuo client dhcp.

Quote:

se lancio con le opzioni di cosmo ottengo

Codice:

bash-2.05b# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###

ciao

Significa che hai nemmeno dei falsi positivi.
saluti

[NA01]

quindi tutto tranquillo

a chi interessasse ho trovato una sorta di guida creata dopo che hanno seccato i server di debby qualche mese fa.
cmq non la ho ancora letta

ciao

[Cosmo]

Quote:

Originariamente inviato da NA01
quindi tutto tranquillo

Direi di si.

Quote:

a chi interessasse ho trovato una sorta di guida creata dopo che hanno seccato i server di debby qualche mese fa.
cmq non la ho ancora letta

ciao

Quell'evento, imho, mi pare che sia stato caratterizzato principalmente da un aspetto specifico dell'hacking: il social engineering.
saluti


Questo è il mio cinquecentesimo messaggio

[maxithron]

ragazzi. forse non so se sono stato 'spiegato'...

Allora, se non lancio X, chkrootkit non mi segnala nulla

Se lancio X, chkrootkit non segnala nulla

Se lancio qualsiasi applicazione da X, chkrootkit me la segnala come 'sospetta'

ad es.:

mozilla-bin, anjuta, vim, nzomma, basta che da X lancio una apps e lui me la segnala come 'hidden' per readdir o per ps.

Invece, io le apps le vedo regolarmente nei processi.

Ora, se do chkrootkit -x lkm, mi segnala solo:

chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 1794: not in readdir output
PID 1794: not in ps output
CWD 1794: /home/zabulon
EXE 1794: /usr/lib/mozilla/mozilla-bin
PID 1797: not in readdir output
PID 1797: not in ps output
CWD 1797: /home/zabulon
EXE 1797: /usr/lib/mozilla/mozilla-bin
You have 2 process hidden for readdir command
You have 2 process hidden for ps command


e basta, non segnala null'altro.

Se do:

cat /proc/1762/cmdline (1762 è il PID associato al momento a mozilla)

ottengo semplicemente


/usr/lib/mozilla/mozilla-bin


in questo caso ovviamente perchè ho aperto solo mozilla come apps

ma, ripeto, se lancio da X qualsiasi altra apps me la segnala come sospetta.

[PiloZ]

maxi...secondo me qualcosa sfarfalla..mi pare strano anche a me:

root@/home/piloz>chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 1322: not in readdir output
PID 1322: not in ps output
CWD 1322: /var/lib/mysql
EXE 1322: /usr/sbin/mysqld
PID 1323: not in readdir output
PID 1323: not in ps output
CWD 1323: /var/lib/mysql
EXE 1323: /usr/sbin/mysqld
PID 1440: not in readdir output
PID 1440: not in ps output
CWD 1440: /etc/init.d
EXE 1440: /usr/bin/python2.3
PID 1441: not in readdir output
PID 1441: not in ps output
CWD 1441: /etc/init.d
EXE 1441: /usr/bin/python2.3
PID 1467: not in readdir output
PID 1467: not in ps output
CWD 1467: /etc/init.d
EXE 1467: /usr/bin/xchat
PID 1563: not in readdir output
PID 1563: not in ps output
CWD 1563: /etc/init.d
EXE 1563: /usr/lib/mozilla-firefox/firefox-bin
PID 1564: not in readdir output
PID 1564: not in ps output
CWD 1564: /etc/init.d
EXE 1564: /usr/lib/mozilla-firefox/firefox-bin
You have 7 process hidden for readdir command
You have 7 process hidden for ps command


---------------------

root@/home/piloz>chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/base-config/menu/.svn /usr/lib/j2re1.4.2_03/.systemPrefs /usr/lib/j2re1.4.2_03/.systemPrefs/.system.lock /usr/lib/j2re1.4.2_03/.systemPrefs/.systemRootModFile
/usr/lib/base-config/menu/.svn /usr/lib/j2re1.4.2_03/.systemPrefs
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 7 process hidden for readdir command
You have 7 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
lo: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

[PiloZ]

apt-cache show mozilla-firefox

........
.........
Filename: pool/main/m/mozilla-firefox/mozilla-firefox_0.8-11_i386.deb
Size: 10342540
MD5sum: 732c364e7ee5401ca5422f00a8ad9c21
..........
.........

piloz@debian:/usr/bin$ md5sum /usr/bin/mozilla-firefox
c4192499905856f5cb7933e04961c82f /usr/bin/mozilla-firefox

pensavo andasse bene anche così ma le cifre sono differenti come mai

forse perchè uno è il deb completo e uno è un bin?
va preso perforza dal sito ufficiale?