
chkrootkit detects hidden processes in mozilla-firefox and xmms


Rick Luddy

Mar 2, 2004, 3:30:09 PM
I'm not entirely sure whether this is normal behavior, a symptom of possible
badness, or simple user error. I'm a bit worried it might mean my system
has been compromised. Any help or explanation would be greatly appreciated.


When I run chkrootkit (0.43-1), I get nothing unusual other than the
lines:

Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed

When I investigate further by running chkproc -v -v I get:

PID 4118: not in readdir output
PID 4118: not in ps output
CWD 4118: /home/rick
EXE 4118: /usr/lib/mozilla-firefox/firefox-bin
PID 4120: not in readdir output
PID 4120: not in ps output
CWD 4120: /home/rick
EXE 4120: /usr/lib/mozilla-firefox/firefox-bin
PID 4128: not in readdir output
PID 4128: not in ps output
CWD 4128: /home/rick
EXE 4128: /usr/bin/xmms
PID 4129: not in readdir output
PID 4129: not in ps output
CWD 4129: /home/rick
EXE 4129: /usr/bin/xmms
You have 4 process hidden for readdir command
You have 4 process hidden for ps command

I'm using xmms 1.2.10-1, mozilla-firefox 0.8-3, and chkrootkit 0.43-1,
all gotten from ftp.us.debian.org through apt-get. If I exit firefox and
xmms, chkrootkit doesn't have a problem any longer, so I don't think it's
another program pretending to have a false name.

--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Shaul Karl

Mar 2, 2004, 8:10:09 PM


You might be interested in http://bugs.debian.org/222179. I wonder if
there is a process with a pid of {4125,4126,4127} that has tasks with a
pid of 4128 and 4129.
--
"If you have an apple and I have an apple and we exchange apples then
you and I will still each have one apple. But if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw (sent by shaulk @ actcom . net . il)

Rick Luddy

Mar 2, 2004, 8:30:10 PM
> I'm not entirely sure whether this is normal behavior, a
> symptom of possible badness, or simple user error. I'm a bit
> worried it might mean my system has been compromised. Any help
> or explanation would be greatly appreciated.

> You might be interested in http://bugs.debian.org/222179. I wonder if
> there is a process with a pid of {4125,4126,4127} that has tasks with a
> pid of 4128 and 4129.

Thanks, that turns out to be the case. Checking now I see all of the
"hidden" processes under /proc/N/task of the related process.

I had known about the [now-fixed, I think] bug in chkrootkit where it
thought ksoftirqd and a few other kernel things were suspicious, but
I didn't know about it getting confused by user things.

My blood pressure is down a lot now, thanks again!
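Added example, not code from this thread or from chkrootkit: a small Python re-implementation of chkproc's readdir-versus-ps comparison that additionally checks whether each "hidden" PID is really a thread listed under /proc/<leader>/task, which is the false positive Rick hit. The `ps -eo pid=` invocation and the PID sweep cap are assumptions of this example; the sample PIDs in the test are constructed from the numbers in the thread.

```python
import os
import subprocess

def classify_hidden(candidates, readdir_pids, ps_pids, task_map):
    """Replay chkproc's test, then separate NPTL threads from truly hidden PIDs.

    candidates   -- every PID that answers when /proc/<n> is probed directly
    readdir_pids -- PIDs returned by listing /proc (what 'readdir' sees)
    ps_pids      -- PIDs reported by ps
    task_map     -- {pid: set of TIDs found under /proc/<pid>/task}
    Returns (threads, hidden): threads maps TID -> thread-group leader,
    hidden is the sorted list of PIDs that no listed process accounts for.
    """
    threads, hidden = {}, []
    for pid in sorted(candidates):
        if pid in readdir_pids and pid in ps_pids:
            continue                       # visible to both tools: not a hit
        # A hit that is a task of a *different* process the kernel does list
        # is a thread of that process, exactly the firefox/xmms case above.
        leader = next((p for p, tids in task_map.items()
                       if p != pid and pid in tids and p in readdir_pids), None)
        if leader is None:
            hidden.append(pid)             # unaccounted for: worth a real look
        else:
            threads[pid] = leader
    return threads, hidden

def scan_proc(sweep_limit=65536):
    """Collect the inputs from a live Linux /proc. chkproc sweeps every PID up
    to pid_max; the sweep_limit cap is an assumption made here for speed."""
    readdir_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    ps_pids = {int(tok) for tok in ps_out.split()}
    task_map = {}
    for pid in readdir_pids:
        try:
            task_map[pid] = {int(t) for t in os.listdir(f"/proc/{pid}/task")}
        except OSError:
            pass                           # process exited during the scan
    # Threads are reachable as /proc/<tid> even though readdir omits them.
    candidates = {n for n in range(1, sweep_limit) if os.path.isdir(f"/proc/{n}")}
    return classify_hidden(candidates, readdir_pids, ps_pids, task_map)

if __name__ == "__main__":
    threads, hidden = scan_proc()
    for tid, leader in sorted(threads.items()):
        print(f"TID {tid}: thread of PID {leader} (not hidden)")
    for pid in hidden:
        print(f"PID {pid}: not in readdir or ps output and not a known task")
```

A PID that readdir lists but ps does not is still reported as hidden, since that is the pattern a trojaned ps would produce.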

Paul Johnson

Mar 3, 2004, 3:10:05 AM

On Tue, Mar 02, 2004 at 01:37:32PM -0500, Rick Luddy wrote:

> I'm not entirely sure whether this is normal behavior, a symptom of possible
> badness, or simple user error.

This message is user error. Read the archives and search the web
first. Had you read the archives, you would have found that your
question has been asked again and again. Had you searched the web,
you would have found the bug listing on bugs.debian.org about it.

--
.''`. Paul Johnson <ba...@ursine.ca>
: :' :
`. `'` proud Debian admin and user
`- Debian. Because it *must* work.
