Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[suse-security] chkroot claims top infected
From: dh (mesamoocomcast.net)
Date: Sun Feb 01 2004 - 17:17:56 CST
I brought up this issue on the SuSE English List (SLE) and it was
suggested that I should pass my information along to this list.
What follows is a cut and past of the thread from SLE...
I just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
Checking `top'... INFECTED
Checking `lkm'... You have 5 process hidden for ps command
I found these commands were in an rpm updated w/ synaptic recently,
ps_2003.11.17-18_i586.rpm. The file can be found at
top's size is 81.5kb and has a modified date of 2004-01-20
top: procps version 3.1.14
As further investigation I installed the previous rpm
(ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again, this
time no errors were reported. Then reinstalled the rpm from the apt
repository and the errors appear again.
I know this doesn't mean that I haven't been rooted but it really points
a finger at the ps_2003.11.17-18_i586.rpm from
(the apt archive)
If so anyone using apt for their upgrades should be concerned about
Continuing my investigation I booted up my test machine w/ SuSE 9.0
ran checkrootkit and it showed all clean. Then I used synaptic and
updated ps (ps_2003.11.17-18_i586.rpm) and nothing else
then I ran chkroot again and the errors are there.
Anders Johansson wrote (from 3 separate messages):
chkrootkit is reacting to the string /prof in top. That string isn't in
the src.rpm, but it is in the binary. That alone is very suspicious. It
does look like kraxel's binaries are infected. I wonder what other
niceties are in the binaries in the apt repo
The suspicious ps package is identical on suse.com and on gwdg.de, so it
seems that if something has been compromised it's on suse.com.
The problem is in the "top" in the ps package from /pub/people/kraxel
The top binary in that contains the string "/prof", which chkrootkit
as a sign of an infected binary
That string isn't in the src.rpm from kraxel's directory, and if you
rebuild the rpm from that src.rpm you also won't see that string.
And finally a long quote from Ivan Sergio Borgonovo :
I've done all these things
Installed ps through apt
Installed ps from DVD
Compiled and installed ps from ftp.suse.com
Installed chkrootkit from source
Installed chkrootkit from apt
and the result ranged from no infected packages, no modules loaded to,
top or/and ps infected and hidden modules etc...
I doubt that just substituting 2 binaries I can "unload" trojan
I gave a look at the sources of chkrootkit and discovered which binary
was checking for "hidden" modules.
I discovered it has an option -v and got this output
stige:~ # chkproc -v
PID 3: not in ps output
PID 4: not in ps output
PID 5: not in ps output
PID 6: not in ps output
You have 4 process hidden for ps command
then I did...
// edited to fit in email
stige:~ # ps aux
USER PID VSZ RSS TTY STAT START TIME COMMAND
root 1 620 256 ? S 22:00 0:04 init 
root 2 0 0 ? SW 22:00 0:00 [keventd]
root 0 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]
root 0 0 0 ? SW 22:00 0:00 [kswapd]
root 0 0 0 ? SW 22:00 0:00 [bdflush]
root 0 0 0 ? SW 22:00 0:00 [kupdated]
root 8 0 0 ? SW 22:00 0:00 [khubd]
root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]
/proc/3 is actually ksoftirqd_CPU0
/proc/4 is kswapd
... bdflush, kupdated
out of panic mode: reasonable???
So there you have it. I would love to post back to the SLE and apt4SuSE
lists that this is a non-issue but if there really is a problem then I
am sure that the great minds on this list will be able to help.
Thanks for your time and I do apologize if I've broken any etiquette, I
just don't have time to read the whole FAQ, or search the archives
right now .
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here