chkrootkit: LKM trojan(?) and strange cron behaviour
greg.lane at internode.on.net
Tue May 13 03:47:27 PDT 2003
I run stable (built from march 9 sources) on a cheapo machine that routes
my DSL connection (natd) and acts as a file server for my home network.
The only ports open on the outside interface are 22 and port 80 (the
latter is actually forwarded to apache running in a jail). I run a
fairly restrictive firewall as well.
I just noticed today that mail had stopped coming and after some
investigations I realised that cron wasn't doing anything (so fetchmail
wasn't running). I traced the time to May 12 between 5 and 6am.
I was logged in to home from work at the time (doing a night
shift looking after an experiment) but I don't remember doing anything
abnormal that night that might have caused this.
A cron process was present so I just killed and restarted it and so
far things look normal again. Nevertheless, I went further
investigating and found an interesting message from chkrootkit
at 3 am May 10 (2 days before):
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
That was the only abnormal message that night and everything was
normal before this (for at least a month) and for the next two
nights till cron died (I run chkrootkit from cron just before
3am each night).
I just ran chkrootkit again and it reports nothing. I am building
static executables on another stable machine at the moment so that
I can run chkrootkit with known executables.
My feeling is that cron was wedged in some fashion and this has nothing
to do with the strange chkrootkit result. But it concerns me a little.
My questions are:
Has anyone ever had cron stuck in this fashion?
Has anyone ever seen this message from chkrootkit before and
determined it was a false alarm? (Note that I am running stable
and this is not the known problems with chkrootkit and current.)
Would you be concerned?!?!?
More information about the freebsd-questions