Old 08-16-2008, 12:17 PM
Wackojacko

chkrootkit hidden processes possible LKM Trojan.

Hi all

I realise there has been some discussion recently over the merits or
otherwise of chkrootkit, but the last two days it is warning of hidden
processes (ps and readdir).


After googling a little further I see this has been a problem in the
past but was unable to find any recent examples.


However, using

#chkrootkit -x lkm

and

#chkproc -v -v

and comparing these to the output of ps and ls /proc I have determined
that there are processes which do not show up on /proc or ps but I am
still able to


#cd /proc/PID

for these processes and then

#cat cmdline

to find out what service is hidden.

The results suggest that icedove-bin and nepomukerserver are the main
culprits, but I want to know why!!


I do not have any services running on external ports as I am behind a
netgear router and have confirmed this via various external port scan
sites. I do run smb, imap (dovecot), postfix, cups and apt-cacher
(perl) locally for my internal network.


Am I really rooted? Anyone else seeing something similar?

TIA

Wackojacko


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org



From: François Patte <francois.patte@math-info.univ-paris5.fr>
Date: Sat, 16 Aug 2008 13:28:30 +0200
To: For users of Fedora <fedora-list@redhat.com>
Subject: Re: printer advice
Gene Heskett wrote:

On Thursday 14 August 2008, François Patte wrote:

Hello,

I need a printer and I found two laser printers available where I am
living now:

Brother HL-2032
Samsung ML-1630/SEE


I cannot testify about the samsung, but Brother has what I would call
excellent linux support, but you will need to get the correct set of ppd
files from their web page. If this printer isn't there, there is an email
link to their support on the web page,


Thanks for your answer but I found some problems with the brother web page: I
did not find this HL-2032 printer and if I want to contact them, they
require the reference of the printer ... which is not in the menu list....

So, I can't send an email to enquire about a brother printer that I can
buy but which is not listed on the web site of the manufacturer...

I must miss something, or I did not find the right web page.

--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tel. +33 (0)1 44 55 35 61
http://www.math-info.univ-paris5.fr/~patte

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 08-16-2008, 12:44 PM
Ron Johnson

chkrootkit hidden processes possible LKM Trojan.

On 08/16/08 06:17, Wackojacko wrote:


Is this your personal workstation?

How is it connected to the Intarweb? Directly, or behind a NATing
firewalling router?


If directly, how many services do you have listening to ports? Get
a friend to nmap you.


If this is your PC, and you are behind a hardware firewall, I seriously
doubt that you are compromised.


--
Ron Johnson, Jr.
Jefferson LA USA

"Do not bite at the bait of pleasure till you know there is no
hook beneath it." -- Thomas Jefferson


 
Old 08-16-2008, 01:02 PM
Wackojacko

chkrootkit hidden processes possible LKM Trojan.

Ron Johnson wrote:


Hi Ron

Yeah this is my thinking. It is my personal workstation and I only have
the services I listed above listening on the local network. I am
behind a Netgear Router and external port scans show zilch!


Forgot to mention I am running Sid AMD64 with homerolled 2.6.25 Kernel.
Rkhunter shows nothing, but that means nothing if the system is
compromised.


I suppose the next question is why are these services hiding from me?

Thanks again

Wackojacko


 
Old 08-19-2008, 10:27 AM
Adam Hardy

chkrootkit hidden processes possible LKM Trojan.

Wackojacko on 16/08/08 13:02, wrote:


Another big question for me in this sort of situation is, what program can I use
to determine whether I really am rooted or not?


Seems to me that any program running on the suspect server can just be
overridden by the rootkit or hacker, so programs and scripts launched from
crontab would be relatively untrustworthy.


After chkrootkit emailed me a result saying 'PORT INFECTED: 2881' I see
significantly more hidden processes, but nothing ever turns out to be
definitively rooted - so I'm trying to establish a definitive security structure
before I reformat and reinstall.


(Plus I am monitoring the ports with ntop to see if there's anything suspicious
going on).


Regards
Adam


 
Old 08-20-2008, 10:50 AM
Adam Hardy

chkrootkit hidden processes possible LKM Trojan.

Wackojacko on 16/08/08 13:02, wrote:


Wacko,
you haven't got a script that does that have you? (Identifying the process that
is hidden from /proc/PID?) Seems a bit laborious doing it manually more than once.



Adam


 
Old 08-21-2008, 08:32 PM
Wackojacko

chkrootkit hidden processes possible LKM Trojan.

Adam Hardy wrote:

However, using

#chkrootkit -x lkm

and

#/usr/lib/chkrootkit/chkproc -v -v


Wacko,
you haven't got a script that does that have you? (Identifying the
process that is hidden from /proc/PID?) Seems a bit laborious doing it
manually more than once.



Adam


As per my original mail above, these two commands will show you the
hidden processes.


First one asks chkrootkit why it thinks there is an LKM Trojan on the
system.


Second one is the helper script run by chkrootkit that lists the hidden
processes but can be run directly.


I am still seeing output from these commands, but the daily chkrootkit
email warning of LKM Trojan has now disappeared!!


HTH

Wackojacko


 
Old 08-22-2008, 10:17 AM
Adam Hardy

chkrootkit hidden processes possible LKM Trojan.

Wackojacko on 21/08/08 20:32, wrote:


Thanks for the low-down on chkrootkit.

That's the same behaviour from chkrootkit that I am seeing too. In my case the
hidden processes are all java, children of the process that is listed by ps.


It reminds me of an old bug with java and linux where ps would show multiple
processes for the java process. I doubt it's related to this issue but it makes
me suspect a bug.


Regards
Adam


 
