
| Subject: | Re: False positive of chkrootkit or hacked? |
|---|---|
| Date: | Fri, 22 Apr 2005 07:47:49 +0200 |
Looks like it is really a false positive. chkproc is not 100% accurate for high-usage servers.

Now a request for you :) You said you use tripwire; do you use any log analysis tool? I'm developing a tool called "OSSEC HIDS" (not available yet), which came from the OsAudit (www.ossec.net/osaudit/) plus an integrity checker and context-based analysis. Are you interested in helping by sending log samples? I'm trying to gather data from a very ample set of systems to be able to create very accurate rules and have a lot of data to test. If you can send some parts of your /var/log/messages, /var/log/secure or any other log file that you have, it would be great :) If you can send the whole file, it would be much better (if they are bigger, I can provide an sftp server to send it)...

*Any log sent will only be used for testing. After that they will be deleted. You can also modify them (changing IP addresses, etc.)
Daniel, Thanks for your answer. I'll think about that (not enough time at the moment). All, thanks for the offlist answers and the hints that this was not the appropriate list (sorry for that, I see it now). joe [nothing new below]
thanks,

-- Daniel B. Cid, CISSP daniel.cid @ ( at ) gmail.com

--- John Doe <security.department@tele2.ch> wrote:

Hi all (I think it's not a chkrootkit-specific question... sorry if I see this wrong)

This morning I noticed the following warnings of chkrootkit 0.44 in mails sent by cron:

at 2005-4-14, 2005-4-15 and 2005-4-17:
You have 5 process hidden for readdir command
You have 5 process hidden for ps command
Warning: Possible LKM Trojan installed

and at 2005-4-16:
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Months before as well as until today, no such warnings.

== I think - but am not sure, thus my question to this list - these are false positives, and I'd like to know your opinion about that.

== I have the following reasons to think of false positives:

[+] http://www.chkrootkit.org/faq/, 6.: "If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious."
[++] I run a _static_ kernel (gentoo 2.4.28-hardened-r5)
[++] I install patches on a daily basis (with some exceptions when absent) after tests on a local test box, so the system should be current
[+] no shell/ssh/... access by others
[+] It's a server with a small amount of software/services (a)
    127.0.0.1:3306 (mysql)
    127.0.0.1:110
    127.0.0.1:9999 (backend apache)
    [ip1]:80 (frontend apache) [3]
    127.0.0.1:8082 (backend apache)
    127.0.0.1:8083 (backend apache)
    [ip1]:53 ("hidden" bind9) [1]
    127.0.0.1:53
    127.0.0.1:8888 (backend apache)
    127.0.0.1:953
    [ip1]:25 (postfix, public)
    127.0.0.1:25
    [ip2]:443
    [ip1]:[highport] (ssh2) [2]
    [1] accessible only from slave DNSs (by config/firewall)
    [2] no ip restrictions, only pubkeyauth
    [3] serving "only" a mod_perl app (via backend) and static pages; no php, cgi etc.
[++] cron restarts, just before running chkrootkit, an apache mod_perl application which takes, when heavily used, several seconds to restart. At the time of the chkrootkit warnings, it was actually heavily used during the day. Additionally, there are 5 apache backend processes started (coincidence with the 5 hidden processes mentioned by chkrootkit)

== On the other side,
[-] tripwire runs, but... *shameonme*
[-] all services on a single server, including firewall, due to budget

== Any comments on the probability of being hacked (and others, of course) are very appreciated, thanks in advance! joe
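The chkproc comparison quoted from the FAQ above, as an added example (not chkrootkit's code): a second reading separates PIDs that merely came or went between the ps and /proc readings, as the apache restart in this thread would cause, from a PID that stays hidden in both. proc_pids() and ps_pids() assume Linux procfs and a ps that accepts -eo pid=.

```python
"""Added example: chkproc-style ps vs /proc comparison with a re-check that
discards race-induced false positives. Not chkrootkit's own code; the live
helpers assume Linux with /proc mounted and a ps that accepts -eo pid=."""
import os
import subprocess


def proc_pids():
    """PIDs visible as numeric directories in /proc (what readdir sees)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs reported by ps; chkproc flags /proc entries that ps does not list."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(proc, ps):
    """chkproc-style result: present in /proc but absent from the ps output."""
    return proc - ps


def confirmed_hidden(candidates, proc_again, ps_again):
    """Keep a candidate only if a later reading still shows it in /proc and
    still absent from ps. A PID that has since disappeared was a short-lived
    process (created or killed between the readings); a PID hidden in both
    readings is what a process hidden from ps would look like and deserves
    a closer look."""
    return {p for p in candidates if p in proc_again and p not in ps_again}


def check(first, second):
    """first/second: (proc_set, ps_set) readings taken in sequence.
    Returns (candidates from the first reading, PIDs hidden in both)."""
    cand = hidden_candidates(*first)
    return cand, confirmed_hidden(cand, *second)


if __name__ == "__main__":
    # Live run on a Linux host: take two readings so transient PIDs drop out.
    cand, hidden = check((proc_pids(), ps_pids()), (proc_pids(), ps_pids()))
    print(f"candidates: {sorted(cand)}  persistent: {sorted(hidden)}")
```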