SuSE 9.1 / chkrootkit finds 'top' and 'find'

Hi, 

recently I did a fresh install of SuSE 9.1 Prof.

Today I ran a chkrootkit using the Knoppix 3.4 CD 
(provided by magazine c't 4/2004).

chkrootkit thinks that these files are infected:
  - top
  - find
No other issues are found.

top is contained in procps-3.2.1-4, find in findutils-4.1.7-860.

On the running SuSE 9.1 system I did 
  rpm -V procps-3.2.1-4
  rpm -V findutils-4.1.7-860
and did not find any problems.

Now I am confused. Please advise what I can / should do.

Thanks for your help.

Manfred

Manfred
6/20/2004 12:19:28 PM
comp.os.linux.security

Manfred Schneider wrote:
> 
> Today I ran a chkrootkit using the Knoppix 3.4 CD 
> (provided by magazine c't 4/2004).
> 
> chkrootkit thinks that these files are infected:
>   - top
>   - find
> No other issues are found.
> 
> top is contained in procps-3.2.1-4, find in findutils-4.1.7-860.
> 
> On the running SuSE 9.1 system I did 
>   rpm -V procps-3.2.1-4
>   rpm -V findutils-4.1.7-860
> and did not find any problems.
> 
> Now I am confused. Please advise what I can / should do.


It's been a while since I used a system with RPMs, so no flames.
I may have this wrong, but I think this will verify the procps 
package.

rpm -V procps |grep '^..5'>/tmp/verify

And look through /tmp/verify for files that have been changed.


-- 
Confucius:  He who play in root, eventually kill tree.
Registered with The Linux Counter.  http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.26 SMP i686 (GCC) 3.3.4
Uptime:5 days, 19:55, 3 users, load average: 1.00, 1.01, 1.02
David
6/20/2004 12:35:49 PM
Hi,

>rpm -V procps |grep '^..5'>/tmp/verify

thanks for the hints. Actually this is what I have done already and
found no issues. I just did an additional rpm -V against the original
packages at ftp.suse.com and also found no issues.

Regards, 

Manfred

Manfred
6/20/2004 12:47:14 PM
Manfred Schneider wrote:

> Hi,
> 
> recently I did a fresh install of SuSE 9.1 Prof.
> 
> Today I ran a chkrootkit using the Knoppix 3.4 CD
> (provided by magazine c't 4/2004).
> 
> chkrootkit thinks that these files are infected:
>   - top
>   - find
> No other issues are found.
> 

Boot from a rescue CDROM or floppy disk set and make copies of top and find.
If you would send these to me, then I would be happy to check whether they
are trojaned or whether chkrootkit is giving you a false positive.

Do not attempt to send or copy these files while booted off a read-write
operating system where you can't be sure of its integrity.

Thanks

Giles
Giles
6/20/2004 1:49:34 PM
Manfred Schneider wrote:
> 
> thanks for the hints. Actually this is what I have done already and
> found no issues. I just did an additional rpm -V against the original
> packages at ftp.suse.com and also found no issues.

Ok you might try this to see if there is a difference between the 
file in the package and the file on your hard drive.

mkdir /some/junk/dir
cp procps-x.x.x.rpm /some/junk/dir
cd /some/junk/dir
rpm2cpio procps-x.x.x.rpm | cpio -idm
md5sum /some/junk/dir/usr/bin/top
md5sum /path/to/system/top

(cpio needs -d to create the usr/bin directory the payload puts top in.)

If they're different then you may have problems. Be sure to use a 
clean RPM package as well as the same version to do this. It 
would probably be a good idea to boot with KNOPPIX or some other 
live CD to do this.

-- 
Confucius:  He who play in root, eventually kill tree.
Registered with The Linux Counter.  http://counter.li.org/
Slackware 9.1.0 Kernel 2.4.26 SMP i686 (GCC) 3.3.4
Uptime:5 days, 21:15, 2 users, load average: 1.07, 1.02, 1.00
David
6/20/2004 2:06:34 PM
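The two checks suggested in David's replies above (keeping only the rpm -V
entries whose MD5 column changed, and unpacking a clean RPM with rpm2cpio to
compare checksums against the installed binaries), written out as one added
example. This is not code from the thread or from SuSE. It assumes rpm2cpio,
cpio and md5sum are on the PATH of the live CD, that the suspect SuSE root is
mounted read-only at /mnt/suse (an assumed path), and that top and find sit at
usr/bin/top and usr/bin/find inside the procps and findutils payloads. The
comparison deliberately uses digests of files unpacked from a pristine package
rather than the digests in the suspect disk's rpm database, since that database
lives on the filesystem being checked.

```shell
#!/bin/sh
# Added example, not from the thread.  Two helpers for the checks discussed:
#  1. md5_changed_from_verify: filter 'rpm -V' output to files whose MD5 digest
#     no longer matches the rpm database (plus files reported missing).
#  2. unpack_rpm + compare_tree: unpack a clean RPM payload into a scratch
#     directory and compare the unpacked files, by md5sum, with the same
#     relative paths under a mounted, not running, root filesystem.
# Assumptions: rpm2cpio, cpio, md5sum on PATH; suspect root mounted read-only
# at /mnt/suse (assumed path); package files at usr/bin/top, usr/bin/find.

# rpm -V prints one line per changed file: an attribute string (S=size,
# M=mode, 5=MD5 digest, D=device, L=link, U=user, G=group, T=mtime) in which
# a '5' in column 3 means the contents changed, optionally a 'c' or 'd'
# marker, then the path.  Missing files are reported as 'missing  <path>'.
# Reads rpm -V output from stdin, prints only the paths worth looking at.
md5_changed_from_verify() {
    awk 'substr($1,3,1) == "5" || $1 == "missing" { print $NF }'
}

# Unpack an RPM payload into a scratch directory without installing it.
# -d creates the leading directories (usr/bin/...), -m keeps mtimes.
unpack_rpm() {
    rpm="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    ( cd "$dest" && rpm2cpio "$rpm" | cpio -idm --quiet )
}

# MD5 of one file, or the word MISSING if it does not exist.
file_md5() {
    [ -f "$1" ] || { echo MISSING; return; }
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"    # BSD/macOS name for the same tool
    fi
}

# compare_tree REFDIR ROOTDIR relpath...
# For each relative path (e.g. usr/bin/top) compare the unpacked reference
# file with the file under the suspect root.  Prints one line per file:
# SAME, DIFFER, MISSING (absent on the suspect root) or NOT-IN-PACKAGE
# (present on the root but not in the RPM).  Returns 1 if any file is not SAME.
compare_tree() {
    refdir="$1"; rootdir="$2"; shift 2
    rc=0
    for rel in "$@"; do
        ref=$(file_md5 "$refdir/$rel")
        sus=$(file_md5 "$rootdir/$rel")
        if [ "$sus" = MISSING ]; then
            echo "MISSING $rel"; rc=1
        elif [ "$ref" = MISSING ]; then
            echo "NOT-IN-PACKAGE $rel"; rc=1
        elif [ "$ref" = "$sus" ]; then
            echo "SAME    $rel"
        else
            echo "DIFFER  $rel (installed $sus, package $ref)"; rc=1
        fi
    done
    return $rc
}

# Typical use from the live CD (paths and package file names are assumptions):
#   unpack_rpm /media/dvd/suse/i586/procps-3.2.1-4.i586.rpm /tmp/ref &&
#   unpack_rpm /media/dvd/suse/i586/findutils-4.1.7-860.i586.rpm /tmp/ref &&
#   compare_tree /tmp/ref /mnt/suse usr/bin/top usr/bin/find
# and, on the running system, to see which verify failures are content changes:
#   rpm -V procps findutils | md5_changed_from_verify
```

A DIFFER line means the installed binary really does not match the package;
a SAME line for both binaries, with the package taken from the original DVD
or ftp.suse.com rather than from the suspect disk, is the evidence that the
chkrootkit report is a false positive.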
Hi,

thanks for the hints. I will try them out.

In the meantime I was curious whether a fresh install shows the same
results. 

I did a complete fresh install from the original SuSE 9.1 DVD to a
newly formatted partition and installed a minimal system. 

I did not configure the network and did not do a YOU upgrade. I just
installed a new copy of 9.1 without booting any other system. So the
new system is "as delivered".

Then I booted the Knoppix CD again and ran chkrootkit. And I was
very surprised: chkrootkit found the same two issues on the newly
installed 9.1 system as on my running 9.1 system.

What is going on here? How can chkrootkit think that 'top' and 'find'
are possibly infected? Or is this a SuSE issue?

Thanks for your help.

Manfred

Manfred
6/20/2004 3:07:49 PM
On 2004-06-20, Giles Coochey <giles@coochey.net> wrote:
> Boot from a rescue CDROM or floppy disk set and make copies of top and
> find.  If you would send these to me, then I would be happy to check
> whether they are trojaned or whether chkrootkit is giving you a false
> positive.

I happen to have a freshly-installed SuSE 9.1 under VMWare.  I booted from a
Knoppix ISO image, and checked the SuSE installation, and sure enough,
chkrootkit claims that top and find are infected.

-- 
--Tim Smith
Tim
6/22/2004 7:06:28 AM
On 2004-06-22, Tim Smith <reply_in_group@mouse-potato.com> wrote:
> On 2004-06-20, Giles Coochey <giles@coochey.net> wrote:
> I happen to have a freshly-installed SuSE 9.1 under VMWare.  I booted from a
> Knoppix ISO image, and checked the SuSE installation, and sure enough,
> chkrootkit claims that top and find are infected.

I rebuilt find from source, and that too shows up as infected.


-- 
--Tim Smith
Tim
6/22/2004 7:20:18 AM
Manfred Schneider <manfred@manfred-schneider.de> wrote:
> Today I ran a chkrootkit using the Knoppix 3.4 CD 
> (provided by magazine c't 4/2004).
> 
> chkrootkit thinks that these files are infected:
>  - top
>  - find
> No other issues are found.

There might also be a report of an LKM. 

Googling around mentions more systems that have this. It's a bit annoying,
but nothing to worry about.

Roeland
6/22/2004 8:53:03 PM