Date:      Sat, 12 Jun 2004 13:47:00 +0200
From:      lupe@lupe-christoph.de (Lupe Christoph)
To:        Peter Rosa <prosa@pro.sk>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: Hacked or not ?
Message-ID:  <20040612114700.GA1082@lupe-christoph.de>
In-Reply-To: <016301c4506e$947644e0$3501a8c0@pro.sk>
References:  <016301c4506e$947644e0$3501a8c0@pro.sk>

On Saturday, 2004-06-12 at 13:15:33 +0200, Peter Rosa wrote:

> please advise me - I was on holidays for one week. After return I found in
> security mails from router (chkrootkit) following message:
> Checking `lkm'... You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed

> It appeared only once. From previous and next days reports, the message is
> not present.

This is an artifact. chkrootkit uses two methods to look at the running
processes - ps and /proc. When a process terminates between the two
runs, you will get this. I see it at irregular intervals on all my
machines that run chkrootkit.

But if your machine is critical, running chkrootkit once daily is not
enough. This gives a cracker too much time to nest in. Run it at least
every hour.

Are you running an integrity checker like AIDE, Tripwire, etc?

> How could I be sure, the machine is not hacked ?

You can't. Not in general. chkrootkit goes only so far. Always assume
the worst. But don't panic.

HTH,
Lupe Christoph

PS: Flames that this is not a security help mailing list to /dev/null,
    please. If you want to flame me, put the energy into creating a
    freebsd-security-help mailing list instead.
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like   |
| covering yourself with barbecue sauce and breaking into the Charity    |
| Home for Badgers with Rabies.                            Michael Lucas |
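An added example, not chkrootkit's code and not part of this thread, that models the comparison Lupe describes: one snapshot of PIDs via readdir on /proc and one via ps, followed by a second pass so that a process which simply exited between the two snapshots is not reported as hidden. It assumes a Linux-style procfs mounted at /proc and a ps that accepts `-A -o pid=`.

```python
import os
import subprocess


def proc_pids():
    """PIDs according to readdir on /proc (assumes a Linux-style procfs)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs according to ps, the second vantage point being compared.
    Note that ps is itself a short-lived process: it appears in its own
    output but not in a /proc snapshot taken before it started."""
    out = subprocess.run(["ps", "-A", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(readdir_view, ps_view):
    """Single-pass comparison: PIDs one method sees and the other does not.
    A process that terminated between the two snapshots lands here as well,
    which is the artifact the mail describes."""
    return {
        "hidden_from_ps": readdir_view - ps_view,
        "hidden_from_readdir": ps_view - readdir_view,
    }


def confirm_hidden(candidates, readdir_view, ps_view):
    """Re-check pass: keep a candidate only if the discrepancy persists in a
    fresh pair of snapshots. A PID that merely exited is now absent from both
    views and drops out; one still present in /proc yet absent from ps (or
    vice versa) is a real inconsistency worth investigating by hand."""
    return {
        "hidden_from_ps": {p for p in candidates["hidden_from_ps"]
                           if p in readdir_view and p not in ps_view},
        "hidden_from_readdir": {p for p in candidates["hidden_from_readdir"]
                                if p in ps_view and p not in readdir_view},
    }


def scan():
    """Live two-pass check on this host; returns the confirmed discrepancies."""
    first = hidden_candidates(proc_pids(), ps_pids())
    if not any(first.values()):
        return first
    return confirm_hidden(first, proc_pids(), ps_pids())


if __name__ == "__main__":
    for kind, pids in scan().items():
        print(f"{kind}: {sorted(pids) or 'none'}")
```

The two pure functions can be exercised with constructed PID sets to see the transient case (reported once, then cleared) next to a persistent one (reported on both passes).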