Date: Tue, 13 May 2003 20:47:21 +1000
From: Greg Lane <greg.lane@internode.on.net>
To: freebsd-questions@freebsd.org
Subject: chkrootkit: LKM trojan(?) and strange cron behaviour
Message-ID: <20030513104721.GA24990@localhost.bigpond.net.au>
Hi all,

I run stable (built from March 9 sources) on a cheapo machine that routes my DSL connection (natd) and acts as a file server for my home network. The only ports open on the outside interface are 22 and port 80 (the latter is actually forwarded to apache running in a jail). I run a fairly restrictive firewall as well.

I just noticed today that mail had stopped coming and after some investigations I realised that cron wasn't doing anything (so fetchmail wasn't running). I traced the time to May 12 between 5 and 6am. I was logged in to home from work at the time (doing a night shift looking after an experiment) but I don't remember doing anything abnormal that night that might have caused this. A cron process was present so I just killed and restarted it and so far things look normal again.

Nevertheless, I went further investigating and found an interesting message from chkrootkit at 3am May 10 (2 days before):

    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

That was the only abnormal message that night and everything was normal before this (for at least a month) and for the next two nights till cron died (I run chkrootkit from cron just before 3am each night). I just ran chkrootkit again and it reports nothing. I am building static executables on another stable machine at the moment so that I can run chkrootkit with known executables.

My feeling is that cron was wedged in some fashion and this has nothing to do with the strange chkrootkit result. But it concerns me a little. My questions are:

Has anyone ever had cron stuck in this fashion?

Has anyone ever seen this message from chkrootkit before and determined it was a false alarm? (Note that I am running stable and this is not the known problems with chkrootkit and current.)

Would you be concerned?!?!?

Cheers,
Greg
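The chkrootkit `lkm` check behind the message quoted above compares three views of the process table: PIDs the kernel admits exist when probed directly, PIDs returned by readdir on /proc, and PIDs printed by ps. A PID present in the first view but missing from the others is reported as hidden. The following is an added example in that spirit, written for this post and not chkrootkit's own code; it also shows the check a defender wants before treating a single hit as a rootkit: re-probe the candidate, because a short-lived process (a cron child, for instance) that exits between the two enumerations produces exactly one "1 process hidden" line and then never reappears. The pid range and the `ps -A -o pid=` invocation are assumptions; /proc is optional since it is not mounted by default on FreeBSD.

```python
"""Hidden-process check in the spirit of chkrootkit's chkproc.

Added example, not chkrootkit's own code. Three enumerations of the process
table are taken and compared; candidates are re-probed to filter out
processes that merely exited between enumerations.
"""
import os
import subprocess
import time

FALLBACK_MAX_PID = 99999  # assumption: probe range when pid_max is unknown


def max_pid():
    """Read the kernel pid ceiling where exposed (Linux); else fall back."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return FALLBACK_MAX_PID


def probe_pids(limit=None):
    """PIDs that exist according to kill(pid, 0).

    ProcessLookupError means no such process; PermissionError means the
    process exists but belongs to someone else, which still counts as alive.
    """
    alive = set()
    for pid in range(1, (limit or max_pid()) + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def proc_pids():
    """PIDs visible through readdir on /proc; empty if /proc is not mounted."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as reported by ps (assumed POSIX invocation: ps -A -o pid=)."""
    out = subprocess.run(["ps", "-A", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(probed, listed, ignore=frozenset()):
    """Pure comparison: PIDs the kernel confirms but a listing omits."""
    return {p for p in probed - listed if p not in ignore}


def confirm_hidden(candidates, lister, rounds=3, delay=0.2):
    """Re-probe each candidate a few times before calling it hidden.

    A candidate that stops answering kill(pid, 0) simply exited (a race with
    the enumeration, not concealment); one that the listing now includes was
    caught mid-creation. Only a PID that stays alive and stays unlisted
    across every round is returned.
    """
    confirmed = set()
    for pid in candidates:
        still_hidden = True
        for _ in range(rounds):
            time.sleep(delay)
            try:
                os.kill(pid, 0)
            except ProcessLookupError:
                still_hidden = False
                break
            except PermissionError:
                pass
            if pid in lister():
                still_hidden = False
                break
        if still_hidden:
            confirmed.add(pid)
    return confirmed


def run_check():
    """Return {'readdir': set, 'ps': set} of confirmed hidden PIDs."""
    probed = probe_pids()
    me = {os.getpid()}
    result = {}
    if os.path.isdir("/proc"):
        result["readdir"] = confirm_hidden(
            hidden_pids(probed, proc_pids(), ignore=me), proc_pids)
    result["ps"] = confirm_hidden(hidden_pids(probed, ps_pids(), ignore=me), ps_pids)
    return result


if __name__ == "__main__":
    for view, pids in run_check().items():
        print(f"{len(pids)} process(es) hidden for {view} command: {sorted(pids)}")
```

The comparison itself is kept in `hidden_pids` as a pure function so the logic can be tested on constructed PID sets without a live system; `confirm_hidden` is what separates a transient process from one that is actually being concealed, which is the distinction a single 3am chkrootkit line cannot make on its own.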