From owner-freebsd-questions@FreeBSD.ORG Tue May 13 03:47:26 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C41E937B401 for ; Tue, 13 May 2003 03:47:26 -0700 (PDT)
Received: from smtp0.adl1.internode.on.net (smtp0.adl1.internode.on.net [203.16.214.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 886DE43F3F for ; Tue, 13 May 2003 03:47:25 -0700 (PDT) (envelope-from greg.lane@internode.on.net)
Received: from router.lane.family (ppp61.act.padsl.internode.on.net [150.101.200.60]) h4DAlNsu077883 for ; Tue, 13 May 2003 20:17:24 +0930 (CST)
Received: from router.lane.family (localhost.lane.family [127.0.0.1]) by router.lane.family (8.12.8/8.12.8) with ESMTP id h4DAlMQa025203 for ; Tue, 13 May 2003 20:47:22 +1000 (EST) (envelope-from glane@router.lane.family)
Received: (from glane@localhost) by router.lane.family (8.12.8/8.12.8/Submit) id h4DAlM5O025202 for freebsd-questions@freebsd.org; Tue, 13 May 2003 20:47:22 +1000 (EST)
Date: Tue, 13 May 2003 20:47:21 +1000
From: Greg Lane
To: freebsd-questions@freebsd.org
Message-ID: <20030513104721.GA24990@localhost.bigpond.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: chkrootkit: LKM trojan(?) and strange cron behaviour
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: greg.lane@internode.on.net
List-Id: User questions
X-List-Received-Date: Tue, 13 May 2003 10:47:27 -0000

Hi all,

I run stable (built from March 9 sources) on a cheapo machine that routes my DSL connection (natd) and acts as a file server for my home network. The only ports open on the outside interface are 22 and port 80 (the latter is actually forwarded to apache running in a jail). I run a fairly restrictive firewall as well.

I just noticed today that mail had stopped coming and after some investigations I realised that cron wasn't doing anything (so fetchmail wasn't running). I traced the time to May 12 between 5 and 6am. I was logged in to home from work at the time (doing a night shift looking after an experiment) but I don't remember doing anything abnormal that night that might have caused this. A cron process was present so I just killed and restarted it and so far things look normal again.

Nevertheless, I went further investigating and found an interesting message from chkrootkit at 3am May 10 (2 days before):

    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

That was the only abnormal message that night and everything was normal before this (for at least a month) and for the next two nights till cron died (I run chkrootkit from cron just before 3am each night). I just ran chkrootkit again and it reports nothing. I am building static executables on another stable machine at the moment so that I can run chkrootkit with known executables.

My feeling is that cron was wedged in some fashion and this has nothing to do with the strange chkrootkit result. But it concerns me a little.

My questions are:

Has anyone ever had cron stuck in this fashion?

Has anyone ever seen this message from chkrootkit before and determined it was a false alarm? (Note that I am running stable and this is not the known problems with chkrootkit and current.)

Would you be concerned?!?!?

Cheers,
Greg
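The "process hidden for readdir/ps" warning quoted above comes from a cross-view check: the process list obtained by reading the /proc directory is compared with the list reported by ps, and any PID present in one view but not the other is flagged. The following Python is an added illustration of that comparison and is not chkrootkit's code or anything from the original post. The `ps -ax` text and the /proc directory entries are constructed sample data; the check assumes procfs is mounted so that /proc can be read. The `persistent_hidden` function goes one step past the single comparison: it takes several samples a moment apart and only reports PIDs that are hidden in every sample, which filters out the common one-off false alarm where a short-lived process starts or exits between the two enumerations.

```python
"""Cross-view process comparison (the idea behind chkrootkit's
"process hidden for readdir / ps command" warning).

Added example with constructed sample data, not code from chkrootkit
or from the mailing-list post. The helper names are hypothetical.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample of `ps -ax` output (not captured from any real host).
SAMPLE_PS = """\
  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:00.01 (swapper)
    1  ??  ILs    0:00.03 /sbin/init --
  123  ??  Is     0:00.10 /usr/sbin/cron
  456  ??  Ss     0:01.20 /usr/sbin/sshd
  789  p0  S      0:00.05 -bash
"""

# Constructed sample of a readdir() over a mounted /proc. procfs also exposes
# non-PID entries such as "curproc", which must be ignored. PID 1337 is the
# constructed "hidden" process: visible to readdir, absent from ps.
SAMPLE_PROC_READDIR = ["0", "1", "123", "456", "789", "curproc", "1337"]


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse the PID column of `ps -ax` text; the first line is the header."""
    pids: Set[int] = set()
    for line in ps_output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_readdir(entries: Iterable[str]) -> Set[int]:
    """Keep only purely numeric /proc entries; those are process directories."""
    return {int(e) for e in entries if e.isdigit()}


def cross_view_diff(ps_pids: Set[int], proc_pids: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (hidden from readdir, hidden from ps).

    A PID that ps reports but /proc does not is "hidden for readdir";
    a PID that /proc lists but ps omits is "hidden for ps". Either
    discrepancy is what a hooked syscall or doctored ps would produce,
    but a process that exited between the two reads looks the same.
    """
    return ps_pids - proc_pids, proc_pids - ps_pids


def persistent_hidden(samples: List[Tuple[Set[int], Set[int]]]) -> Set[int]:
    """PIDs hidden from ps in *every* (ps_pids, proc_pids) sample.

    Taking two or three samples a moment apart and intersecting the
    results removes the transient mismatch caused by process churn,
    while a process that is being hidden stays hidden across samples.
    """
    hidden_per_sample = [proc - ps for ps, proc in samples]
    if not hidden_per_sample:
        return set()
    return set.intersection(*hidden_per_sample)


def single_check() -> Tuple[Set[int], Set[int]]:
    """One-shot comparison over the constructed sample data."""
    return cross_view_diff(pids_from_ps(SAMPLE_PS),
                           pids_from_readdir(SAMPLE_PROC_READDIR))


if __name__ == "__main__":
    hidden_readdir, hidden_ps = single_check()
    print("hidden for readdir:", sorted(hidden_readdir))
    print("hidden for ps:     ", sorted(hidden_ps))
```

On a live system the two views would be gathered by running `ps -ax` and listing /proc; the constructed data stands in for both here. The design point is the multi-sample intersection: a single cross-view mismatch is weak evidence on its own, and a warning that appears once and never recurs (as in the post) is consistent with a process that lived only between the two enumerations, whereas a kernel-level hider produces the same hidden PID every time.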