# RootKit paranoia

## Pajarico

Just did a 'rkhunter -c' and this came up:

 *Quote:*   

> System checks
> 
> * Allround tests
> 
>    Checking hostname... Found. Hostname is localhost
> ...

 

I am not that sure what that means. Help appreciated.

 :Wink: 

----------

## moocha

It means /etc/passwd has been altered since the last time you ran rkhunter.

That may mean you've added some user accounts, an ebuild has added some accounts for use with some installed software, or indeed your system may have been compromised. If that is the only warning though, the most likely culprit is an ebuild.

You should really read the rkhunter documentation if you intend to use it, otherwise it's completely pointless - you'll either miss some real threats or you'll overreact to false positives.

----------

## Pajarico

I read the man page and it is not very extensive. Usually I just watch if the output is red (bad) or green (good) :Very Happy: 

The rest of the test shows no warnings.

My /etc/passwd looks like this. I don't see anything suspicious:

```
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
man:x:13:15:man:/usr/man:/bin/false
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/false
cron:x:16:16:cron:/var/spool/cron:/bin/false
ftp:x:21:21::/home/ftp:/bin/false
sshd:x:22:22:sshd:/dev/null:/bin/false
at:x:25:25:at:/var/spool/cron/atjobs:/bin/false
squid:x:31:31:Squid:/var/cache/squid:/bin/false
gdm:x:32:32:GDM:/var/lib/gdm:/bin/false
xfs:x:33:33:X Font Server:/etc/X11/fs:/bin/false
games:x:35:35:games:/usr/games:/bin/bash
named:x:40:40:bind:/var/bind:/bin/false
mysql:x:60:60:mysql:/var/lib/mysql:/bin/false
postgres:x:70:70::/var/lib/postgresql:/bin/bash
apache:x:81:81:apache:/home/httpd:/bin/false
nut:x:84:84:nut:/var/state/nut:/bin/false
cyrus:x:85:12::/usr/cyrus:/bin/false
vpopmail:x:89:89::/var/vpopmail:/bin/false
alias:x:200:200::/var/qmail/alias:/bin/false
qmaild:x:201:200::/var/qmail:/bin/false
qmaill:x:202:200::/var/qmail:/bin/false
qmailp:x:203:200::/var/qmail:/bin/false
qmailq:x:204:201::/var/qmail:/bin/false
qmailr:x:205:201::/var/qmail:/bin/false
qmails:x:206:201::/var/qmail:/bin/false
postfix:x:207:207:postfix:/var/spool/postfix:/bin/false
smmsp:x:209:209:smmsp:/var/spool/mqueue:/bin/false
portage:x:250:250:portage:/var/tmp/portage:/bin/false
guest:x:405:100:guest:/dev/null:/dev/null
nobody:x:65534:65534:nobody:/:/bin/false
lxuser:x:1000:100::/home/lxuser:/bin/bash
rpc:x:111:111:added by portage for portmap:/dev/null:/bin/false
p2p:x:101:100:added by portage for mldonkey:/home/p2p:/bin/bash
foldingathome:x:102:100:added by portage for foldingathome:/opt/foldingathome:/bin/bash
freenet:x:103:408:added by portage for freenet:/var/freenet:/bin/bash
stats:x:104:409:added by portage for basc:/tmp:/bin/false
distcc:x:240:100:added by portage for distcc:/dev/null:/bin/false
```

----------

## moocha

Compare it with a backup from a read-only medium. Like I said, my bet is that you recently installed foldingathome or such and the differences are due to portage adding user accounts required for that software.

----------

## Pajarico

Thanks, but unfortunately I don't keep any backup.

----------

## Sith_Happens

 *Pajarico wrote:*   

> Thanks, but unfortunately I don't keep any backup.

Risky, and this situation would be one of the risks. Why not try another program like chkrootkit and see if it tells you anything more. Just be sure to run it from the livecd, just to be safe.

----------

## Pajarico

chkrootkit found nothing.

----------

## hds

while we are at chkrootkit, i get this:

```
Checking `lkm'... You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed
```

Should I worry? :Shocked: 

----------

## Pajarico

 *hds wrote:*   

> while we are at chkrootkit, i get this:
> 
> ```
> Checking `lkm'... You have     4 process hidden for ps command
> ...
> ```

 

Have you tried rkhunter?

----------

## Sith_Happens

 *hds wrote:*   

> while we are at chkrootkit, i get this:
> 
> ```
> Checking `lkm'... You have     4 process hidden for ps command
> ...
> ```

I've heard that this can sometimes be a false positive caused by an error in the chkproc command (part of chkrootkit). If you run chkproc on a server that runs lots of short-lived processes it could report some false positives, the reason being that chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious and indicative of LKM (Linux kernel module) trojans.

Try comparing the output of ps -e to the contents of the /proc directory yourself. If they match then you're ok. If not, check out what the hidden processes are. You can also run chkrootkit -x lkm and it will tell you what processes it is concerned about. chkproc -v or chkproc -v -v can also give you some more info.

My system said I had 7 processes hiding from ps, but I checked and they were all accounted for. For some reason firefox and iplog were showing multiple PIDs. Granted, however, my system did not test positive for a possible LKM trojan.

You might also want to reboot from some live-cd that has some forensics tools (rkhunter and chkrootkit), mount your hard-drive ro and noexec, and run some more tests. With chkrootkit, you can "chroot" it so to speak by using the -r flag followed by wherever you mounted your root partition. You can check specifically for lkm trojans using chkrootkit by adding lkm to the end of the command, i.e. chkrootkit lkm. I think however the only test that chkrootkit does for the lkm trojan involves process checking, so mounting from a live-cd to check for lkm trojans using chkrootkit might be a waste of time.

----------

## Sith_Happens

Here is a program called kern_check. It compares the syscalls of kernel modules to /boot/System.map. It's C code, so put the file in some directory, and compile it with gcc -o kern_check kern_check.c. Reboot in single user mode, or drop to runlevel 1, mount -o ro /boot (if it is on a separate partition), and run /(path to kern_check)/kern_check /boot/System.map. You can also run it with the -v flag if you like, but run it without it first.

----------

## Sith_Happens

Oops, I pressed quote instead of edit.  :Embarassed: 

----------

## hds

thx Sith

I also see LKM is not always shown. It's only if I run my bash script:

```
esync -n -s >/root/status.txt
glsa-check -t all >>/root/status.txt
chkrootkit >>/root/status.txt
sendEmail ...
```

If I run chkrootkit from bash manually, all is fine.

----------

## Fauli

 *hds wrote:*   

> while we are at chkrootkit, i get this:
> 
> ```
> Checking `lkm'... You have     4 process hidden for ps command
> ...
> ```

 

When using NPTL, chkproc -v reports exactly those processes as hidden that use multiple threads. So I guess you don't have to worry.

----------

## Sith_Happens

Of course, I use NPTL.  :Surprised:  Thanks Fauli, I was being quite a noob.

----------

## hds

I am not using NPTL, I found this using the search function of this board already. I am using kernel 2.4.x.

As I mentioned above, LKM shows up just if I run chkrootkit from a bash script.

----------

## moocha

To clarify the PID issue with NPTL:

When you are not using NPTL (which means you are using the old LinuxThreads library), then a program that spawns multiple threads appears more than one time in the output of ps, under /proc, and wherever. This is because each thread gets its own PID. And if a process starts then stops many threads quickly, the PIDs go away and appear quickly, just like a process that spawns multiple subprocesses (see below).

Under NPTL this does not happen - threads don't get their own PID. You will see a single PID as long as the program is running.

Now, if a process starts one or more subprocesses quickly (typically that happens for shell scripts, which invoke utilities such as ps, grep, etc etc), it can happen that chkproc takes the process table snapshot from /proc (or from wherever it takes it) with those utilities running, but when it compares it to the output of ps those utilities have already finished running, thus they don't appear anymore - hence the differences. Without NPTL, this happens when a program initially had, say, 6 threads running, and it stopped a thread right after chkproc looked at the process table - and since threads show up as processes without NPTL, that can lead to false positives being reported.
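The ps versus /proc comparison Sith_Happens suggests doing by hand, with the re-sampling that the race moocha describes calls for. This is an added example, not code from the thread or from chkrootkit; it assumes a Linux /proc and a ps that accepts `-o pid=` (procps).

```shell
#!/bin/sh
# Compare the PIDs visible under /proc with those that ps reports, as chkproc
# does, then re-sample any PID that looks hidden so a process that merely exited
# between the two snapshots is not reported. Assumes Linux /proc and procps ps.

# proc_pids: numeric entries under /proc, one PID per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# ps_pids: PIDs from ps -e with the header suppressed.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids PROC_LIST PS_LIST: print the PIDs present in PROC_LIST but
# absent from PS_LIST. Both are newline-separated strings, so the function
# can be run on captured or constructed snapshots as well as live ones.
hidden_pids() {
    { printf '%s\n' "$2"; echo '=== proc ==='; printf '%s\n' "$1"; } | awk '
        /^=== proc ===$/ { in_proc = 1; next }
        !in_proc        { if ($0 != "") seen[$0] = 1; next }
        $0 != "" && !($0 in seen) { print }'
}

# still_hidden PID: succeed only if PID is still in /proc yet still missing from
# ps after three re-samples; a PID that vanished was short-lived, not hidden.
still_hidden() {
    n=0
    while [ "$n" -lt 3 ]; do
        sleep 1
        [ -d "/proc/$1" ] || return 1
        ps -p "$1" -o pid= >/dev/null 2>&1 && return 1
        n=$((n + 1))
    done
    return 0
}

# check_live: run the comparison against the running system and print the
# command line of every PID that stays hidden from ps.
check_live() {
    for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
        still_hidden "$pid" || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        echo "PID $pid is in /proc but not in ps: ${cmd:-<cmdline unreadable>}"
    done
}
```

Call `check_live` as root; a PID that survives the re-sampling is worth looking at, while one that disappears is the short-lived process or LinuxThreads thread the thread above is talking about.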

----------

## Sith_Happens

 *Sith_Happens wrote:*   

> Here is a program called kern_check. It compares the syscalls of kernel modules to /boot/System.map. It's C code, so put the file in some directory, and compile it with gcc -o kern_check kern_check.c. Reboot in single user mode, or drop to runlevel 1, mount -o ro /boot (if it is on a separate partition), and run /(path to kern_check)/kern_check /boot/System.map. You can also run it with the -v flag if you like, but run it without it first.

 This should give you a much better indication of LKM trojans, if you are still worried about the warning from chkrootkit.

----------

## _mikec_

Is this normal?

```
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)
Checking `w55808'... not infected
```

See sniffer?

Thanks.

----------

## Sith_Happens

I think so.  I have iplog, snort, and dhcpcd running on eth0, and chkrootkit outputs this:

```
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd, /usr/sbin/iplog, /usr/bin/snort)
```

----------

## hds

Well, it would be of interest if this is on a public webserver, accessible outside, or in a home environment.

or or or ??

Does /var/log/messages tell something? That would also be of interest.

----------

## Sith_Happens

 *hds wrote:*   

> Well, it would be of interest if this is on a public webserver, accessible outside, or in a home environment.
> 
> or or or ??
> 
> Does /var/log/messages tell something? That would also be of interest.

Are you talking about myself? I run this on a standalone system connected to a hostile college network (hence snort and iplog). :Cool: All chkrootkit is telling me with this line:

```
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd, /usr/sbin/iplog, /usr/bin/snort) 
```

is: "the following programs are packet sniffing on eth0".  In my case, all the programs are legitimate, and the binaries haven't been tampered with, so everything is hunky dory.
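What that sniffer line rests on, shown as an added example that is not code from the thread or from chkrootkit: each PF_PACKET socket is listed in /proc/net/packet with its inode, and the inode can be matched against the socket links in every process's fd directory to name the program, as chkrootkit does for dhcpcd, iplog and snort above. It assumes a Linux /proc and /sys and root privileges to read other users' fd directories.

```shell
#!/bin/sh
# Name the processes behind a chkrootkit `sniffer' line: every PF_PACKET
# socket appears in /proc/net/packet with its inode, and that inode can be
# matched against the socket links in each process's /proc/PID/fd.
# Assumes a Linux /proc and /sys; field positions follow /proc/net/packet's
# header line (Iface is field 5, Inode is field 9).

# packet_inodes: read /proc/net/packet text on stdin and print
# "ifindex inode" for every PF_PACKET socket, skipping the header.
packet_inodes() {
    awk 'NR > 1 && NF >= 9 { print $5, $9 }'
}

# ifname IFINDEX: map a kernel interface index to its name via /sys.
ifname() {
    for f in /sys/class/net/*/ifindex; do
        [ "$(cat "$f" 2>/dev/null)" = "$1" ] || continue
        n=${f#/sys/class/net/}; echo "${n%/ifindex}"; return
    done
    echo "ifindex$1"
}

# inode_owners INODE: print every PID whose fd table holds socket INODE.
# Needs root to read other users' fd directories.
inode_owners() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        p=${fd#/proc/}; echo "${p%%/*}"
    done | sort -u
}

# report: like chkrootkit's sniffer test, print "iface: PID exe" for each
# PF_PACKET socket on the live system.
report() {
    packet_inodes < /proc/net/packet | while read -r idx inode; do
        for pid in $(inode_owners "$inode"); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
            echo "$(ifname "$idx"): PF_PACKET held by PID $pid ${exe:-<exe unreadable>}"
        done
    done
}
```

Run `report` as root; a PF_PACKET holder whose exe is not a program you know you run on that interface is the case worth investigating, while dhcpcd, iplog and snort are expected there.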

----------

## hds

 *Sith_Happens wrote:*   

> Are you talking about myself?
> 
> 

 

Of course not. I was talking to "_mikec_". I agree, this wasn't obvious this time, sorry! My fault.

----------

## Sith_Happens

 *hds wrote:*   

>  *Sith_Happens wrote:*   
> 
> > Are you talking about myself?
> 
> Of course not. I was talking to "_mikec_". I agree, this wasn't obvious this time, sorry! My fault.

No problem. However, my explanation about what the sniffer line from chkrootkit's output is saying applies to him as well. If he uses dhcpcd, then I would expect it to be sniffing packets on eth0. :Wink: 

----------

## _mikec_

Nothing about sniffer in /var/log/messages.

And yes, I am using dhcpd.

I am all safe then :Smile: 

----------

## hds

Dunno, I am on dhcp myself on my client, and I don't get such messages :Wink: 

----------

## Sith_Happens

 *hds wrote:*   

> Dunno, I am on dhcp myself on my client, and I don't get such messages 

Interesting, I wonder why that is. :Confused: 

----------

