[SLE] Re: [suse-security] chkroot claims top infected (fwd)
From: Lenz Grimmer (lenz_at_grimmer.com)
Date: 02/02/04
Date: Mon, 2 Feb 2004 14:53:58 +0100 (CET)
To: SuSE Linux Mailing List <suse-linux-e@suse.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
JFYI, for those of you who are not on suse-security...
Seems like it was (fortunately) a false alarm. But still, I too would
appreciate if the packages in the "people" directory were signed at least
with the developer's key.
Bye,
LenZ
--
------------------------------------------------------------------
Lenz Grimmer <lenz@grimmer.com> -o)
[ICQ: 160767607 | Jabber: LenZGr@jabber.org] /\\
http://www.lenzg.org/ V_V
---------- Forwarded message ----------
Date: Mon, 2 Feb 2004 12:42:36 +0100 (CET)
From: Sebastian Krahmer <krahmer@suse.de>
To: dh <mesamoo@comcast.net>
Cc: suse-security@suse.com
Subject: Re: [suse-security] chkroot claims top infected
On Sun, 1 Feb 2004, dh wrote:
Hi,
I think this is a false positive from chkrootkit. I downloaded the ps package
from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed
there is "/prof" string in ps and top. But this is ok. The string
is inside .text and is executable code. This is:
...
0x8055205: call 0x8049700 strtoul()
0x805520a: mov 0xc(%ebp),%edx
0x805520d: mov %eax,0x1b8(%edx)
0x8055213: mov %eax,(%edx)
0x8055215: movl $0x6f72702f,(%esi) ; /prof
0x805521b: movw $0x2f63,0x4(%esi)
0x8055221: mov 0x226fc(%ebx),%eax
0x8055227: add $0xb,%eax
0x805522a: mov %eax,0x4(%esp,1)
0x805522e: lea 0x6(%esi),%eax
0x8055231: mov %eax,(%esp,1)
0x8055234: call 0x8049780 strcpy()
...
The code in C is:
pid = strtoul(ent->d_name, NULL, 10);
memcpy(path, "/proc/", 6);
strcpy(path+6, ent->d_name);
and comes from the original ps source. The compiler optimized the memcpy()
into a movl+movw, since "/pro" is 32 bits and the remaining 2 bytes are copied
via movw. This just yields the "/prof" string in .text.
regards,
Sebastian
> I brought up this issue on the SuSE English List (SLE) and it was
> suggested that I should pass my information along to this list.
>
> What follows is a cut and paste of the thread from SLE...
>
> I just ran chkroot (chkrootkit-0.43, Sat Dec 27 2003) and it gave the
> results
> Checking `top'... INFECTED
> and
> Checking `lkm'... You have 5 process hidden for ps command
>
> I found these commands were in an rpm updated w/ synaptic recently,
> ps_2003.11.17-18_i586.rpm. The file can be found at
> ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people
>
> top's size is 81.5kb and has a modified date of 2004-01-20
> #top -h
> top: procps version 3.1.14
>
> As further investigation I installed the previous rpm
> (ps-2003.9.20-6.i586.rpm) from SuSE and then ran checkroot again, this
> time no errors were reported. Then reinstalled the rpm from the apt
> repository and the errors appear again.
>
> I know this doesn't mean that I haven't been rooted but it really points
> a finger at the ps_2003.11.17-18_i586.rpm from
> ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386/RPMS.suse-people
> (the apt archive)
> If so anyone using apt for their upgrades should be concerned about
> this.
>
> Continuing my investigation I booted up my test machine w/ SuSE 9.0
> ran checkrootkit and it showed all clean. Then I used synaptic and
> updated ps (ps_2003.11.17-18_i586.rpm) and nothing else
> then I ran chkroot again and the errors are there.
>
> Anders Johansson wrote (from 3 separate messages):
>
> chkrootkit is reacting to the string /prof in top. That string isn't in
> the src.rpm, but it is in the binary. That alone is very suspicious. It
> does look like kraxel's binaries are infected. I wonder what other
> niceties are in the binaries in the apt repo
>
> The suspicious ps package is identical on suse.com and on gwdg.de, so it
> seems that if something has been compromised it's on suse.com.
> The problem is in the "top" in the ps package from /pub/people/kraxel
> The top binary in that contains the string "/prof", which chkrootkit
> detects
> as a sign of an infected binary
>
> That string isn't in the src.rpm from kraxel's directory, and if you
> rebuild the rpm from that src.rpm you also won't see that string.
>
> And finally a long quote from Ivan Sergio Borgonovo :
>
> I've done all these things
> Installed ps through apt
> Installed ps from DVD
> Compiled and installed ps from ftp.suse.com
> Installed chkrootkit from source
> Installed chkrootkit from apt
>
> and the result ranged from no infected packages, no modules loaded to,
> top or/and ps infected and hidden modules etc...
>
> I doubt that just substituting 2 binaries I can "unload" trojan
> modules.
>
> I gave a look at the sources of chkrootkit and discovered which binary
> was checking for "hidden" modules.
> I discovered it has an option -v and got this output
>
> stige:~ # chkproc -v
> PID 3: not in ps output
> PID 4: not in ps output
> PID 5: not in ps output
> PID 6: not in ps output
> You have 4 process hidden for ps command
>
> then I did...
>
> // edited to fit in email
> stige:~ # ps aux
> USER PID VSZ RSS TTY STAT START TIME COMMAND
> root 1 620 256 ? S 22:00 0:04 init [3]
> root 2 0 0 ? SW 22:00 0:00 [keventd]
> root 0 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]
> root 0 0 0 ? SW 22:00 0:00 [kswapd]
> root 0 0 0 ? SW 22:00 0:00 [bdflush]
> root 0 0 0 ? SW 22:00 0:00 [kupdated]
> root 8 0 0 ? SW 22:00 0:00 [khubd]
> root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]
>
> Curiously enough
> /proc/3 is actually ksoftirqd_CPU0
> /proc/4 is kswapd
> ... bdflush, kupdated
>
> out of panic mode: reasonable???
>
> So there you have it. I would love to post back to the SLE and apt4SuSE
> lists that this is a non-issue but if there really is a problem then I
> am sure that the great minds on this list will be able to help.
>
> Thanks for your time and I do apologize if I've broken any etiquette, I
> just don't have time to read the whole FAQ, or search the archives
> right now .
>
>
>
> --
> dh
>
>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
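Added illustration of Sebastian's explanation (this is example code written for this archive page, not code from procps, chkrootkit or the thread): the "/proc/" prefix copy from ps is kept as a function, the two instructions from the listing are spelled out as i386 machine-code bytes (constructed by hand from the standard encodings; their 6-byte lengths agree with the addresses 0x8055215 -> 0x805521b -> 0x8055221 in the listing, but the exact bytes are my assumption), and a chkrootkit-style substring scan is run over them. The little-endian immediates put "/pro" and "c/" into the instruction stream, and the 0x66 operand-size prefix of the movw happens to be ASCII 'f', which is where "/prof" comes from. The data the code actually builds still contains "/proc/" and never "/prof".

```c
/* Added example: why a byte-string signature ("/prof") matches a clean top/ps
 * binary. Not from procps or chkrootkit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The path construction quoted from the ps source, as a function.
 * Returns the number of characters written, or 0 if out is too small. */
size_t build_proc_path(char *out, size_t outsz, const char *d_name) {
    size_t n = strlen(d_name);
    if (outsz < 6 + n + 1) return 0;
    memcpy(out, "/proc/", 6);   /* gcc may emit this as movl + movw */
    strcpy(out + 6, d_name);
    return 6 + n;
}

/* Constructed i386 encoding (assumption) of the two listed instructions:
 *   c7 06 2f 70 72 6f   movl $0x6f72702f,(%esi)   ; imm32 bytes = "/pro"
 *   66 c7 46 04 63 2f   movw $0x2f63,0x4(%esi)    ; 0x66 prefix = 'f', imm16 = "c/"
 */
static const uint8_t code_bytes[] = {
    0xc7, 0x06, 0x2f, 0x70, 0x72, 0x6f,
    0x66, 0xc7, 0x46, 0x04, 0x63, 0x2f,
};
static const size_t code_len = sizeof code_bytes;

/* Naive signature scan of the kind a string-based rootkit check performs.
 * Returns the offset of the first match, or -1. */
long find_bytes(const uint8_t *buf, size_t n, const char *sig) {
    size_t m = strlen(sig);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return (long)i;
    return -1;
}

/* Check that the two immediates, written out little-endian, spell "/proc/". */
int immediates_spell_proc(void) {
    uint32_t movl_imm = 0x6f72702fu;
    uint16_t movw_imm = 0x2f63u;
    char s[7];
    for (int i = 0; i < 4; i++) s[i] = (char)((movl_imm >> (8 * i)) & 0xff);
    for (int i = 0; i < 2; i++) s[4 + i] = (char)((movw_imm >> (8 * i)) & 0xff);
    s[6] = '\0';
    return strcmp(s, "/proc/") == 0;
}

int main(void) {
    char path[32];
    build_proc_path(path, sizeof path, "123");
    printf("path built by ps: %s\n", path);
    printf("\"/prof\" in built path: %ld\n",
           find_bytes((const uint8_t *)path, strlen(path), "/prof"));
    printf("\"/prof\" in code bytes: offset %ld\n",
           find_bytes(code_bytes, code_len, "/prof"));
    printf("immediates spell \"/proc/\": %d\n", immediates_spell_proc());
    return 0;
}
```

The check that actually answers the question in this thread is not a string scan but verifying the package signature against the distributor's key (rpm --checksig), which is the point Lenz makes at the top of the mail.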
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
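Added illustration of the "process hidden for ps command" result quoted from Ivan (example code written for this page, not chkrootkit's chkproc): the check takes the numeric entries that exist under /proc and looks for each one in the PID column of ps output. The sample data is constructed from the quoted listing, in which the kernel threads ksoftirqd_CPU0, kswapd, bdflush and kupdated are printed with PID 0, so PIDs 3 to 6 are reported as hidden even though nothing is concealed; the same comparison against a listing that prints the real PIDs reports nothing.

```c
/* Added example: a chkproc-style hidden-process check over constructed
 * inputs. Not chkrootkit's own code. */
#include <stdio.h>
#include <string.h>

#define MAX_PIDS 256

/* Constructed: numeric directories that would be found under /proc. */
static const int proc_pids[] = { 1, 2, 3, 4, 5, 6, 8, 9 };
static const size_t proc_pid_count = sizeof proc_pids / sizeof proc_pids[0];

/* Constructed from the quoted ps aux output: kernel threads shown as PID 0. */
static const char ps_output_quoted[] =
    "USER PID VSZ RSS TTY STAT START TIME COMMAND\n"
    "root 1 620 256 ? S 22:00 0:04 init [3]\n"
    "root 2 0 0 ? SW 22:00 0:00 [keventd]\n"
    "root 0 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]\n"
    "root 0 0 0 ? SW 22:00 0:00 [kswapd]\n"
    "root 0 0 0 ? SW 22:00 0:00 [bdflush]\n"
    "root 0 0 0 ? SW 22:00 0:00 [kupdated]\n"
    "root 8 0 0 ? SW 22:00 0:00 [khubd]\n"
    "root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]\n";

/* Constructed: the same listing with the real PIDs in the PID column. */
static const char ps_output_fixed[] =
    "USER PID VSZ RSS TTY STAT START TIME COMMAND\n"
    "root 1 620 256 ? S 22:00 0:04 init [3]\n"
    "root 2 0 0 ? SW 22:00 0:00 [keventd]\n"
    "root 3 0 0 ? SWN 22:00 0:00 [ksoftirqd_CPU0]\n"
    "root 4 0 0 ? SW 22:00 0:00 [kswapd]\n"
    "root 5 0 0 ? SW 22:00 0:00 [bdflush]\n"
    "root 6 0 0 ? SW 22:00 0:00 [kupdated]\n"
    "root 8 0 0 ? SW 22:00 0:00 [khubd]\n"
    "root 9 0 0 ? SW< 22:00 0:00 [mdrecoveryd]\n";

/* Read the PID column (second field) of every non-header line into pids[].
 * Returns how many PIDs were parsed. */
static size_t parse_ps_pids(const char *text, int *pids, size_t max) {
    size_t n = 0;
    int header = 1;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        if (!header && n < max) {
            int pid;
            if (sscanf(line, "%*s %d", &pid) == 1) pids[n++] = pid;
        }
        header = 0;
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* chkproc-style comparison: count /proc PIDs absent from the ps output and
 * store up to max_hidden of them in hidden[]. */
int count_hidden(const int *procs, size_t nprocs, const char *ps_text,
                 int *hidden, size_t max_hidden) {
    int seen[MAX_PIDS];
    size_t nseen = parse_ps_pids(ps_text, seen, MAX_PIDS);
    int count = 0;
    for (size_t i = 0; i < nprocs; i++) {
        int found = 0;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == procs[i]) { found = 1; break; }
        if (!found) {
            if ((size_t)count < max_hidden) hidden[count] = procs[i];
            count++;
        }
    }
    return count;
}

int main(void) {
    int hidden[MAX_PIDS];
    int n = count_hidden(proc_pids, proc_pid_count, ps_output_quoted,
                         hidden, MAX_PIDS);
    for (int i = 0; i < n; i++)
        printf("PID %d: not in ps output\n", hidden[i]);
    printf("You have %d process hidden for ps command\n", n);
    printf("with real PIDs in the listing: %d hidden\n",
           count_hidden(proc_pids, proc_pid_count, ps_output_fixed,
                        hidden, MAX_PIDS));
    return 0;
}
```

The comparison is only as good as the ps binary and the PID column it prints; a mismatch means "ps disagrees with /proc", which warrants checking the ps package (its signature and the /proc entries themselves) before concluding that a module is hiding processes.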
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFAHlZ5SVDhKrJykfIRAoGoAJ9kLWJ/8pHN4S4k2iZPxQFeI3QXIwCeLBW2
S+AysSlIRdwbrpyG1V+ymoQ=
=88yp
-----END PGP SIGNATURE-----