From: Albert Cahalan <albert@users.sf.net>
To: linux-kernel mailing list <linux-kernel@vger.kernel.org>
Cc: midian@ihme.org
Subject: Re: [OT] Rootkit queston
Date: 02 Dec 2003 16:24:43 -0500
Message-ID: <1070400282.780.11.camel@cube>
> I've been paranoid after I heard that the Debian project
> got "rootkitted". I ran chkrootkit, and it said that
> it's possible that I have an LKM rootkit installed, but
> the website told me that it's possible that the LKM test
> gives wrong information with recent kernels (running 2.4.22
> now).
>
> These processes "were hidden from ps command":
> root 0 0.0 0.0 0 0 ? SWN Oct28 0:01 [ksoftirqd CPU0]
> root 0 0.0 0.0 0 0 ? SW Oct28 4:27 [kswapd]
> root 0 0.0 0.0 0 0 ? SW Oct28 0:00 [bdflush]
> root 0 0.0 0.0 0 0 ? SW Oct28 0:01 [kupdated]
>
> They seem to have PID 0; is this normal?
Yes and no. This is a kernel bug that trips up libproc.
The first number in a /proc/*/stat file should match
the Tgid number in the /proc/*/status file it goes with.
This is the POSIX PID. (note: NOT the "Pid" value)
Early 2.4.xx kernels didn't try to report this in
the /proc/*/status files at all, so libproc would
use the /proc/*/stat data instead. Recent 2.4.xx
kernels report the data. It seems that the data is
left uninitialized for the built-in kernel tasks.
Though there will be a work-around in future libproc
code, the 2.4.xx kernel ought to get fixed anyway.
> Does my system have a rootkit installed?
I don't think so.
> If it does, how do I remove it?
Boot from CD-ROM and reinstall the OS.
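An added example, not libproc or procps code, of the consistency check Albert describes: parse /proc/<pid>/stat and /proc/<pid>/status and flag any task whose stat PID disagrees with the status Tgid, the mismatch that makes ps print PID 0 for those kernel threads. The sample stat and status texts below are constructed to model the bug; `scan_proc` runs the same check over a live /proc.

```python
#!/usr/bin/env python3
"""Cross-check /proc/<pid>/stat against /proc/<pid>/status (hypothetical tool)."""
import os

# Constructed sample: the comm field holds a space, so naive split() is wrong.
SAMPLE_STAT = "4 (ksoftirqd CPU0) S 1 0 0 0 -1 0 0 0 0 0 0 1 0 0 0 19 0 1 0 0 0 0\n"
# Constructed status text modelling the bug: Tgid left at 0 for a kernel task.
SAMPLE_STATUS = "Name:\tksoftirqd CPU0\nState:\tS (sleeping)\nTgid:\t0\nPid:\t4\nPPid:\t1\n"


def parse_stat(text):
    """Return (pid, comm). comm is parenthesised and may contain spaces or ')',
    so cut at the LAST ')' instead of splitting on whitespace."""
    head, sep, _rest = text.rpartition(")")
    if not sep:
        raise ValueError("malformed stat line")
    pid_str, _, comm = head.partition("(")
    return int(pid_str), comm


def parse_status(text):
    """Return {Key: value} for the 'Key:\\tvalue' lines of a status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_consistency(stat_text, status_text):
    """Return None when stat PID and status Tgid agree, else a description.
    No Tgid line (older 2.4 kernels) is not a mismatch: libproc then uses stat."""
    pid, comm = parse_stat(stat_text)
    tgid = parse_status(status_text).get("Tgid")
    if tgid is None or int(tgid) == pid:
        return None
    return "pid %d (%s): stat says %d but status Tgid says %s" % (pid, comm, pid, tgid)


def scan_proc(proc="/proc"):
    """Run the check over every numeric entry of a live /proc; return mismatches."""
    problems = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "stat")) as f_stat, \
                 open(os.path.join(proc, name, "status")) as f_status:
                msg = check_consistency(f_stat.read(), f_status.read())
        except OSError:
            continue  # task exited between listdir() and open()
        if msg:
            problems.append(msg)
    return problems


if __name__ == "__main__":
    print(check_consistency(SAMPLE_STAT, SAMPLE_STATUS))
    print("\n".join(scan_proc()) or "live /proc: stat PID and status Tgid agree")
```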