Re: TID/PID handling and possible rootkit

[Daniel Jacobowitz <dan@debian.org>]

David's analysis is pretty much right on.

On Fri, Feb 28, 2003 at 09:24:37PM +0100, Felipe Alfaro Solana wrote:
> Hello! 
>  
> This is a message forwarded from Red Hat's Phoebe (8.1) Linux 
> Beta. It seems that some of us, when running "chkrootkit" rootkit 
> checker, are getting consistent errors complaining that we have 
> hidden processes from the "ps" command and "procfs". 
>  
> Can you please help us disguise what's happening? 
> If so, keep reading :-) 
>  
> ----- Original Message -----   
> From: David McKellar <djmcke@yahoo.com>   
> Date: Fri, 28 Feb 2003 09:33:15 -0800 (PST)    
> To: phoebe-list@redhat.com   
> Subject: Re: chkrootkit on phoebe   
>    
> > It says I have LKM also:   
> >    
> >   Checking `lkm'... You have    12 process hidden for readdir command   
> >   You have    12 process hidden for ps command   
> >   Warning: Possible LKM Trojan installed   
> >    
> > My system is on the net all the time so it could very well be infected.   
>    
> I have done some research and this is what I've found:   
>    
> Recompiling (get paranoid) chkrootkit creates a separate binary called 
> "chkproc" that allows you to search for  hidden processes. Running 
> "chkproc -v" on my system reveals this: 
>    
> ID  1364: not in readdir output   
> PID  1364: not in ps output   
> PID  1365: not in readdir output   
> PID  1365: not in ps output   
> PID  1366: not in readdir output   
> PID  1366: not in ps output   
> You have     3 process hidden for readdir command   
> You have     3 process hidden for ps command   
>    
> My computer is behind a firewall that filters all ports < 1023 and I'm a 
> very paranoic person, so I really doubt I have got infected by a trojan.  
>    
> In my case, I've found the culprit to be "Evolution": while running 
> Evolution, there are 3 or more processes not  being displayed by the 
> "ps" command, or even listed under "/proc., but they are accessible by 
> "cd"-ing to them.  If I quit "Evolution", running "./chkproc -v" again does 
> not generate those warnings. 
>  
> I think this is related to changes in PID/TID handling by recent kernels. 
> If my memory serves me well, each thread of a process is given a 
> unique ID (the Thread ID) which is assigned from the same pool as the 
> PID, so, there was a time when you could see threads from the output 
> of the "ps" command. I think this behaviour has changed, and now, you 
> can't directly see threads by using "ps" or reading from "/proc". However, 
> the TID number is still reserved from the same pool as PIDs, although 
> it won't be listed in "/proc". For whatever reason it be, it seems that "procfs" 
> still allows one to "cd" to the directory entry of a thread by using the 
> Thread ID (TID), so this could be the culprit of the problem. Since 
> "chkproc" tries "cd"-ing the hard way into all possible combinations of 
> directories from within "/proc", "chkproc" is in fact "seeing" was should be 
> hidden: the entries for threads. 
>    
> This problem is reproducible on 2.4.20-2.54 and 2.5.63-mm1.   
>  
> Can any kernel guru help us here? Am we right? Are we infected? 
>  
> Thanks! 
>  
>    Felipe Alfaro Solana 
>  
> -- 
> ______________________________________________
> http://www.linuxmail.org/
> Now with e-mail forwarding for only US$5.95/yr
> 
> Powered by Outblaze
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer