[SGVLUG] False positive?: "LKM Trojan Installed"

Bryan White m0laria at gmail.com
Mon Oct 16 14:34:48 PDT 2006


So you have another program that reports a trojan was installed based on the
result of the chkproc?  What program is that?

On 10/16/06, David Lawyer <dave at lafn.org> wrote:
>
> I thought that it's about time that I post something "on topic" rather
> than OT.  So here it is.  I think I've solved the problem by
> assuming that it's "no problem".
>
> When my cron jobs run, that were somehow set up to run by updating
> Debian packages using "apt-get", I get email reports from them.  One
> such report told me that a possible LKM Trojan was installed.  But it
> also said that per "chkproc" 1 process was hidden for the ps command.
> This means that there was a process running which didn't get listed by
> the "ps" command, possibly because the "ps" command has been
> contaminated with code so that it would not display a certain rogue
> LKM (Linux Kernel Module) process.  So I ran "chkproc" (it's not in
> any standard path so I had to use "locate" to find it) and it finds
> nothing wrong.
>
> So per what I saw on the Internet, chkproc can make a mistake since it
> takes a snapshot of both the output of "ps" and the list of processes
> in the /proc/ directory.  They are not really a list since each
> process number appears as the name of a subdirectory in the /proc/
> directory.  /proc/ is not a normal directory since the contents of all
> the files in its tree are all in memory and not on disk.
>
> So since chkproc takes a snapshot of the output of ps and the list of
> processes in /proc at slightly different times, there's supposedly a
> possibility of an error since a process may be born or die while the
> chkproc is gathering the info (including the time ps is gathering its
> info, etc.).  Such an error would be a false positive.  Here the
> "positive" result of the test is that it finds a trojan.  But if
> that's false they say it's a "false positive".  So I think I'm just
> getting a false positive and have nothing to worry about.  Any
> comments?  Do others get this false positive?
>
> I further checked the checksum of the ps binary and found it to be
> correct.  To do this I used the md5sum program on ps and compared it
> to a md5 list in a file in the Debian package directory tree.  These
> are the md5sums of the binaries (such as ps) which I downloaded from
> Debian over the Internet using apt-get.
>
>                         David Lawyer
>
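The ps-versus-/proc comparison described in the quoted post, with a second pass that discards PIDs which only appeared to be hidden because they started or exited between the two snapshots. This is an added Python example, not chkrootkit's chkproc code; the `ps -e -o pid=` invocation, the two-pass re-check and the half-second delay are assumptions of the example.

```python
"""Compare the PIDs listed by ps with the numeric entries in /proc (the
comparison chkproc makes) and re-check any candidate so that a process
born or dying between the two snapshots is not reported as hidden."""
import os
import subprocess
import time


def proc_pids():
    """PIDs currently visible as numeric directory names under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids(ps_output):
    """Parse PIDs from `ps -e -o pid=` output (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def candidate_hidden(proc_snapshot, ps_snapshot, self_pid):
    """PIDs present in /proc but absent from ps, excluding this scanner."""
    return {p for p in proc_snapshot - ps_snapshot if p != self_pid}


def confirm_hidden(candidates, later_proc_snapshot, later_ps_snapshot):
    """Keep only candidates that are still in /proc AND still missing
    from ps on a later pass.  A short-lived PID (the race in the post)
    disappears from /proc and drops out; a genuinely hidden one persists."""
    return {p for p in candidates
            if p in later_proc_snapshot and p not in later_ps_snapshot}


def scan(passes=2, delay=0.5):
    """Run the comparison on the live system with `passes` snapshots."""
    def ps_snapshot():
        out = subprocess.run(["ps", "-e", "-o", "pid="],
                             capture_output=True, text=True, check=True).stdout
        return ps_pids(out)

    candidates = candidate_hidden(proc_pids(), ps_snapshot(), os.getpid())
    for _ in range(passes - 1):
        if not candidates:
            break
        time.sleep(delay)  # let transient processes finish before re-checking
        candidates = confirm_hidden(candidates, proc_pids(), ps_snapshot())
    return candidates


if __name__ == "__main__":
    hidden = scan()
    print("hidden processes:", sorted(hidden) if hidden else "none")
```

A single-pass tool reports every PID in the first candidate set; the re-check is what turns a transient cron child into a non-finding while a process that stays in /proc and stays out of ps is still flagged.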