Date: Sat, 12 Jun 2004 13:47:00 +0200
From: lupe@lupe-christoph.de (Lupe Christoph)
To: Peter Rosa
cc: FreeBSD Security
Subject: Re: Hacked or not ?
Message-ID: <20040612114700.GA1082@lupe-christoph.de>
In-Reply-To: <016301c4506e$947644e0$3501a8c0@pro.sk>

On Saturday, 2004-06-12 at 13:15:33 +0200, Peter Rosa wrote:

> please advise me - I was on holidays for one week. After return I found in
> security mails from router (chkrootkit) following message:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> It appeared only once. From previous and next days reports, the message is
> not present.

This is an artifact. chkrootkit uses two methods to look at the running
processes - ps and /proc. When a process terminates between the two runs,
you will get this. I see it at irregular intervals on all my machines that
run chkrootkit.

But if your machine is critical, running chkrootkit once daily is not
enough. This gives a cracker too much time to nest in. Run it at least
every hour.

Are you running an integrity checker like AIDE, Tripwire, etc?

> How could I be sure the machine is not hacked?

You can't. Not in general. chkrootkit goes only so far. Always assume the
worst. But don't panic.

HTH,
Lupe Christoph

PS: Flames that this is not a security help mailing list to /dev/null,
please. If you want to flame me, put the energy into creating a
freebsd-security-help mailing list instead.
--
| lupe@lupe-christoph.de       | http://www.lupe-christoph.de/        |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity  |
| Home for Badgers with Rabies." Michael Lucas                         |
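An added example, not chkrootkit's own code and not part of the thread, of the /proc-versus-ps comparison Lupe describes, with the race he mentions handled by re-checking each suspect PID before reporting it. It assumes procfs is mounted at /proc and a ps that accepts `-ax -o pid=` and `-p`; the function names are ours.

```shell
#!/bin/sh
# Added example: list PIDs visible to readdir on /proc, list PIDs reported by
# ps, and treat a PID as "hidden" only if it stays in /proc while ps keeps
# missing it. A process that exits between the two snapshots vanishes from
# /proc on the re-check and is dropped, which is exactly the false positive
# chkrootkit's one-shot comparison produces.

# hidden_pids "READDIR_PIDS" "PS_PIDS"
# Prints the PIDs present in the first whitespace-separated list but absent
# from the second. Pure list logic, so it can be exercised on constructed input.
hidden_pids() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) ;;              # ps knows this PID: not hidden
            *) echo "$pid" ;;           # in /proc but not in ps output
        esac
    done
}

# PIDs as seen by readdir on /proc (assumes procfs is mounted there).
proc_pids() { ls /proc 2>/dev/null | grep -E '^[0-9]+$' | sort -n | tr '\n' ' '; }

# PIDs as seen by ps (assumes ps accepts -ax -o pid=).
ps_pids()   { ps -ax -o pid= 2>/dev/null | tr -d ' ' | sort -n | tr '\n' ' '; }

# confirmed_hidden [ROUNDS]
# Re-checks every first-pass suspect ROUNDS times, one second apart. A suspect
# is reported only if it is still in /proc and still invisible to ps on every
# round; if it left /proc it simply terminated, if ps now sees it the first
# pass hit the race.
confirmed_hidden() {
    rounds=${1:-3}
    suspects=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    for s in $suspects; do
        n=0
        while [ "$n" -lt "$rounds" ]; do
            [ -d "/proc/$s" ] || break                       # exited: not hidden
            ps -p "$s" -o pid= >/dev/null 2>&1 && break      # visible now: race
            n=$((n + 1))
            sleep 1
        done
        [ "$n" -eq "$rounds" ] && echo "$s"
    done
}

# Example run on the local host (prints nothing when no PID is persistently hidden):
# confirmed_hidden 3
```

Anything `confirmed_hidden` does print deserves the full investigation Lupe implies: a process that stays in /proc but never appears in ps is not explained by timing.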