Argh, infected!

Sam Barnett-Cormack s.barnett-cormack at lancaster.ac.uk
Mon Oct 13 05:22:50 PDT 2003


On Mon, 13 Oct 2003, Dan Osterrath wrote:

> Am Montag, 13. Oktober 2003 13:53 schrieb Sam Barnett-Cormack:
> > On Mon, 13 Oct 2003, Sam Barnett-Cormack wrote:
> > > [root at mnementh chkrootkit-0.42b]# ./chkrootkit | grep INFECTED
> > > Checking `netstat'... INFECTED
> > >
> > > Okay, so I think I understand that... now what the heck do I do about
> > > it? Anyone know?
> >
> > Further: false alarm. chkrootkit was checking for addr.h, and this was
> > in the binary *only* until it was stripped. I stripped it, and now all
> > is fine.
>
> 1. Why does chkrootkit think that there is a root kit in netstat when it was
> compiled with addr.h? - Seems that it normally does not do so and that there
> exists a root kit that does.
> 2. When you strip a binary you remove some extra information such as this
> binary was compiled with addr.h. If you strip it the extra information gets
> lost but it is still compiled with it and the root kit is still inside.
> Unfortunately chkrootkit can not see it anymore.
>
> So don't be too optimistic that you are safe.
>
> Probably you would give us your lfs version and we could verify our results
> with yours...

LFS 4.1, plus some extras. This explanation has been corroborated with
other people who got caught.

Try starting with a known good machine, compile without setting -O2 or
anything, the latest net-tools. Then check it out.

If chkrootkit relied on binaries being unstripped it would be kinda
useless.

-- 

Sam Barnett-Cormack
Software Developer                           |  Student of Physics & Maths
UK Mirror Service (http://www.mirror.ac.uk)  |  Lancaster University
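An added illustration (not part of the thread, and not chkrootkit's own code) of the two points made above: a string-signature check like chkrootkit's netstat test sees the `addr.h` marker only while the debug string table is present, so stripping flips the verdict without changing the code; comparing a digest of the executable bytes against a known-good build does not have that problem. The "binary" is a constructed byte layout, not a real ELF.

```python
"""Why a string signature flips after strip, and why a known-good hash does not."""
import hashlib

# Marker string chkrootkit looks for in netstat, as discussed in the thread.
MARKERS = [b"addr.h"]

# Constructed sample: the same machine code with and without a debug string table.
# 55 push rbp; 48 89 e5 mov rbp,rsp; b8 00000000 mov eax,0; 5d pop rbp; c3 ret
CODE = bytes.fromhex("554889e5b8000000005dc3")
DEBUG_STRINGS = b"\x00netstat.c\x00addr.h\x00"  # what -g leaves behind until strip
UNSTRIPPED = CODE + DEBUG_STRINGS
STRIPPED = CODE  # strip(1) drops the debug table but leaves the code untouched


def scan_for_markers(data: bytes, markers=MARKERS) -> list:
    """chkrootkit-style check: report every marker found anywhere in the file."""
    return [m.decode() for m in markers if m in data]


def code_digest(data: bytes, code_len: int = len(CODE)) -> str:
    """Digest of the executable bytes only; independent of debug info and strip."""
    return hashlib.sha256(data[:code_len]).hexdigest()


def verify_against_known_good(data: bytes, known_good_digest: str) -> bool:
    """The check Sam recommends: rebuild on a trusted host, then compare digests."""
    return code_digest(data) == known_good_digest


if __name__ == "__main__":
    # Signature scan disagrees with itself across the two builds ...
    print("unstripped markers:", scan_for_markers(UNSTRIPPED))  # ['addr.h']
    print("stripped markers:  ", scan_for_markers(STRIPPED))    # []
    # ... while the code digest is identical, so a known-good comparison holds.
    known_good = code_digest(UNSTRIPPED)  # digest taken on a trusted machine
    print("stripped matches known-good build:",
          verify_against_known_good(STRIPPED, known_good))
```

Running it shows the scan reporting the marker only for the unstripped layout while both layouts verify against the same known-good digest.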