[SGVLUG] False positive?: "LKM Trojan Installed"

Emerson, Tom Tom.Emerson at wbconsultant.com
Mon Oct 16 15:26:00 PDT 2006


> -----Original Message----- Of David Lawyer
> 
> When my cron jobs run, ... I get email reports 
> ... that a possible LKM Trojan was installed.
[...]
> per what I saw on the Internet, chkproc can make a mistake 
> since it takes a snapshot of both the output of "ps" and the 
> list of processes in the /proc/ directory.
[...]
> So since chkproc takes a snapshot of the output of ps and the 
> list of processes in /proc at slightly different times, 
> there's supposedly a possibility of an error since a process 
> may be born or die while the chkproc is gathering the info 
> (including the time ps is gathering its info, etc.).

Yes, this is often referred to as a "race" condition -- some data may
change state between system calls, and there is very little you can do
about it.

One possible way to avoid this would be to capture the /proc directory
tree, capture the ps output, and AGAIN capture the /proc tree.  What you
need to pay particular attention to are processes that appear in BOTH
instances of the /proc output, but not the ps output.  If something
appears in the first /proc listing, but not in either the ps nor the
SECOND /proc listing, you can reasonably presume that the particular
process "died" between the call(s) used to capture the first /proc
listing and the running of ps.  Anything that appears in the second
/proc listing that isn't in the first nor the ps output may be a brand
new process.

Back to the original comment, "...a possible LKM was installed..." -- do
you regularly get this "report", or is it intermittent?  If this happens
every time the process runs, then that points more towards a real threat
(then again, it could be a side effect of taking the measurement in the
first place, i.e., the process that "dies" between /proc scans and ps
might just happen to be the /proc scan itself...)
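The three-snapshot comparison described in the reply above, written out as an added example (it is not code from the original message or from chkrootkit). It assumes a Linux `/proc` and a `ps` that accepts `-e -o pid=`; the classification itself is pure and can be exercised with constructed PID sets.

```python
"""Snapshot /proc, run ps, snapshot /proc again, and sort the differences."""
import os
import subprocess


def snapshot_proc():
    """PIDs currently visible as numeric directory entries in /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def snapshot_ps():
    """PIDs reported by ps; 'ps -e -o pid=' prints bare PIDs, one per line."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def classify(proc_first, ps_pids, proc_second):
    """Sort PIDs into the three buckets the reply describes.

    hidden: in BOTH /proc listings but missing from ps -> the only bucket
            that deserves a closer look (ps cannot see the process)
    died:   in the first /proc listing only -> exited while ps was running,
            i.e. the race condition, not a hidden process
    new:    in the second /proc listing only -> born after ps ran
    Anything present in ps is accounted for and is not flagged.
    """
    proc_first, ps_pids, proc_second = set(proc_first), set(ps_pids), set(proc_second)
    return {
        "hidden": sorted((proc_first & proc_second) - ps_pids),
        "died": sorted(proc_first - ps_pids - proc_second),
        "new": sorted(proc_second - ps_pids - proc_first),
    }


def check_hidden_processes():
    """Live check: only the 'hidden' bucket is a candidate for follow-up.

    Caveat: a PID that died and was reused by a new process between the two
    /proc listings would also land in 'hidden', so repeat the check before
    treating a single hit as evidence of anything.
    """
    first = snapshot_proc()
    ps_pids = snapshot_ps()
    second = snapshot_proc()
    return classify(first, ps_pids, second)


if __name__ == "__main__":
    print(check_hidden_processes())
```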
