[SGVLUG] False positive?: "LKM Trojan Installed"
David Lawyer
dave at lafn.org
Tue Oct 17 23:23:59 PDT 2006
On Mon, Oct 16, 2006 at 03:26:00PM -0700, Emerson, Tom wrote:
> > -----Original Message----- Of David Lawyer
> >
> > When my cron jobs run, ... I get email reports
> > ... that a possible LKM Trojan was installed.
> [...]
> > per what I saw on the Internet, chkproc can make a mistake
> > since it takes a snapshot of both the output of "ps" and the
> > list of processes in the /proc/ directory.
> [...]
> > So since chkproc take a snapshot of the output of ps and the
> > list of processes in /proc at slightly different times,
> > there's supposedly a possibility of an error since a process
> > may be born or die while the chkproc is gathering the info
> > (including the time ps is gathering it info, etc.).
>
> Yes, this is often referred to as a "race" condition -- some data may
> change state between system calls, and there is very little you can do
> about it.
[snip]
>
> Back to the original comment, "...a possible LKM was installed..." -- do
> you regularly get this "report", or is it intermittent?
Don't know since I seldom actually read the emails I get from cron jobs.
And I've set most of the "daily" cron jobs to run every 3 days to save CPU
power. I'll now start reading future ones and find out if it repeats.
Just now looked at another new email report and no LKM problem reported.
So I suppose that it's intermittent.
> If this happens every time the process runs, then that points more
> towards a real threat (then again, it could be a side effect of
> taking the measurement in the first place, i.e., the process that
> "dies" between /proc scans and ps might just happen to be the /proc
> scan itself...)
David Lawyer
More information about the SGVLUG
mailing list