Debian Bug report logs - #457828
chkrootkit: Killing a random PID with an arbitrary signal to test whether it is a trojan is extremely impolite


Package: chkrootkit; Maintainer for chkrootkit is Giuseppe Iuculano <iuculano@debian.org>; Source for chkrootkit is src:chkrootkit.

Reported by: Tim Connors <reportbug@rather.puzzling.org>

Date: Wed, 26 Dec 2007 11:18:13 UTC

Severity: critical

Merged with 421864

Found in version chkrootkit/0.47-1.1

Fixed in versions chkrootkit/0.48-2, chkrootkit/0.47-2

Done: Francois Marier <francois@debian.org>

Bug is archived. No further changes may be made.

Forwarded to Nelson Murilo <nelson@pangeia.com.br>




Report forwarded to debian-bugs-dist@lists.debian.org, lantz moore <lmoore@debian.org>:
Bug#457828; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to Tim Connors <reportbug@rather.puzzling.org>:
New Bug report received and forwarded. Copy sent to lantz moore <lmoore@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tim Connors <reportbug@rather.puzzling.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chkrootkit: Killing a random PID with an arbitrary signal to test whether it is a trojan is extremely impolite
Date: Wed, 26 Dec 2007 22:16:20 +1100
Package: chkrootkit
Version: 0.47-1.1
Severity: critical
Justification: breaks unrelated software

In testing for the Enye LKM, chkrootkit sends signal 58 to PID 12345.
This has a chance of hitting any one process of 1/32767.  On the
system I am typing this on in its current state, I have 350 processes
running, and it is not currently busy, so that's 1/100 chance of
hitting a process by random.

If the system is up for a while, and I run chkrootkit in a daily
cronjob, I can expect a random process to be sent signal 58 once every
100 days or so.

The other day, it killed gnuplot_x11, which I only noticed once I read
my mail saying chkrootkit had "Enye LKM found".  It certainly
explained why a script of mine got confused, and I could tell it had
killed gnuplot_x11 because it was still in a zombie state, having not
yet been reaped by gnuplot, and it was running as pid 12345.  There
are reports on the net of it killing other processes.

That signal number is not documented in 'man 7 signal', so I guess
it's not likely anything would install a signal handler that could
deal with 58.  Presumably chkrootkit is hoping that signal would be
rejected by the kernel as invalid, but that assumption is invalid
today:

$ sleep 1000 &
[1] 19277
$ kill -58 19277
[1]+  Real-time signal 24     sleep 1000
$

Incidentally, the documentation of the tests in chkproc.c needs a lot
of work: 'man 2 kill' doesn't describe kill as ever being able to
return a positive error value, but of course it must, because I got
the "Enye LKM found" message.  It took me a while to work out that
that code was trying to do anything other than detect for the presence
of pid 12345.  Perhaps the signals it is sending could be better
documented, as to the test for the error return value, and indeed the
previous test for the Adobe LKM, using an errno magic number instead of
symbolic name.  And why it sends signal 100 to init first without
testing the result.



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23 (SMP w/2 CPU cores)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils            2.18.1~cvs20071027-2 The GNU assembler, linker and bina
ii  debconf [debconf-2. 1.5.17               Debian configuration management sy
ii  libc6               2.7-5                GNU C Library: Shared libraries
ii  net-tools           1.60-19              The NET-3 networking toolkit
ii  procps              1:3.2.7-5            /proc file system utilities

chkrootkit recommends no packages.

-- debconf information:
  chkrootkit/run_daily: false
  chkrootkit/run_daily_opts: -q
  chkrootkit/diff_mode: false




Information forwarded to debian-bugs-dist@lists.debian.org, lantz moore <lmoore@debian.org>:
Bug#457828; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to Matt Taggart <taggart@debian.org>:
Extra info received and forwarded to list. Copy sent to lantz moore <lmoore@debian.org>. Full text and rfc822 format available.

Message #10 received at 457828@bugs.debian.org (full text, mbox):

From: Matt Taggart <taggart@debian.org>
To: 457828@bugs.debian.org
Subject: chkrootkit: Enye LKM signal
Date: Sun, 16 Mar 2008 19:37:36 -0700
I can confirm this bug in 0.47-1.1 and it's also in upstream 0.48. Here's 
the code from chkproc

   /* Check for Enye LKM */
   /* kill() returns 0 on success and -1 on failure, so the branch is taken
    * whenever *any* process with pid 12345 exists and we are allowed to
    * signal it; signal 58 is a valid real-time signal and terminates it.
    * errno is not set on success, so the value added to retdir is stale. */
   if (kill (12345, 58) >= 0)
   {
      printf("Enye LKM found\n");
      retdir+= errno;
   }

I agree it's a bad idea.

-- 
Matt Taggart
taggart@debian.org
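Added example, not code from chkrootkit or from any message in this log: a small C program that puts Tim's shell demonstration (signal 58 is a live real-time signal) and the chkproc.c fragment Matt quoted into one runnable check. It parameterises the original test on the target pid so it can be pointed at a throwaway child, shows with waitpid() that the child dies with signal 58, and uses the harmless signal-0 probe to report whether pid 12345 is currently in use. The values 12345 and 58 are the ones in chkproc.c; the function names (enye_check_original, signal_is_deliverable, pid_exists, spawn_victim, demonstrate) are this example's own. The signal-0 probe only says whether a process with that pid exists, nothing about an LKM hooking kill(), so it measures the collision window Tim describes rather than replacing the detection.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constants as they appear in the chkproc.c fragment quoted in this bug. */
#define ENYE_PID 12345
#define ENYE_SIG 58

/* The original test, with the target pid made a parameter so the demo can
 * aim it at a throwaway child instead of whatever owns pid 12345 right now.
 * kill() returns 0 on success, so this "finds" the LKM whenever any process
 * with that pid exists and the caller may signal it. */
static int enye_check_original(pid_t target)
{
    return kill(target, ENYE_SIG) >= 0;
}

/* Is `sig` a number the kernel will deliver?  Querying the disposition with
 * sigaction() fails with EINVAL for invalid numbers and sends nothing. */
static int signal_is_deliverable(int sig)
{
    struct sigaction sa;
    return sigaction(sig, NULL, &sa) == 0;
}

/* Harmless existence probe: signal 0 performs the pid lookup and permission
 * checks but delivers nothing.  Returns 1 if a process with that pid exists
 * (including one we are not allowed to signal), 0 otherwise. */
static int pid_exists(pid_t target)
{
    if (kill(target, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* Fork a child that waits for a signal.  It self-destructs via SIGALRM after
 * 5 s so a broken run cannot hang in waitpid().  Returns the child's pid. */
static pid_t spawn_victim(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        alarm(5);
        pause();
        _exit(0);
    }
    return pid;
}

/* Run the original check against a live child and report what it did to the
 * child.  Returns the terminating signal number, 0 if the child survived or
 * exited normally, -1 on error. */
static int demonstrate(void)
{
    int status;
    pid_t child = spawn_victim();
    if (child < 0)
        return -1;
    int found = enye_check_original(child);
    if (waitpid(child, &status, 0) < 0)
        return -1;
    if (found && WIFSIGNALED(status))
        return WTERMSIG(status);
    return 0;
}

int main(void)
{
    printf("signal %d deliverable: %s (SIGRTMIN+%d on this libc)\n",
           ENYE_SIG, signal_is_deliverable(ENYE_SIG) ? "yes" : "no",
           ENYE_SIG - SIGRTMIN);
    printf("pid %d currently in use: %s\n", ENYE_PID,
           pid_exists(ENYE_PID) ? "yes" : "no");
    int sig = demonstrate();
    if (sig > 0)
        printf("\"Enye LKM found\", and the probe killed the child with "
               "signal %d (%s)\n", sig, strsignal(sig));
    else
        printf("child survived, result %d\n", sig);
    return 0;
}
```

On a glibc/Linux system SIGRTMIN is 34, so 58 prints as SIGRTMIN+24, matching the "Real-time signal 24" bash reported in the first message; real-time signals have a default disposition of terminate, which is why the child is reaped with WTERMSIG 58 rather than surviving.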






Merged 421864 457828. Request was from Matt Taggart <taggart@debian.org> to control@bugs.debian.org. (Mon, 17 Mar 2008 02:51:03 GMT) Full text and rfc822 format available.

Reply sent to Francois Marier <francois@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tim Connors <reportbug@rather.puzzling.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 457828-close@bugs.debian.org (full text, mbox):

From: Francois Marier <francois@debian.org>
To: 457828-close@bugs.debian.org
Subject: Bug#457828: fixed in chkrootkit 0.48-2
Date: Mon, 21 Apr 2008 11:17:03 +0000
Source: chkrootkit
Source-Version: 0.48-2

We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive:

chkrootkit_0.48-2.diff.gz
  to pool/main/c/chkrootkit/chkrootkit_0.48-2.diff.gz
chkrootkit_0.48-2.dsc
  to pool/main/c/chkrootkit/chkrootkit_0.48-2.dsc
chkrootkit_0.48-2_amd64.deb
  to pool/main/c/chkrootkit/chkrootkit_0.48-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457828@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier <francois@debian.org> (supplier of updated chkrootkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Apr 2008 22:41:11 +1200
Source: chkrootkit
Binary: chkrootkit
Architecture: source amd64
Version: 0.48-2
Distribution: unstable
Urgency: high
Maintainer: Francois Marier <francois@debian.org>
Changed-By: Francois Marier <francois@debian.org>
Description: 
 chkrootkit - rootkit detector
Closes: 234469 347879 402477 406493 411128 426068 436626 457828 466967 469724
Changes: 
 chkrootkit (0.48-2) unstable; urgency=high
 .
   * Remove check for Enye LKM, which was causing unrelated
     software to die, hence the urgency (closes: #457828)
   * Improve layout of main manpage (closes: #469724)
   * Remove stripping in the upstream Makefile (closes: #436626)
   * Add error messages when commands are not found (closes: #347879)
   * Fix shell history anomaly (closes: #402477)
   * New option to exclude false positives from the list of reported
     dotfiles (closes: #406493, #426068)
   * Rename /proc/ksyms to /proc/kallsyms on 2.6 kernels (closes: #411128)
   * Fix NFS-skipping -n option (closes: #234469)
   * Debconf templates and debian/control reviewed by the debian-l10n-
     english team as part of the Smith review project. (closes: #466967)
Checksums-Sha1: 
 4f6af1cbe30f03dd76f563a7882006adebdaaffd 1161 chkrootkit_0.48-2.dsc
 d6d6cdb52671e51a0fb8243bf9f862fe68f3764e 26810 chkrootkit_0.48-2.diff.gz
 3b0542bfeba955187811a193b7612c192c036993 295908 chkrootkit_0.48-2_amd64.deb
Checksums-Sha256: 
 dd05f908758950d752fc4a950070b2670edcf22f7ec4a68483c47281881d64a1 1161 chkrootkit_0.48-2.dsc
 f1e25e9680ec5eb9596e1efff12454fd271d9a46605cd27105d3d26be1a3f0fd 26810 chkrootkit_0.48-2.diff.gz
 9d910ccacc9e705a8264f05a5a30a54ecbddbe857b5e3fa3deffedb05e6fa5f9 295908 chkrootkit_0.48-2_amd64.deb
Files: 
 1fbd98edd42d2a7099403ac43e9a0d72 1161 misc optional chkrootkit_0.48-2.dsc
 cb31e97e7d55181b3dde3d6687c61eca 26810 misc optional chkrootkit_0.48-2.diff.gz
 91ba6d5d6f40a3ae2189e0ec22a8620a 295908 misc optional chkrootkit_0.48-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIDHBYScUZKBnQNIYRAr6KAKCU4Nm85ahMXSG7MLRc+NjY+UGg8gCfaCpU
eFuQGZBisxZY9uA74R5BWF0=
=nBA3
-----END PGP SIGNATURE-----





Reply sent to Francois Marier <francois@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Chris Withers <chris@simplistix.co.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Francois Marier <francois@debian.org>:
Bug#457828; Package chkrootkit. Full text and rfc822 format available.

Acknowledgement sent to Christian Kujau <lists@nerdbynature.de>:
Extra info received and forwarded to list. Copy sent to Francois Marier <francois@debian.org>. Full text and rfc822 format available.

Message #27 received at 457828@bugs.debian.org (full text, mbox):

From: Christian Kujau <lists@nerdbynature.de>
To: 457828@bugs.debian.org
Cc: francois@debian.org
Subject: on detecting Enye LKM
Date: Sun, 27 Apr 2008 00:00:52 +0200 (CEST)
Hi,

while reading #457828 I wanted to find out more about this Enye LKM
and stumbled over another method to check for this particular rootkit.

How about:
http://www.binrev.com/forums/index.php?showtopic=19617&st=0&p=217399&#entry217399

Thanks,
Christian.
-- 
BOFH excuse #304:

routing problems on the neural net




Reply sent to Francois Marier <francois@debian.org>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Message #30 received at 457828-forwarded@bugs.debian.org (full text, mbox):

From: Francois Marier <francois@debian.org>
To: Nelson Murilo <nelson@pangeia.com.br>
Cc: 457828-forwarded@bugs.debian.org
Subject: Fwd: on detecting Enye LKM
Date: Sun, 27 Apr 2008 11:17:05 +1200
Hi Nelson,

A Debian user found the following way to detect the Enye LKM rootkit module:

  http://www.binrev.com/forums/index.php?showtopic=19617&st=0&p=217399&#entry217399

Perhaps it could be useful for you.

Cheers,
Francois




Reply sent to Francois Marier <francois@debian.org>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:29:58 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:05:47 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.