From: ZEKI CATAV (zcatav@isnet.net.tr)
Date: Thu 29 Jan 2004 - 09:01:03 EST
> Hello,
> If you recently did an upgrade [apt-get upgrade], sash may have been
> installed on your system as well. The only thing I could find out about
> sash is that it is a secure(?) shell. You can get rid of this sashroot
> account with apt-get --purge remove sash.
>
> > The following lines appear in the rootkit scan report.
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > Is this really a trojan? If so, why login
>
> A bug like this concerning LKM was reported a long time ago.
> If the process numbers you get when you run chkrootkit -x lkm are
> between 0 and 6, it is caused by this bug.
>
> http://www.mail-archive.com/debian-security@lists.debian.org/msg10982.html
>
> From there you can also find the addresses of the related bug reports.
>
> Best regards...
Hello,
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 3: not in ps output
CWD 3: /
EXE 3: /
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
You have 4 process hidden for ps command
# apt-get --purge remove sash
Reading Package Lists... Done
Building Dependency Tree... Done
The following packages will be REMOVED:
harden* harden-environment* sash*
0 packages upgraded, 0 newly installed, 3 to remove and 237 not upgraded.
Need to get 0B of archives. After unpacking 698kB will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 96128 files and directories currently installed.)
Removing harden ...
Purging configuration files for harden ...
Removing harden-environment ...
Removing sash ...
Purging configuration files for sash ...
Above is the output of both operations. I think the LKM case matches the
bug description, as you said.
sash (stand alone shell) appears to have been installed on the system
together with harden and harden-environment. In Kpackage, sash did not
show up as installed. By removing all three packages I got rid of
sashroot. But I don't know whether that was a good thing.
Thanks for your attention..
-- Zeki Çatav <zcatav@isnet.net.tr>
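As an added example (not from the thread or from chkrootkit itself), a small Python reimplementation of the /proc-versus-ps comparison behind chkproc's "PID n: not in ps output" lines, which also separates the low-PID kernel-thread case the reply describes (PIDs 0-6, taken here as the threshold) from hidden PIDs that actually warrant a look. The threshold, the live-collection helpers and the sample PID sets are assumptions.

```python
import os
import subprocess

# Assumption taken from the reply above: the Debian-era chkrootkit "lkm"
# check flags kernel threads with PIDs 0..6 as hidden (present in /proc,
# not listed by ps). Hidden PIDs above that range are not explained by it.
KERNEL_THREAD_MAX_PID = 6

def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output, sorted (the
    comparison behind each 'PID n: not in ps output' line)."""
    return sorted(set(proc_pids) - set(ps_pids))

def classify(hidden):
    """Split hidden PIDs into the known low-PID false-positive range and
    the ones that actually deserve investigation."""
    benign = [p for p in hidden if p <= KERNEL_THREAD_MAX_PID]
    suspicious = [p for p in hidden if p > KERNEL_THREAD_MAX_PID]
    return benign, suspicious

def analyze(proc_pids, ps_pids):
    """Pure analysis step, so it runs on constructed or captured data."""
    hidden = hidden_pids(proc_pids, ps_pids)
    benign, suspicious = classify(hidden)
    if not hidden:
        verdict = "no hidden processes"
    elif not suspicious:
        verdict = "only low-PID kernel threads hidden (known lkm false positive)"
    else:
        verdict = "hidden PIDs outside kernel-thread range: investigate"
    return {"hidden": hidden, "benign": benign,
            "suspicious": suspicious, "verdict": verdict}

def live_proc_pids():
    """Numeric /proc entries, as chkproc enumerates them (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def live_ps_pids():
    """PIDs reported by ps, the other side of the comparison."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

# Constructed sample mirroring the thread's chkproc output: PIDs 3-6 exist
# in /proc but are missing from ps, which is the benign case.
SAMPLE_PROC = {1, 2, 3, 4, 5, 6, 100, 200}
SAMPLE_PS = {1, 2, 100, 200}
if __name__ == "__main__":
    print(analyze(SAMPLE_PROC, SAMPLE_PS))
    print(analyze(live_proc_pids(), live_ps_pids()))
```

Running it on a live host compares the current /proc listing against ps; a mismatch on PIDs above the kernel-thread range is the case that needs investigation rather than the bug the reply points to.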