most recently...
# /usr/sbin/chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 3
###
CWD 8924: /var/lib/mysql
EXE 8924: /usr/sbin/mysqld
CWD 8925: /var/lib/mysql
EXE 8925: /usr/sbin/mysqld
CWD 9223: /var/lib/mysql
EXE 9223: /usr/sbin/mysqld
CWD 9249: /var/lib/mysql
EXE 9249: /usr/sbin/mysqld
CWD 9251: /var/lib/mysql
EXE 9251: /usr/sbin/mysqld
CWD 9252: /var/lib/mysql
EXE 9252: /usr/sbin/mysqld
CWD 9253: /var/lib/mysql
EXE 9253: /usr/sbin/mysqld
CWD 9254: /var/lib/mysql
EXE 9254: /usr/sbin/mysqld
CWD 9256: /var/lib/mysql
EXE 9256: /usr/sbin/mysqld
CWD 9257: /var/lib/mysql
EXE 9257: /usr/sbin/mysqld
CWD 9258: /var/lib/mysql
EXE 9258: /usr/sbin/mysqld
CWD 9631: /var/lib/mysql
EXE 9631: /usr/sbin/mysqld
CWD 10257: /var/lib/mysql
EXE 10257: /usr/sbin/mysqld
CWD 10876: /var/lib/mysql
EXE 10876: /usr/sbin/mysqld
CWD 12320: /
EXE 12320: /usr/sbin/clamd
CWD 12984: /var/lib/mysql
EXE 12984: /usr/sbin/mysqld
CWD 13681: /var/lib/mysql
EXE 13681: /usr/sbin/mysqld
SIGINVISIBLE Adore found
# ls /proc/8924/task/
10257 10876 12984 13681 8922 8924 8925 9223 9249 9251 9252
9253 9254 9256 9257 9258 9631
# cat /proc/8924/cmdline
/usr/sbin/mysqld--basedir=/usr--datadir=/var/lib/mysql--user=mysql--pid-file=/var/run/mysqld/mysqld.pid--skip-locking--port=3306--socket=/var/run/mysqld/mysqld.sock
# cat /proc/12320/cmdline
/usr/sbin/clamd
# ps auxw -T
USER PID SPID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 1 0.0 0.0 1552 488 ? S Mar04 0:10
init [3]
root 8868 8868 0.0 0.1 1652 568 ? Ss Mar04 0:14
/sbin/syslogd
mail 8871 8871 0.0 0.0 11196 476 ? S Mar04 0:00
/etc/rc3.d/S15exact start
root 8878 8878 0.0 0.2 4764 1124 ? Ss Mar04 0:00
/usr/sbin/lwresd
root 8889 8889 0.0 0.1 2628 1036 ? S Mar04 0:00
/bin/sh /usr/bin/mysqld_safe
mysql 8922 8922 0.0 2.6 68604 14052 ? S Mar04 0:01
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 8924 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 8925 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9223 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9249 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9251 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9252 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9253 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9254 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9256 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9257 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9258 0.0 2.6 68604 14052 ? S Mar04 0:00
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 9631 0.0 2.6 68604 14052 ? S Mar04 0:08
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 10257 0.0 2.6 68604 14052 ? S Mar04 0:07
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 10876 0.0 2.6 68604 14052 ? S Mar04 0:08
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 12984 0.0 2.6 68604 14052 ? S Mar04 0:07
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
mysql 8922 13681 0.0 2.6 68604 14052 ? S Mar04 0:07
/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user
root 8923 8923 0.0 0.0 1584 440 ? S Mar04 0:00
logger -p daemon.err -t mysqld_safe -i -t mysqld
cyrus 8954 8954 0.0 0.0 2308 276 ? Ss Mar04 0:00
/usr/sbin/pwcheck
spamd 8970 8970 0.0 1.2 24660 6464 ? Ss Mar04 0:00
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-d
bind 8977 8977 0.0 0.3 4936 1980 ? Ss Mar04 0:06
/usr/sbin/named -u bind
clamav 9006 9006 0.0 3.3 47520 17660 ? Ss Mar04 0:03
/usr/sbin/clamd
clamav 9006 11713 0.2 3.3 47520 17660 ? Ss 15:01 0:00
/usr/sbin/clamd
root 9012 9012 0.0 0.0 1768 316 ? S Mar04 0:00
/usr/sbin/courierlogger -pid=/var/run/courier/authdaemon/pid -s
root 9013 9013 0.0 0.1 2440 548 ? S Mar04 0:00
/usr/lib/courier/authlib/authdaemond.mysql
root 9015 9015 0.0 0.1 2488 684 ? S Mar04 0:06
/usr/lib/courier/authlib/authdaemond.mysql
root 9016 9016 0.0 0.1 2488 684 ? S Mar04 0:05
/usr/lib/courier/authlib/authdaemond.mysql
root 9017 9017 0.0 0.1 2568 776 ? S Mar04 0:05
/usr/lib/courier/authlib/authdaemond.mysql
root 9018 9018 0.0 0.1 2488 684 ? S Mar04 0:05
/usr/lib/courier/authlib/authdaemond.mysql
root 9019 9019 0.0 0.1 2488 684 ? S Mar04 0:05
/usr/lib/courier/authlib/authdaemond.mysql
root 9024 9024 0.0 0.0 1884 472 ? S Mar04 0:00
/usr/sbin/couriertcpd -address=0 -stderrlogger=/usr/sbin/courie
root 9026 9026 0.0 0.0 1772 448 ? S Mar04 0:00
/usr/sbin/courierlogger imaplogin
root 9037 9037 0.0 0.0 1884 420 ? S Mar04 0:00
/usr/sbin/couriertcpd -address=0 -stderrlogger=/usr/sbin/courie
root 9039 9039 0.0 0.0 1640 256 ? S Mar04 0:00
/usr/sbin/courierlogger imapd-ssl
root 9045 9045 0.0 0.0 1880 472 ? S Mar04 0:02
/usr/sbin/couriertcpd -pid=/var/run/courier/pop3d.pid -stderrlo
root 9047 9047 0.0 0.0 1772 448 ? S Mar04 0:10
/usr/sbin/courierlogger courierpop3login
root 9058 9058 0.0 0.0 1884 420 ? S Mar04 0:00
/usr/sbin/couriertcpd -pid=/var/run/courier/pop3d-ssl.pid -stde
root 9060 9060 0.0 0.0 1636 256 ? S Mar04 0:00
/usr/sbin/courierlogger pop3d-ssl
Debian- 9205 9205 0.0 0.1 8424 964 ? Ss Mar04 0:02
/usr/sbin/exim4 -bd -q30m
root 9211 9211 0.0 0.0 1592 332 ? Ss Mar04 0:00
/usr/sbin/inetd
list 9224 9224 0.0 0.3 8304 1716 ? Ss Mar04 0:00
/usr/bin/python /usr/lib/mailman/bin/mailmanctl -s start
list 9231 9231 0.0 0.9 8716 5060 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunne
root 9232 9232 0.0 0.1 3624 728 ? Ss Mar04 0:00
/usr/sbin/sshd
list 9234 9234 0.0 0.8 8340 4580 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRun
list 9235 9235 0.0 0.4 8324 2232 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRu
list 9236 9236 0.0 0.8 8368 4684 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingR
list 9237 9237 0.0 0.4 8220 2240 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunne
list 9238 9238 0.0 0.8 8356 4424 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingR
list 9239 9239 0.0 0.8 8348 4268 ? S Mar04 0:01
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRun
list 9240 9240 0.0 0.4 8212 2200 ? S Mar04 0:00
/usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunn
daemon 9244 9244 0.0 0.0 1808 308 ? Ss Mar04 0:00
/usr/sbin/atd
root 9247 9247 0.0 0.1 1868 732 ? Ss Mar04 0:00
/usr/sbin/cron
root 12663 12663 0.0 0.4 12032 2464 ? Ss Mar05 0:00
/usr/sbin/apache2 -k start -DSSL
www-data 12736 12736 0.0 1.5 17132 8100 ? S Mar05 0:04
/usr/sbin/apache2 -k start -DSSL
www-data 12738 12738 0.0 1.5 19072 8216 ? S Mar05 0:04
/usr/sbin/apache2 -k start -DSSL
www-data 12739 12739 0.0 1.5 17616 8272 ? S Mar05 0:05
/usr/sbin/apache2 -k start -DSSL
www-data 2752 2752 0.0 1.4 17844 7452 ? S Mar05 0:04
/usr/sbin/apache2 -k start -DSSL
www-data 25004 25004 0.0 1.6 20424 8392 ? S Mar05 0:06
/usr/sbin/apache2 -k start -DSSL
www-data 15007 15007 0.0 1.4 17852 7520 ? S Mar05 0:06
/usr/sbin/apache2 -k start -DSSL
www-data 18874 18874 0.0 1.6 17556 8644 ? S Mar05 0:06
/usr/sbin/apache2 -k start -DSSL
www-data 19758 19758 0.0 1.4 17668 7700 ? S Mar05 0:02
/usr/sbin/apache2 -k start -DSSL
www-data 19759 19759 0.0 1.5 20308 8024 ? S Mar05 0:04
/usr/sbin/apache2 -k start -DSSL
www-data 5437 5437 0.0 1.4 17496 7652 ? S Mar05 0:03
/usr/sbin/apache2 -k start -DSSL
spamd 10145 10145 0.0 3.3 26340 17672 ? S 14:53 0:00
spamd child
spamd 10381 10381 0.0 3.4 26400 18192 ? S 14:55 0:00
spamd child
spamd 10409 10409 0.2 3.5 26616 18580 ? S 14:55 0:00
spamd child
spamd 10495 10495 0.0 3.4 26232 17848 ? S 14:56 0:00
spamd child
spamd 10737 10737 0.0 1.0 24660 5436 ? S 14:58 0:00
spamd child
root 11392 11392 0.0 0.3 14604 1908 ? Ss 15:00 0:00
sshd: [EMAIL PROTECTED]/0
root 11419 11419 0.0 0.2 2700 1484 pts/0 Ss 15:00 0:00 -bash
root 11752 11752 0.0 0.1 2608 884 pts/0 R+ 15:01 0:00 ps
auxw -T
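...hope that's helpful: every mysqld PID that chkproc lists above also appears under /proc/8924/task and in the SPID column of `ps auxw -T` (thread group 8922), which points to threads of a visible process rather than hidden processes. PID 12320 (clamd) does not appear in the later ps listing, which shows clamd as 9006 with a thread 11713, so it may have been a short-lived clamd thread...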