Have I been kitted?

From: Terry Browning (terry@nihil.demon.co.uk)
Date: 06/09/02

• Previous message: Averroes: "Time Stamp Server under Linux"
• Next in thread: Lim Ghee Lam: "Re: Have I been kitted?"
• Reply: Lim Ghee Lam: "Re: Have I been kitted?"
• Reply: Matthew Thompson: "RE: Have I been kitted?"
• Reply: Hans-Joachim Picht: "Re: Have I been kitted?"
• Reply: Willi Dyck: "Re: Have I been kitted?"
• Reply: Matthew Berg: "Re: Have I been kitted?"
• Reply: Patrick Andry: "Re: Have I been kitted?"
• Reply: Ben Boulanger: "Re: Have I been kitted?"
• Reply: Tommy McLeod: "RE: Have I been kitted?"
• Reply: Matthew Berg: "Re: Have I been kitted?"
• Reply: Muhammad Faisal Rauf Danka: "Re: Have I been kitted?"
• Reply: Matthew Berg: "Re: Have I been kitted?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Terry Browning <terry@nihil.demon.co.uk>
To: focus-linux@securityfocus.com
Date: 09 Jun 2002 12:19:57 +0100

Maybe it's my paranoia, but I've been adding a few tools to my system
recently, and I've had a small panic as a result.

Using chkrootkit:

Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Should I panic and if so, how much?

Also, `nmap -sS -p 1-65535 127.0.0.1` says:
8000/tcp open unknown
8200/tcp open unknown
10000/tcp open unknown

and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
All 65535 scanned ports on (...) are: filtered

Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
chasing my tail?

What is the best strategy for dealing with an LKM kit? Reinstall linux
from CD or try to remove it?

---

• Previous message: Averroes: "Time Stamp Server under Linux"
• Next in thread: Lim Ghee Lam: "Re: Have I been kitted?"
• Reply: Lim Ghee Lam: "Re: Have I been kitted?"
• Reply: Matthew Thompson: "RE: Have I been kitted?"
• Reply: Hans-Joachim Picht: "Re: Have I been kitted?"
• Reply: Willi Dyck: "Re: Have I been kitted?"
• Reply: Matthew Berg: "Re: Have I been kitted?"
• Reply: Patrick Andry: "Re: Have I been kitted?"
• Reply: Ben Boulanger: "Re: Have I been kitted?"
• Reply: Tommy McLeod: "RE: Have I been kitted?"
• Reply: Matthew Berg: "Re: Have I been kitted?"
• Reply: Muhammad Faisal Rauf Danka: "Re: Have I been kitted?"
• Reply: Matthew Berg: "Re: Have I been kitted?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: My machine compromised? ... > Warning: Possible LKM Trojan installed ... noflushd: A running noflushd and a 2.2 kernel may cause chkrootkit to ... about the presence of lkm. ... (Debian-User) Re: chkrootkit.0.41 problem ... the latest version of chkrootkit. ... instruction you are suggesting, I include the code I modified so you ... Warning: Possible LKM Trojan installed ... (comp.os.linux.security) Re: chkroot warning ... Thanks for all the replies, I did a chkrootkit -x lkm as was suggested in ... I don't know why nscd is running. ... > This is from the Mandrake list, but it also pertains to the lkm trojan, ... (comp.os.linux.security) Re: chkrootkit hidden processes possible LKM Trojan. ... Adam Hardy wrote: ... First one asks chkrootkit why it thinks there is an LKM Trojan on the system. ... Second one is the helper script run by chkrootkit that lists the hidden processes but can be run directly. ... (Debian-User) Re: chkrootkit.0.41 problem ... >Can I repair it? ... LKM testing looks ... for process IDs that don't jibe between /proc and ps, ... less chkrootkit and search for oops... ... (comp.os.linux.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-linux  > 2002-06