Re: Have I been kitted?

From: Willi Dyck (wdyck@gmx.net)
Date: 06/12/02


Date: Wed, 12 Jun 2002 22:30:34 +0200
From: Willi Dyck <wdyck@gmx.net>
To: focus-linux@securityfocus.com


On Sun, Jun 09, 2002 at 12:19:57PM +0100, Terry Browning did this all over the keyboard:
> Maybe it's my paranoia, but I've been adding a few tools to my system
> recently, and I've had a small panic as a result.
>
> Using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Should I panic and if so, how much?

It depends. Does chkrootkit complain about this every time you run it? If
so, I'd panic. I had the same output some weeks ago, and it turned out
that it must have been some ordinary process running between the two
checks that are performed by chkproc. It compares the output of 'ps'
against /proc/$PID, where $PID is the PID of every process currently
running. So if it happens that some ordinary process gets started between
those two checks, chkrootkit will complain about it.
As I ran chkrootkit manually after that, this complaint disappeared.

Check your IDS. Check against your backups. Put some tools like ps,
ifconfig, netstat, lsof, ls, find etc from a secure source on a floppy
and run them.

If you can't be 100% sure your box is clean, reinstall!

> Also, `nmap -sS -p 1-65535 127.0.0.1` says:
> 8000/tcp open unknown
> 8200/tcp open unknown
> 10000/tcp open unknown
>
> and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
> All 65535 scanned ports on (...) are: filtered
>
> Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
> chasing my tail?

No idea on this, sorry.

> What is the best strategy for dealing with an LKM kit? Reinstall linux
> from CD or try to remove it?

Well, how critical is this machine? If it's just a home machine, I'd try to
remove it just for fun. If not, reinstall.

HTH, regards

Willi

-- 
never offend people with style when you can
offend them with substance.
			--Sam Brown
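The race Willi describes (a process that starts between chkproc's ps call and its /proc walk shows up as "hidden for ps command") can be separated from a genuinely hidden PID by repeating the comparison and keeping only PIDs that are hidden in every run. The script below is an added example for this thread; it is not chkrootkit's code, and the order of the two samples (ps first, then /proc) is an assumption made for illustration, as is the `ps -eo pid=` invocation used to get the ps list. The snapshot sets in the usage note are constructed, not taken from the original poster's machine.

```python
# Added example, not chkrootkit's chkproc: re-run the "in /proc but not in ps"
# comparison several times and keep only PIDs hidden in every run.  A PID that
# is hidden in one run only is the race described in the thread (a process that
# started between the ps call and the /proc walk).  Sampling ps first and then
# /proc is an assumption for this example; chkproc's exact order is not shown.
import os
import subprocess
import time


def ps_pids():
    """PIDs as reported by ps(1).  Run a ps from trusted media if the local
    binary might be trojaned; a hidden process defeats this check otherwise."""
    out = subprocess.run(["ps", "-eo", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def proc_pids():
    """PIDs present as numeric directory names under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def live_snapshot():
    """One (ps, /proc) pair.  ps is sampled first, so a process that starts
    in between is present in /proc but absent from ps: the false-positive case."""
    ps = ps_pids()
    proc = proc_pids()
    return ps, proc


def hidden_pids(ps, proc):
    """chkproc's condition: PIDs that exist in /proc but ps did not list."""
    return set(proc) - set(ps)


def persistent_hidden(snapshots):
    """PIDs hidden in every snapshot.  A process that merely started mid-check
    drops out after one run; a PID hidden by a kernel module survives all runs."""
    hidden_sets = [hidden_pids(ps, proc) for ps, proc in snapshots]
    if not hidden_sets:
        return set()
    return set.intersection(*hidden_sets)


def classify(snapshots):
    """Split hidden PIDs into 'persistent' (hidden in every run) and
    'transient' (hidden in at least one run, but not all)."""
    persistent = persistent_hidden(snapshots)
    seen_any = set()
    for ps, proc in snapshots:
        seen_any |= hidden_pids(ps, proc)
    return {"persistent": persistent, "transient": seen_any - persistent}


def check_live(runs=3, delay=1.0):
    """Take `runs` live snapshots `delay` seconds apart and classify them."""
    snaps = []
    for _ in range(runs):
        snaps.append(live_snapshot())
        time.sleep(delay)
    return classify(snaps)


if __name__ == "__main__":
    result = check_live()
    for pid in sorted(result["transient"]):
        print(f"pid {pid}: hidden in one run only, probably started mid-check")
    for pid in sorted(result["persistent"]):
        print(f"pid {pid}: hidden in every run, investigate")
    if not result["persistent"]:
        print("no persistently hidden PIDs")
```

With constructed snapshots where PID 4242 starts between the ps call and the /proc walk in run 1, PID 5000 does the same in run 2, and PID 666 is missing from ps in all three runs, `classify` reports 4242 and 5000 as transient and only 666 as persistent. A kit that also filters /proc directory listings, or that replaces ps itself, will not show up this way at all, which is why the thread's advice to run ps, ls, netstat and friends from trusted media still stands.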



