RE: Have I been kitted?

From: Tommy McLeod
Date: 13 Jun 2002 15:22:37 +1200

> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed

Hmmm, Loadable Kernel Modules ... if you can't see it, it tends to be a
bad thing.....

There are many ways to check whether you have been 'root-kitted'.

Here are a couple of suggestions:

use md5sum on your lsof command (md5sum /usr/sbin/lsof)
run the same thing against your original binary (from the CD)
use lsof (lsof -i tcp and lsof -i udp)
check these against a ps of all processes.

NOTHING should be hidden.

use md5sum on your ps command, then do the same against the original
binary from your install CD.

use netstat to find out what ports "appear" to be open, then check these
against the output from what you got from the last lsof commands .....

If any of these don't tie up, you've been kitted.

LKM kits are much more difficult to detect (you can mess with argv[],
trojan ps, or do some mad stuff like create bad blocks on the disk and
hide files in there ..... )

check out this site for a description of what an LKM kit does .....
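The three cross-checks in the post above (md5 of a binary against a known-good copy, lsof against ps, netstat against lsof), as an added Python example that is not part of the original message. The `ps -e`, `lsof -nP -i` and `netstat -an` text below is constructed by hand to look like output from a box whose ps binary hides one process, the byte strings standing in for binaries are constructed, and the paths `/bin/ps` and `/usr/sbin/lsof` are assumed; `md5_of_file` is the only piece that touches the real filesystem.

```python
"""Rootkit cross-checks over constructed sample output (added example)."""
import hashlib
import re

# --- constructed samples; not real captures -------------------------------
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  412 ?        00:00:00 sshd
  533 ?        00:00:01 httpd
  600 ?        00:00:00 named
"""

# lsof -nP -i style: numeric ports, IPv4 listeners only (the regex below
# does not handle IPv6 brackets or established "->" pairs).
LSOF_OUTPUT = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4   1234       TCP *:22 (LISTEN)
httpd     533 root    4u  IPv4   1301       TCP *:80 (LISTEN)
named     600 named   5u  IPv4   1400       UDP *:53
bnc      2048 root    5u  IPv4   2222       TCP *:31337 (LISTEN)
"""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Byte strings standing in for the install-CD copy and the on-disk copy.
CLEAN_PS = b"constructed clean ps binary"
TROJANED_PS = b"constructed trojaned ps binary"
CLEAN_LSOF = b"constructed clean lsof binary"


def ps_pids(ps_out):
    """PIDs listed by ps: the first field of every line that starts with a number."""
    pids = set()
    for line in ps_out.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


LSOF_RE = re.compile(r"^\S+\s+(\d+)\s+.*?\b(TCP|UDP)\s+\S+?:(\d+)")


def lsof_sockets(lsof_out):
    """(pid, proto, local port) triples from lsof -nP -i output."""
    out = set()
    for line in lsof_out.splitlines():
        m = LSOF_RE.match(line)
        if m:
            out.add((int(m.group(1)), m.group(2).lower(), int(m.group(3))))
    return out


def netstat_ports(netstat_out):
    """(proto, local port) pairs from netstat -an output."""
    out = set()
    for line in netstat_out.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("tcp", "udp"):
            out.add((fields[0], int(fields[3].rsplit(":", 1)[1])))
    return out


def hidden_from_ps(lsof_out, ps_out):
    """PIDs that own sockets according to lsof but do not appear in ps."""
    return {pid for pid, _, _ in lsof_sockets(lsof_out)} - ps_pids(ps_out)


def ports_unexplained_by_lsof(netstat_out, lsof_out):
    """Ports netstat says are open that no lsof-visible process accounts for."""
    seen = {(proto, port) for _, proto, port in lsof_sockets(lsof_out)}
    return netstat_ports(netstat_out) - seen


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """md5 of a real file, read in chunks (the md5sum step of the post)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mismatched_binaries(baseline, current):
    """Paths whose current md5 differs from the known-good baseline."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)


# Paths are assumed; hashes come from the constructed byte strings above.
BASELINE_MD5 = {"/bin/ps": md5_hex(CLEAN_PS), "/usr/sbin/lsof": md5_hex(CLEAN_LSOF)}
CURRENT_MD5 = {"/bin/ps": md5_hex(TROJANED_PS), "/usr/sbin/lsof": md5_hex(CLEAN_LSOF)}

if __name__ == "__main__":
    print("hidden from ps:", hidden_from_ps(LSOF_OUTPUT, PS_OUTPUT))
    print("ports lsof cannot explain:", ports_unexplained_by_lsof(NETSTAT_OUTPUT, LSOF_OUTPUT))
    print("binaries that differ from baseline:", mismatched_binaries(BASELINE_MD5, CURRENT_MD5))
```

On the constructed sample the trojaned ps shows up twice: PID 2048 (the bnc listener on 31337) is in lsof but not in ps, and /bin/ps no longer matches its baseline hash. netstat and lsof agree, which is what a clean lsof looks like; if lsof were also trojaned, port 31337 would drop out of lsof and land in `ports_unexplained_by_lsof` instead. All three checks run through the running kernel, so an LKM kit that lies to every process defeats them; comparing against binaries from a CD only helps if the comparison itself runs from trustworthy media.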