RE: Have I been kitted?

From: Tommy McLeod (tommy.mcleod@vuw.ac.nz)
Date: 06/13/02


From: Tommy McLeod <tommy.mcleod@vuw.ac.nz>
To: focus-linux@securityfocus.com
Date: 13 Jun 2002 15:22:37 +1200


> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed

Hmmm, Loadable Kernel Modules ... if you can't see it, it tends to be a
bad thing.....

there are many ways to check whether you have been 'root-kitted'

Here's a couple of suggestions:

use md5sum on your lsof command (md5sum /usr/sbin/lsof)
run the same thing against your original binary (from the CD)
use lsof (lsof -i tcp and lsof -i udp)
check these against a ps of all processes.

NOTHING should be hidden.

use md5sum on your ps command, then do the same against the original
binary from your install CD.

use netstat to find out what ports "appear" to be open, then check these
against the output from what you got from the last lsof commands .....

If any of these don't tie up, you've been kitted.

LKM kits are much more difficult to detect (you can mess with argv[],
trojan ps, or do some mad stuff like create bad blocks on the disk and
hide files in there ..... )

check out this site for a description of what an LKM kit does .....

http://it.rising.com.cn/safety/safetyschool/ywyb/020129lkm.htm
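The cross-checks the post describes (ps against a second view of the process table, netstat against lsof), as an added Python example that is not part of the original message. The ps/netstat/lsof text below is constructed sample output in the usual column layouts, and the numeric entries under /proc are assumed to be the independent process list; the 31337 listener is the planted discrepancy.

```python
import os
import re

# Constructed sample outputs (not captured from a real host) so the checks
# can be exercised offline; compare them the way the post suggests.
PS_SAMPLE = """  PID CMD
    1 init
  412 sshd
  900 bash
"""
NETSTAT_SAMPLE = """Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:31337   0.0.0.0:*       LISTEN
udp        0      0 0.0.0.0:123     0.0.0.0:*
"""
LSOF_SAMPLE = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    412 root  3u IPv4  1234      0t0 TCP *:22 (LISTEN)
ntpd    501 ntp  16u IPv4  1240      0t0 UDP *:123
"""

def pids_from_ps(text):
    """PIDs from `ps -e`-style output: first column, header skipped."""
    cols = (line.split() for line in text.splitlines()[1:])
    return {int(c[0]) for c in cols if c and c[0].isdigit()}
def pids_from_proc(root="/proc"):
    """Independent view of the process table: numeric entries under /proc."""
    return {int(d) for d in os.listdir(root) if d.isdigit()}
def hidden_pids(proc_pids, ps_pids):
    """Processes /proc knows about that ps does not show; should be empty."""
    return sorted(set(proc_pids) - set(ps_pids))
def ports_from_netstat(text):
    """(proto, port) pairs netstat -an shows listening; UDP carries no state."""
    pat = re.compile(r"(tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\b")
    return {(m.group(1), int(m.group(2))) for m in map(pat.match, text.splitlines())
            if m and (m.group(1) == "udp" or "LISTEN" in m.string)}
def ports_from_lsof(text):
    """(proto, port) pairs that lsof -i tcp / lsof -i udp tie to a process."""
    pat = re.compile(r"\b(TCP|UDP)\s+\S*:(\d+)\b")
    return {(m.group(1).lower(), int(m.group(2))) for m in map(pat.search, text.splitlines())
            if m and (m.group(1) == "UDP" or "(LISTEN)" in m.string)}
def unexplained_ports(netstat_ports, lsof_ports):
    """Sockets one tool reports and the other does not; should be empty."""
    return sorted(netstat_ports ^ lsof_ports)

if __name__ == "__main__":
    print("hidden:", hidden_pids({1, 412, 900, 1337}, pids_from_ps(PS_SAMPLE)))
    print("unexplained:", unexplained_ports(ports_from_netstat(NETSTAT_SAMPLE),
                                            ports_from_lsof(LSOF_SAMPLE)))
```

On a live host, feed the real `ps -e`, `netstat -an` and `lsof -i` output into the same functions and compare against `pids_from_proc()`; any non-empty result is the kind of discrepancy the post says should never happen.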


