Re: LKM Trojan installed

From: Craig Holmes (Leusent@typeoneg.net)
Date: 02/07/03

    From: Craig Holmes <Leusent@typeoneg.net>
    To: "Rivanor P. Soares" <rivanor@bol.com.br>, focus-linux@securityfocus.com
    Date: Fri, 7 Feb 2003 16:40:20 -0500
    On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
    > Checking `lkm'... You have 69 process hidden for ps command
    > Warning: Possible LKM Trojan installed
    >
    > Could this be *true* ? How can I discover it?
    If this is true, then your 'ps' binary has been replaced with one that filters
    certain processes from your viewing.
    The best, easiest method to determine if this is true is to change
    directories to your /proc filesystem, and manually compare the PID
    corresponding directories to the PIDs you see in your ps output. If you
    notice extra PIDs (which you will quickly notice if you in fact have 69 hidden
    processes), then you should enter their corresponding directories and analyze
    the information within, to see if the process is malicious.
    If manually comparing your proc filesystem to your ps output seems like a
    daunting task, you could try downloading a fresh ps binary to your box, one
    which isn't backdoored. Only problem with this is, once it is on your
    potentially infected box, its output can no longer be trusted, as one of
    those 69 processes could maim the output of your new ps, not to mention how
    easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do so.

            Craig Holmes
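The /proc-versus-ps comparison Craig describes, scripted as an added example (not code from the original thread). The function names `hidden_pids`, `proc_pids`, `ps_pids` and `check_live` are assumptions; the PID lists in the comments are constructed sample input.

```sh
#!/bin/sh
# Added example: list PIDs that exist as /proc/<pid> directories but are
# absent from ps output, which is what a userland ps backdoor would hide.

# Print PIDs present in the first list but missing from the second.
# Both arguments are whitespace-separated PID lists, e.g. "1 2 3 4" and "1 3"
# (constructed sample) would print 2 and 4, one per line.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        found=0
        for p in $ps_list; do
            [ "$pid" = "$p" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && echo "$pid"
    done
}

# PIDs from /proc: numeric directory names only (skips /proc/sys, etc.).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
}

# PIDs as reported by ps (pid column only, no header).
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Compare the live system. A process that exits between the /proc scan and
# the ps call shows up as a false positive, so re-run before drawing any
# conclusion. A kernel-level backdoor can filter /proc as well, so an empty
# result does not prove the box is clean (as the reply above notes).
check_live() {
    hidden=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    if [ -n "$hidden" ]; then
        echo "PIDs in /proc but not in ps output:"
        echo "$hidden"
        echo "(inspect /proc/<pid>/cmdline, exe and status for each one)"
    else
        echo "No discrepancy between /proc and ps"
    fi
}

# Only touch the live system when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh hidden_pids.sh --live` on the host being examined; the snapshot should be taken from a trusted shell, since the box's own ps is the thing under suspicion.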