Re: LKM Trojan installed
From: Robert Jaroszuk (zim@tx.pl)
Date: 02/07/03
Date: Fri, 7 Feb 2003 23:06:54 +0100
From: Robert Jaroszuk <zim@tx.pl>
To: "Rivanor P. Soares" <rivanor@bol.com.br>
On Fri, 07 Feb 2003, Rivanor P. Soares wrote:
; While running 'chkrootkit' at my box (RH 7.3) I saw the following:
;
; Checking `lkm'... You have 69 process hidden for ps command
; Warning: Possible LKM Trojan installed
;
; Could this be *true* ? How can I discover it?
First of all - disconnect from the network.
Second - copy your logs and all system files to another device (CD, or
hard disk, whatever).
Then - when you've made a copy of the whole system, try to verify packages: rpm -Va
Look at /proc and compare the existing processes to what ps shows you.
Check if there are any backdoors in your system - new open ports, new
suid files, modified daemons, libraries, files with chattr +i, or
anything suspicious.
And remember - write down everything you're doing (see script(1))!
-- ............. Robert Jaroszuk - zim<at>tx<dot>pl ............. GCS/IT/O d? s: a-- C++ ULB++++$ P+ L++++$ E--- W- N+ w-- O- M- V- PS+ PE Y(+) PGP-(+++) t-- 5? X- R* tv-- DI++ b++>+++ DI- D- ... The superior warrior wins without fighting -- Sun Tzu. ...
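The /proc-versus-ps comparison suggested in the message above, as an added example that is not part of the original post. The function names and the "live" argument are made up for this example; it assumes a POSIX shell with ps, sort, comm and mktemp available.

```shell
#!/bin/sh
# Added example: list PIDs that exist under /proc but that ps does not report.
# Function names and the "live" argument are made up for this example.

# Numeric directory names under a proc root (default /proc), one per line.
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        case "${d##*/}" in *[!0-9]*) continue ;; esac
        if [ -d "$d" ]; then echo "${d##*/}"; fi
    done | sort -n
}

# PIDs as ps reports them, header suppressed.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort -n
}

# Print entries of newline-separated list $1 that are absent from list $2.
missing_from() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$a"
    printf '%s\n' "$2" | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed '/^$/d' | sort -n
    rm -f "$a" "$b"
}

# Compare the running system. ps is sampled before and after reading /proc so
# that processes starting or exiting mid-check are not reported as hidden.
check_live() {
    before=$(ps_pids)
    seen=$(proc_pids /proc)
    after=$(ps_pids)
    for pid in $(missing_from "$seen" "$before
$after"); do
        # Skip PIDs that have exited since the /proc snapshot was taken.
        if [ -d "/proc/$pid" ]; then
            echo "in /proc but not in ps: $pid"
        fi
    done
}

if [ "${1:-}" = "live" ]; then check_live; fi
```

A kernel module that hides a process can also filter it out of /proc directory listings, so empty output does not clear the machine. Run the check with ps and shell binaries from trusted media rather than the ones on the suspect disk.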