Re: LKM Trojan installed

From: Zow (zow@llnl.gov)
Date: 02/07/03

  • Next message: Cal Peake: "Re: LKM Trojan installed" 
    To: leusent@typeoneg.net
Date: Fri, 07 Feb 2003 14:32:57 -0800
From: "Zow" Terry Brugger <zow@llnl.gov>

    > which isnt backdoored. Only problem with this is, once it is on your
    > potentially infected box, its output can no longer be trusted, as one of
    > those 69 processes could maim the output of your new ps, not to mention how
    > easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)]could to do.

    Very true. As such, your best bet, if you're up for it, is to get a bootable
    Linux CD (I prefer Knoppix myself), boot off of that, mount your harddrive in
    readonly (ro) mode and compare the binary signatures (MD5s) of your
    executables (esp. common ones like ps and ls) to their published values. If
    you have a rpm based system like RedHat you can get this information from the
    rpm used to install the command, like this:

    $ rpm -qp --dump fileutils-4.1.11-5mdk.rpm | grep '/bin/ls'
    /bin/ls 69708 1030538378 c133e0cf49bce7a65dd3e9d80eb190b2 0100755 root root 0
    0 0 X
    $ md5sum /bin/ls
    c133e0cf49bce7a65dd3e9d80eb190b2 /bin/ls

    See how the 4th field there matches the output of md5sum? That's what you
    want to see. If you don't see that, you've got problems. (Note that this is
    from my live system -- if you've booted from CD and have your hard drive
    mounted as /hd, you'll want to test /hd/bin/ls and compare that to the rpm
    md5 for /bin/ls .)

    I imagine that there are some good guides on the web to doing this sort of
    forensic analysis, so do a little searching. In the end, the best thing you
    can probably do is get your data off the system, figure out how they got in,
    then wipe the system, reinstall, and patch your system so it doesn't happen
    again. :-(

    Good luck!
    Terry

    import standard.disclaimer;

    Relevant Pages

    • Re: Audio Tachometer for 2 stroke engine
      ... dead accurate RPM measurement and is in use now by other similar products, ... shaft or flywheel to directly make the measurement. ... The groundrules for using this device is that a single boat on the water is ... >>>of deriving the required rpm data with which to compare that obtained ...
      (sci.electronics.design)
    • Re: Vista:Slow and Dangerous
      ... It was MOLASSES slow compared to my iMac 1.83GHZ/1 gig of ram/160gig 7200 RPM HD ATI X1600. ... Come back when you want to compare apples to apples. ... Sorry Zara, these two machines are pretty comparable. ... Both are using mobile Core Duo processors, both are using 7200 RPM hard drives. ...
      (comp.sys.mac.advocacy)
    • Re: How does rpm command compare 2 rpm files version?
      ... > But could you please tell me where can I find the offical rules of rpm ... simple so any reasonable ordering algorithm would work. ... the boundaries of the segments are found using ... digit segments strip leading zeroes and compare the strlen before ...
      (comp.os.linux.development.system)
    • Re: comfused about how to compare laptops
      ... A faster disk should improve the performance of any laptop, ... Some are available with a 7200 rpm drive. ... so how to compare? ...
      (comp.sys.laptops)
    • Re: upgrade glibc disaster
      ... You said "rpm does not crash". ... He has a rescue CD. ... which Peter might have been able to tell you about if he were not ... this tells rpm to use that mount point as if it were the / of the ...
      (alt.os.linux)