Re: LKM Trojan installed

From: Zow (zow@llnl.gov)
Date: 02/07/03

    To: leusent@typeoneg.net
    Date: Fri, 07 Feb 2003 14:32:57 -0800
    From: "Zow" Terry Brugger <zow@llnl.gov>


    > which isn't backdoored. Only problem with this is, once it is on your
    > potentially infected box, its output can no longer be trusted, as one of
    > those 69 processes could maim the output of your new ps, not to mention how
    > easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do.

    Very true. As such, your best bet, if you're up for it, is to get a bootable
    Linux CD (I prefer Knoppix myself), boot off of that, mount your hard drive in
    readonly (ro) mode and compare the binary signatures (MD5s) of your
    executables (esp. common ones like ps and ls) to their published values. If
    you have an rpm based system like RedHat you can get this information from the
    rpm used to install the command, like this:

    $ rpm -qp --dump fileutils-4.1.11-5mdk.rpm | grep '/bin/ls'
    /bin/ls 69708 1030538378 c133e0cf49bce7a65dd3e9d80eb190b2 0100755 root root 0 0 0 X
    $ md5sum /bin/ls
    c133e0cf49bce7a65dd3e9d80eb190b2 /bin/ls

    See how the 4th field there matches the output of md5sum? That's what you
    want to see. If you don't see that, you've got problems. (Note that this is
    from my live system -- if you've booted from CD and have your hard drive
    mounted as /hd, you'll want to test /hd/bin/ls and compare that to the rpm
    md5 for /bin/ls .)

    I imagine that there are some good guides on the web to doing this sort of
    forensic analysis, so do a little searching. In the end, the best thing you
    can probably do is get your data off the system, figure out how they got in,
    then wipe the system, reinstall, and patch your system so it doesn't happen
    again. :-(

    Good luck!
    Terry

    import standard.disclaimer;
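The comparison Terry describes, scripted so it covers a whole package rather than one grep per binary. This is an added example, not code from the post or from any rpm tool: it parses `rpm -qp --dump` output (11 fields per record, digest in the 4th) and checks each packaged file against its copy under a mount root such as `/hd`, the way you would run it from a live CD's own Python against a read-only mounted suspect disk. The status names, the `/hd` layout and the demo files are assumptions; the digest-length rule is there because rpm releases since the 2003-era ones record a SHA-256 rather than an MD5 in that field, so the script picks the hash from the length it sees. It also catches a packaged regular file that has been replaced by a symlink, and skips the all-zero digest rpm records for symlinks.

```python
import hashlib
import os
import sys
import tempfile
from typing import Dict, List, NamedTuple, Tuple


class DumpEntry(NamedTuple):
    path: str
    size: int
    digest: str  # hex digest rpm recorded: MD5 on 2003-era rpm, SHA-256 on current releases
    mode: int    # file mode as an int, e.g. 0o100755


def parse_rpm_dump(text: str) -> Dict[str, DumpEntry]:
    """Parse `rpm -qp --dump pkg.rpm` output into a path -> DumpEntry map.

    Record layout (11 whitespace-separated fields):
      path size mtime digest mode owner group isconfig isdoc rdev symlink
    Symlink records carry an all-zero digest and are skipped: nothing to hash.
    """
    entries: Dict[str, DumpEntry] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 11:
            continue  # blank line, or a record wrapped by a mail client; not usable
        path, size, _mtime, digest, mode = fields[:5]
        if set(digest) == {"0"}:
            continue
        entries[path] = DumpEntry(path, int(size), digest.lower(), int(mode, 8))
    return entries


def digest_algo(hexdigest: str) -> str:
    """32 hex chars is MD5, 64 is SHA-256; anything else is not an rpm file digest."""
    algos = {32: "md5", 64: "sha256"}
    if len(hexdigest) not in algos:
        raise ValueError("unrecognised digest length %d" % len(hexdigest))
    return algos[len(hexdigest)]


def file_digest(path: str, algo: str) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(entries: Dict[str, DumpEntry], mount_root: str) -> List[Tuple[str, str]]:
    """Compare every packaged file with its copy under mount_root (e.g. "/hd").

    Returns (package path, status) pairs; status is "ok", "missing",
    "not-a-regular-file" (replaced by a symlink, device, ...), "size-mismatch"
    (cheap check before hashing) or "digest-mismatch".
    """
    results = []
    for path, entry in sorted(entries.items()):
        on_disk = os.path.join(mount_root, path.lstrip("/"))
        if not os.path.lexists(on_disk):
            status = "missing"
        elif os.path.islink(on_disk) or not os.path.isfile(on_disk):
            status = "not-a-regular-file"
        elif os.path.getsize(on_disk) != entry.size:
            status = "size-mismatch"
        elif file_digest(on_disk, digest_algo(entry.digest)) != entry.digest:
            status = "digest-mismatch"
        else:
            status = "ok"
        results.append((path, status))
    return results


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample data (not a real package): a fake mounted root holding a
    clean /bin/ls, a same-size but altered /bin/ps, and no /bin/rm at all.
    Returns (dump text, mount root); the dump digests are computed from `clean`."""
    root = tempfile.mkdtemp(prefix="hd-")
    os.makedirs(os.path.join(root, "bin"))
    clean = b"#!/bin/sh\necho good\n"
    altered = b"#!/bin/sh\necho evil\n"  # same length as `clean`, different bytes
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(clean)
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(altered)
    md5 = hashlib.md5(clean).hexdigest()
    record = "%s %d 1030538378 %s 0100755 root root 0 0 0 X\n"
    dump = (record % ("/bin/ls", len(clean), md5)
            + record % ("/bin/ps", len(clean), md5)
            + record % ("/bin/rm", 4096, md5)
            + "/usr/bin/dir 0 1030538378 00000000000000000000000000000000"
              " 0120777 root root 0 0 0 /bin/ls\n")
    return dump, root


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: verify_rpm_dump.py dump.txt /hd
        with open(sys.argv[1]) as f:
            dump_text = f.read()
        mount = sys.argv[2]
    else:
        dump_text, mount = build_demo_tree()
    for p, s in verify_tree(parse_rpm_dump(dump_text), mount):
        print("%-18s %s" % (s, p))
```

Save the `rpm -qp --dump` output for each package you care about (coreutils, procps, util-linux, the shell) to a file on the live CD's filesystem, then run the script with that file and the mount point; anything other than `ok` on a binary like `ls` or `ps` is exactly the problem Terry is talking about. Run it with no arguments to see the three outcomes on the constructed tree.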