Re: LKM Trojan installed

From: Craig Holmes (Leusent@typeoneg.net)
Date: 02/08/03

    From: Craig Holmes <Leusent@typeoneg.net>
    To: Nathan Yocom <nate@yocom.org>, focus-linux@securityfocus.com
    Date: Sat, 8 Feb 2003 14:19:14 -0500

    On February 7, 2003 11:08 pm, Nathan Yocom wrote:
    > If a user was to gain local root privileges, it is also possible that
    > he/she has loaded/forced a kernel module also. Check your modules
    Although this is very possible, and something you should consider while
    looking for any malicious files or processes, I believe that the message you
    got from chkproc (called by chkrootkit) means it found inconsistencies
    between ps output and your proc filesystem. Cal Peake pointed out that Red Hat
    hides threads, so I would check your ps/proc first. Although I am not
    completely sure, I believe that if it detects an LKM, it will report
    processes being hidden by readdir.

    /* Snippet of code */
       /* retdir: PIDs that exist but do not show up when /proc is read with readdir */
       if (retdir)
          printf("You have % 5d process hidden for readdir command\n", retdir);
       /* retps: PIDs that exist in /proc but are missing from the ps listing */
       if (retps)
          printf("You have % 5d process hidden for ps command\n", retps);
    /* Done */

    Craig Holmes
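To make the comparison Craig describes concrete, here is an added example (written for this page, not chkrootkit's own chkproc.c) that gathers three views of the process table and reports the same two counts: PIDs alive according to kill(pid, 0) but absent from readdir() on /proc ("hidden for readdir", the LKM case), and PIDs present in /proc but absent from the PID column of ps ("hidden for ps", which on a box whose ps hides threads can be exactly the false positive mentioned above). It assumes a Linux /proc, a `ps` that accepts `-e -o pid=`, and a PID range below 32768 (the classic pid_max; larger pid_max values need MAX_PIDS raised). Candidates are re-checked once so that processes that exited between the two scans are not counted as hidden.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIDS 32768   /* assumption: classic default pid_max; raise for larger pid_max */

/* Reference view: a PID is alive if kill(pid, 0) succeeds or fails with EPERM.
 * A /proc-hiding LKM usually hooks getdents/readdir, not kill, so this list is
 * the baseline the other two views are compared against. */
int probe_pids(int *out, int max)
{
    int n = 0;
    for (int pid = 1; pid < MAX_PIDS && n < max; pid++)
        if (kill(pid, 0) == 0 || errno == EPERM)
            out[n++] = pid;
    return n;
}

/* Second view: purely numeric directory names returned by readdir() on /proc. */
int readdir_pids(int *out, int max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL && n < max) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*e->d_name && *end == '\0' && pid > 0)
            out[n++] = (int)pid;
    }
    closedir(d);
    return n;
}

/* Third view: the PID column of `ps -e -o pid=`, one integer per line. */
int parse_ps_pids(const char *text, int *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        while (*p == ' ' || *p == '\t') p++;
        if (isdigit((unsigned char)*p)) {
            char *end;
            out[n++] = (int)strtol(p, &end, 10);
            p = end;
        }
        while (*p && *p != '\n') p++;   /* discard the rest of the line */
        if (*p == '\n') p++;
    }
    return n;
}

/* Set difference: PIDs in `seen` that are missing from `view`. This is the
 * comparison behind chkproc's "hidden for readdir" / "hidden for ps" counts. */
int count_missing(const int *seen, int nseen, const int *view, int nview,
                  int *out, int outmax)
{
    int n = 0;
    for (int i = 0; i < nseen; i++) {
        int found = 0;
        for (int j = 0; j < nview && !found; j++)
            found = (view[j] == seen[i]);
        if (!found) {
            if (out && n < outmax) out[n] = seen[i];
            n++;
        }
    }
    return n;
}

/* Drop candidates that simply exited between the two scans (process churn). */
int still_alive(const int *pids, int n)
{
    int alive = 0;
    for (int i = 0; i < n; i++)
        if (kill(pids[i], 0) == 0 || errno == EPERM) alive++;
    return alive;
}

int main(void)
{
    static int probed[MAX_PIDS], seen[MAX_PIDS], psl[MAX_PIDS], hidden[256];
    static char buf[1 << 16];
    int np = probe_pids(probed, MAX_PIDS);
    int nd = readdir_pids(seen, MAX_PIDS);
    if (nd < 0) { perror("opendir /proc"); return 1; }

    FILE *ps = popen("ps -e -o pid=", "r");     /* real ps listing; no threads column */
    size_t got = ps ? fread(buf, 1, sizeof buf - 1, ps) : 0;
    if (ps) pclose(ps);
    buf[got] = '\0';
    int nps = parse_ps_pids(buf, psl, MAX_PIDS);

    int cand = count_missing(probed, np, seen, nd, hidden, 256);
    int retdir = still_alive(hidden, cand < 256 ? cand : 256);
    int retps = nps ? count_missing(seen, nd, psl, nps, NULL, 0) : 0;
    if (retdir) printf("You have % 5d process hidden for readdir command\n", retdir);
    if (retps)  printf("You have % 5d process hidden for ps command\n", retps);
    if (!retdir && !retps) printf("ps and /proc agree (%d PIDs)\n", nd);
    return 0;
}
```

If "hidden for ps" fires but "hidden for readdir" does not, compare the offending PIDs' /proc/PID/status by hand before suspecting an LKM: a ps that folds threads into their parent will produce exactly that pattern on a healthy system.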