Re: LKM Trojan installed
From: Craig Holmes (Leusent@typeoneg.net)
Date: 02/08/03
From: Craig Holmes <Leusent@typeoneg.net>
To: Nathan Yocom <nate@yocom.org>, focus-linux@securityfocus.com
Date: Sat, 8 Feb 2003 14:19:14 -0500
On February 7, 2003 11:08 pm, Nathan Yocom wrote:
> If a user was to gain local root privileges, it is also possible that
> he/she has loaded/forced a kernel module also. Check your modules
Although this is very possible, and something you should consider while
looking for any malicious files or processes, I believe that the message you
got from chkproc (called by chkrootkit) means it found inconsistencies
between ps output and your proc filesystem. Cal Peake pointed out that Red Hat
hides threads, so I would check your ps/proc first. Although I am not
completely sure, I believe that if it detects an LKM, that it will report
processes being hidden by readdir.
/* Snippet of code */
if (retdir)
    printf("You have % 5d process hidden for readdir command\n", retdir);
if (retps)
    printf("You have % 5d process hidden for ps command\n", retps);
/* Done */
Craig Holmes
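
The thread caveat in the message above can be tested directly: an id that answers under /proc but is missing from the readdir() listing is only suspicious if it is its own thread-group leader. The following is an added example, not part of the original message and not chkrootkit's code; it covers the readdir side only, and the use of the `Tgid:` line in `/proc/<id>/status`, the function names and the 65535 ceiling are assumptions of the example.

```c
/* Added example (not chkrootkit's code); the Tgid test is this example's assumption. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
enum verdict { ABSENT, LISTED, THREAD, HIDDEN };

/* Collect the numeric entries readdir() reports under root. */
static size_t list_pids(const char *root, int *out, size_t max) {
    DIR *d = opendir(root);
    struct dirent *e;
    size_t n = 0;
    if (!d) return 0;
    while (n < max && (e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0])) out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* Read "Tgid:" from <root>/<id>/status; -1 if the entry does not answer. */
static int read_tgid(const char *root, int id) {
    char path[512], line[256];
    int tgid = -1;
    snprintf(path, sizeof path, "%s/%d/status", root, id);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid;
}

/* Reachable but unlisted: a thread if Tgid differs from the id, else hidden. */
static enum verdict classify(const char *root, int id, const int *listed, size_t n) {
    int tgid = read_tgid(root, id);
    if (tgid < 0) return ABSENT;
    for (size_t i = 0; i < n; i++)
        if (listed[i] == id) return LISTED;
    return tgid == id ? HIDDEN : THREAD;
}

int main(void) {
    static int listed[65536];
    size_t n = list_pids("/proc", listed, 65536);
    int count[4] = {0};
    for (int id = 1; id <= 65535; id++)  /* assumed ceiling; real limit is pid_max */
        count[classify("/proc", id, listed, n)]++;
    printf("unlisted threads: %d, unlisted processes: %d\n", count[THREAD], count[HIDDEN]);
    return count[HIDDEN] != 0;
}
```

An id counted as an unlisted process may simply have started after the listing was taken, so rerun the check before treating it as a finding.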