Re: LKM Trojan installed

From: Shawn M. Jones (smj@thresholdoflight.org)
Date: 02/08/03

    Date: Sat, 8 Feb 2003 17:37:18 -0500 (EST)
    From: "Shawn M. Jones" <smj@thresholdoflight.org>
    To: terry white <twhite@aniota.com>

    On Sat, 8 Feb 2003, terry white wrote:

    > on "2-7-2003" "Craig Holmes" writ:
    >
    > : On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
    > : > Checking `lkm'... You have 69 process hidden for ps command
    > : > Warning: Possible LKM Trojan installed
    > : > Could this be *true* ? How can I discover it?
    >
    > : If this is true, then your 'ps' binary has been replaced with one that filters
    > : certain processes from your viewing.
    >
    > : The best, easiest method to determine if this is true,
    >
    > ... I created a directory, copied 'ps' et al to it, and used chattr on
    > them. Having a known good binary outside $PATH is something of a comfort
    > ...

    Yes, indeed, but how do you prevent the ps from using a tampered glibc or
    other libs? I usually statically compile a standard set of utilities (ls,
    ps, netstat, chkrootkit, etc.), tar.Z them up (some systems still don't
    have gzip or bzip2) and dump the tools into a working directory on the
    "suspect" system. Then I set my path to utilize that directory during my
    inspection. This limits the toolset such that all I have to worry about
    is a tampered shell.

    Just a suggestion, seeing as the source is so readily available and works
    spectacularly on Linux.

    Sincerely,

    Shawn M. Jones
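As an added example (not code from this thread or from chkrootkit), a POSIX sh script that follows the approach above: set PATH to a directory of pre-built static tools carried onto the suspect host, then repeat the "processes hidden from ps" test that chkrootkit's lkm check reports by comparing /proc against ps output. The directory /root/ir-tools and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Restricts PATH to a
# directory of statically linked tools carried onto the suspect host (the
# directory name is an assumption) and repeats the chkrootkit-style "hidden
# process" check by comparing /proc entries against what ps reports.

TRUSTED_DIR=${TRUSTED_DIR:-/root/ir-tools}   # assumed unpack location of the tar.Z

# Point PATH at the trusted directory only; refuse to continue if any tool
# the checks below rely on is missing there (it would otherwise resolve to a
# possibly tampered copy from the system).
use_trusted_path() {
    dir=$1
    for t in ps ls sed awk sort; do
        [ -x "$dir/$t" ] || { echo "missing trusted $t in $dir" >&2; return 1; }
    done
    PATH=$dir; export PATH
}

# Pure comparison: $1 = PIDs listed in /proc, $2 = PIDs reported by ps
# (whitespace separated; $1 and $2 are left unquoted on purpose so each PID
# becomes one line). Prints PIDs that exist in /proc but ps does not show.
hidden_pids() {
    { printf 'PS %s\n' $2; printf 'PROC %s\n' $1; } |
        awk '$1 == "PS" { seen[$2] = 1; next } $2 != "" && !($2 in seen) { print $2 }'
}

# Live check. Short-lived processes can appear in /proc and be gone before
# ps runs, so repeat a few times and only distrust PIDs that stay hidden.
# A kernel-resident rootkit that also hides /proc entries defeats this
# comparison, so an empty result is not proof of a clean system.
live_hidden_pids() {
    procs=$(ls -d /proc/[0-9]* 2>/dev/null | sed 's:^/proc/::')
    pslist=$(ps -e -o pid= | sed 's/^ *//')
    hidden_pids "$procs" "$pslist"
}

if [ "${1:-}" = "--live" ]; then
    use_trusted_path "$TRUSTED_DIR" || exit 1
    live_hidden_pids
fi
```

Run it as `sh check.sh --live` after unpacking the static toolkit into TRUSTED_DIR; anything it prints is a PID the trusted ps still cannot see.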