Re: LKM Trojan installed

From: Systems Administrator (sysadmin@sunet.com.au)
Date: 02/09/03

    From: "Systems Administrator" <sysadmin@sunet.com.au>
    To: <leusent@typeoneg.net>, "Rivanor P. Soares" <rivanor@bol.com.br>, <focus-linux@securityfocus.com>
    Date: Mon, 10 Feb 2003 09:54:08 +1100
    
    

    > On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
    > > Checking `lkm'... You have 69 process hidden for ps command
    > > Warning: Possible LKM Trojan installed
    > >
    > > Could this be *true* ? How can I discover it?
    > If this is true, then your 'ps' binary has been replaced with one that filters
    > certain processes from your viewing.
    > The best, easiest method to determine if this is true, is to change
    > directories to your /proc filesystem, and manually compare the PID
    > corresponding directories to the PIDs you see in your ps output. If you

        If it's an LKM trojan, they wouldn't show up in /proc, would they?

    > notice extra PIDs (which you will quickly notice if you in fact have 69 hidden
    > processes), then you should enter their corresponding directories and analyze
    > the information within, to see if the process is malicious.
    > If manually comparing your proc filesystem to your ps output seems like a
    > daunting task, you could try downloading a fresh ps binary to your box, one
    > which isn't backdoored. Only problem with this is, once it is on your
    > potentially infected box, its output can no longer be trusted, as one of
    > those 69 processes could maim the output of your new ps, not to mention how
    > easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do.

        The theory on this is that you need to boot off a clean filesystem (cf.
    Knoppix), and then use the clean boot to analyse the filesystems on the
    compromised box. I don't know enough to help you with analysis, though.

        Thanks,

    Tim Nelson
    Systems Administrator
    Sunet Internet
    Tel: +61 3 5241 1155
    Fax: +61 3 5241 6187
    Web: http://www.sunet.com.au/
    Email: sysadmin@sunet.com.au
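As an added example (not part of the original thread), a Python script that does the /proc-versus-ps comparison the quoted reply describes and, for the case Tim raises (a kernel-level hook that also filters /proc's directory listing), probes every unlisted PID directly with kill(pid, 0); it assumes Linux and a ps that accepts `-eo pid=`, and all function names are mine.

```python
import os
import subprocess

def ps_pids():
    """PIDs as reported by the (possibly replaced) ps binary."""
    out = subprocess.check_output(["ps", "-eo", "pid="], text=True)
    return {int(tok) for tok in out.split()}

def proc_pids():
    """PIDs that appear as numeric entries when /proc is listed (readdir)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def diff_pid_sets(proc, ps):
    """Return (in /proc but not in ps, in ps but not in /proc). The first set is
    what a userland-trojaned ps filters out; the second is usually processes
    that exited between the two snapshots, so re-run before concluding."""
    return proc - ps, ps - proc

def live_pid_exists(pid):
    """kill(pid, 0) sends nothing but reports whether the PID exists. Thread
    IDs also answer, so confirm via Tgid in /proc/<pid>/status; a status file
    that cannot be read is kept as suspicious rather than dismissed."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, owned by another user
    try:
        with open(f"/proc/{pid}/status") as fh:
            tgid = next((int(l.split()[1]) for l in fh
                         if l.startswith("Tgid:")), pid)
        return tgid == pid
    except OSError:
        return True

def probe_unlisted_pids(listed, max_pid, exists=live_pid_exists):
    """Brute-force the PID space: a kernel hook (LKM) that filters /proc's
    directory listing may still leave the hidden PID reachable by kill/stat.
    Returns PIDs that answer the probe but were not in `listed`."""
    return {pid for pid in range(1, max_pid + 1)
            if pid not in listed and exists(pid)}

if __name__ == "__main__":
    proc, ps = proc_pids(), ps_pids()
    hidden, gone = diff_pid_sets(proc, ps)
    print("in /proc but not in ps:", sorted(hidden))
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    print("unlisted PIDs answering kill(0):",
          sorted(probe_unlisted_pids(proc | ps, pid_max)))
```

A rootkit that hooks kill() and stat() as well can defeat the probe too, which is why the clean-boot analysis Tim describes remains the reliable check.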


