Re: LKM Trojan installed

From: Peter Kirby (peter.ml@psychonet.co.uk)
Date: 02/10/03

    From: "Peter Kirby" <peter.ml@psychonet.co.uk>
    To: <focus-linux@securityfocus.com>
    Date: Mon, 10 Feb 2003 20:46:24 -0000
    
    

    From: "Nathan Yocom" <nate@yocom.org>
    > If a user was to gain local root privileges, it is also possible that
    > he/she has loaded/forced a kernel module also. Check your modules
    > directory and files to see what is being loaded (off the network). It
    > could be that ps and /proc agree, but the kernel is not reporting
    > correctly to either (given that a rogue module is loaded). You could
    > also compile a kernel from clean source and boot with it (off the
    > network) then check binaries to be sure they md5 up correctly.

    Not only off the network, but boot from a separate boot disk. There is a popular
    rootkit in use now that uses two modules. One of them hides as many
    files/processes as you (well they) want, at the kernel level. The next one
    hides the last loaded module from the modules list. If used well this
    rootkit can go undetected more so than many others since there would be NO
    outward signs. I can't even remember how I spotted this when it got on one
    of my boxes. But that was how they hid it. They were a bit rubbish in their
    choice of files to hide though IIRC.

    I was lucky in that I found the whole install folder and script they used to
    install the kit and could reverse it all without a re-install. But the best
    advice is to re-install in this kind of event.
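Cross-checking two views of the same kernel state, as an added example that is not part of the original thread and is not the rootkit, tool or install script any poster describes: a POSIX shell script that compares the PIDs visible as /proc directory entries with those ps reports, probes /proc/<pid> directly so that a hook which only filters directory listings is sidestepped, and compares the modules in /proc/modules with the /sys/module entries that carry an initstate file (only loadable modules have one, so a module unlinked from the kernel's module list still shows up there unless the kit also removes its sysfs entry). It assumes a Linux host with /proc, /sys and procps; the function names are the example's own. The caveat in the post stands: a kit that hooks every one of these interfaces consistently shows no discrepancy, which is why the advice is to inspect from a separate clean boot disk.

```shell
#!/bin/sh
# Added example for the thread above; not the rootkit, tool or script any poster
# describes. Each check compares two views of the same kernel state, on the
# assumption that a kit which hooks one interface often leaves another untouched.
# Assumes Linux with /proc, /sys and procps (ps). Function names are the example's own.

# hidden_entries A B: print the items of newline list A that are missing from B.
hidden_entries() {
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    printf '%s\n' "$1" | grep -v '^$' | sort -u > "$a"
    printf '%s\n' "$2" | grep -v '^$' | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# PIDs that appear as /proc directory entries but not in ps output.
# ps reads /proc itself, so a kernel hook on the listing fools both views;
# this catches a trojaned ps binary rather than a kernel-level hide.
hidden_pids_ps() {
    hidden_entries "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -eo pid= | tr -d ' ')"
}

# Probe /proc/<pid> directly for every PID up to a limit. A module that filters
# only directory listings (getdents) still answers stat() on the path, so a PID
# that probes as present but is absent from the listing is being hidden.
# Processes that exit between the probe and the listing show up as false hits.
hidden_pids_probe() {
    limit=${1:-32768}      # keep the loop bounded; pid_max may be far larger
    listing=$(ls /proc | grep -E '^[0-9]+$')
    probed=""
    pid=1
    while [ "$pid" -le "$limit" ]; do
        if [ -d "/proc/$pid" ]; then
            probed="$probed
$pid"
        fi
        pid=$((pid + 1))
    done
    hidden_entries "$probed" "$listing"
}

# Loadable modules that have a sysfs entry but are absent from /proc/modules.
# Only loadable modules get /sys/module/<name>/initstate (built-ins do not), so
# that file is the filter. Unlinking a module from the kernel's module list hides
# it from lsmod and /proc/modules but leaves its sysfs entry unless the kit
# removes that as well.
hidden_modules() {
    sysfs_mods=""
    for f in /sys/module/*/initstate; do
        if [ -f "$f" ]; then
            d=$(dirname "$f")
            sysfs_mods="$sysfs_mods
$(basename "$d")"
        fi
    done
    hidden_entries "$sysfs_mods" "$(awk '{ print $1 }' /proc/modules)"
}

# Live checks run only when invoked as: sh lkm-check.sh scan
case "${1:-}" in
    scan)
        echo "== PIDs in the /proc listing but not in ps =="
        hidden_pids_ps
        echo "== PIDs that probe as live but are missing from the /proc listing =="
        hidden_pids_probe
        echo "== Modules in sysfs but not in /proc/modules =="
        hidden_modules
        ;;
esac
```

Run it as root from a shell whose binaries you trust (a statically linked toolset on a mounted rescue medium is the usual choice); an empty result from all three checks means only that no inconsistency was found, not that the kernel is clean.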


