Re: LKM Trojan installed
From: Rivanor P. Soares (rivanor@bol.com.br)
Date: 02/13/03
Date: Wed, 12 Feb 2003 22:16:00 -0200
From: "Rivanor P. Soares" <rivanor@bol.com.br>
To: focus-linux@securityfocus.com
Answering some suggestions made by some on the list:
1) I am not running multi-threaded processes (process threads).
--
2) While I was running chkrootkit-0.39a:
Checking `ps'... not infected
...
Checking `lkm'... You have 54 process hidden for ps command
Warning: Possible LKM Trojan installed
--
3) Seeing the processes:
[root@localhost chkrootkit-0.39a]# ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:04 init [3]
2 ? SW 0:00 [keventd]
...
4881 pts/0 S 0:00 bash
4917 pts/0 S 0:00 vim rootkit
4918 pts/1 R 0:00 ps ax
Total: 52
In /proc: 52 processes, too
--
4) There are no new open ports listening.
--
5) And is this *normal*?
[root@localhost /]# lsattr -d /proc/
lsattr: Inappropriate ioctl for device While reading flags on /proc/
--
6) The modules being loaded are the usual ones, nothing that I don't want.
--
7) Unfortunately, I don't have access, yet, to a CD like Knoppix. :(
--
8) I am probably going to try this way: boot up the system with a 'clear'
kernel (no modules).
Thanks in advance, again...
Rivanor.
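
An added example, not part of the original message and not chkrootkit's own code: a cross-view check of the kind discussed in this thread, comparing the PIDs shown by a /proc directory listing with the PIDs that answer a direct read of /proc/<pid>/status. It reports thread IDs (which on Linux kernels with per-thread /proc entries answer a probe without being listed) and fork/exit races separately from unlisted process leaders; all function names are chosen for this example.

```python
"""Cross-view check: PIDs in the /proc listing vs. PIDs answering a direct probe."""
import os
import re


def listed_pids(proc="/proc"):
    """PIDs visible by listing the directory (the view a ps-style tool sees)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def read_status(pid, proc="/proc"):
    """Probe one PID directly; return its status text, or None if it is absent."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None


def tgid_of(status):
    """Thread-group ID from a status file, or None if the field is missing."""
    m = re.search(r"^Tgid:\s+(\d+)", status, re.M)
    return int(m.group(1)) if m else None


def cross_view(listed, max_pid, probe, relist):
    """Return (hidden, threads): IDs that answer a probe but are not listed.

    IDs whose Tgid differs from the ID itself are threads, not hidden processes.
    An ID that appears in a second listing, or is gone again, was only a race.
    """
    hidden, threads = [], []
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        status = probe(pid)
        if status is None:
            continue
        tgid = tgid_of(status)
        if tgid is not None and tgid != pid:
            threads.append(pid)
        elif pid not in relist() and probe(pid) is not None:
            hidden.append(pid)  # process leader that the listing never shows
    return hidden, threads


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    hidden, threads = cross_view(listed_pids(), limit, read_status, listed_pids)
    print(f"unlisted thread IDs: {len(threads)}; unlisted process leaders: {hidden}")
```

A non-empty leader list on a running system is only as trustworthy as the kernel answering the reads, which is why booting from known-good media remains the stronger check.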