Re: LKM Trojan installed

From: Zow (zow@llnl.gov)
Date: 02/19/03

    To: "Rivanor P. Soares" <rivanor@bol.com.br>
    Date: Wed, 19 Feb 2003 13:47:49 -0800
    From: "Zow" Terry Brugger <zow@llnl.gov>

    Rivanor,

    > 1) I am not running multi-threaded process (process threads).

    Not that you know of, but some applications or daemons that you run may be
    multi-threaded without your knowledge, see the next response however.

    > 2) While I was running chkrootkit-0.39a:
    > Checking `lkm'... You have 54 process hidden for ps command
    > 3) Seeing process:
    > At /proc : 52 process, too

    I agree with the response that noted that it looks like chkrootkit wasn't
    using ps properly.

    > 4) There are no new open ports listening.

    Did you test that from a different machine using something like nmap? If
    you're relying on netstat, it may have been trojaned.

    > 5) And, is this *normal* ?
    > [root@localhost /]# lsattr -d /proc/
    > lsattr: Inappropriate ioctl for device While reading flags on /proc/

    As others noted, yes.

    > 6) Modules are being loaded as usual, nothing that I don't want.

    Again, like netstat, if you have a LKM rootkit on your system, it would hide
    itself from lsmod.

    > 7) Unfortunately, I don't have access, yet, to a CD like Knoppix. :(

    Well then head on over to http://www.knoppix.org/ and start dl'ing -- unless
    your bandwidth or lack of a CD writer prohibits that, in which case that site
    has a list of vendors you can order it from. In the US, you shouldn't have to
    pay more than $10 shipped.

    > 8) I probably gonna try the way: boot up the system with a 'clear'
    > kernel (no modules).
    >
    > Thanks in advance, again...

    Good luck!
    Terry

    USE standard_disclaimer
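The check behind chkrootkit's `lkm` test that the thread is arguing about, reconstructed as an added example (this is not code from the thread, from chkrootkit, or from Terry): compare the PIDs reachable under /proc with what `ps` reports, and separately compare a brute-force probe of every /proc/<pid> with the /proc directory listing, since a module that filters the listing usually still answers stat(). Filtering out tasks whose Tgid differs from their Pid is my assumption for removing the thread false positive Terry mentions; the pid_max bound and the two-snapshot intersection are likewise assumptions about a sensible defender's check.

```python
import os
import subprocess

def pids_from_proc(proc_root="/proc"):
    """PIDs a directory listing of /proc reveals (the output a getdents hook can filter)."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def probe_pids(proc_root="/proc", pid_max=None):
    """Probe /proc/<pid> for every possible PID instead of trusting the listing: a rootkit that
    filters readdir results often still answers stat(). Assumes /proc/sys/kernel/pid_max exists."""
    if pid_max is None:
        with open(os.path.join(proc_root, "sys", "kernel", "pid_max")) as f:
            pid_max = int(f.read())
    return {p for p in range(1, pid_max) if os.path.isdir(os.path.join(proc_root, str(p)))}

def pids_from_ps():
    """PIDs as ps reports them; ps itself may be trojaned, or an LKM may feed it filtered data."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def is_thread(pid, proc_root="/proc"):
    """True when Tgid != Pid, i.e. a thread of another process rather than a hidden process
    (the kind of entry that inflates chkrootkit's 'hidden for ps' count on threaded systems)."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return int(fields["Tgid"]) != pid
    except (OSError, KeyError, ValueError):
        return False  # task vanished or unreadable: treat it as an ordinary process

def hidden_pids(proc_pids, ps_pids, threads=frozenset()):
    """Sorted PIDs present in /proc but absent from ps, with known thread IDs filtered out."""
    return sorted((set(proc_pids) - set(ps_pids)) - set(threads))

def report(proc_root="/proc"):
    """Two findings: PIDs hidden from the /proc listing (a strong LKM indicator) and PIDs hidden
    from ps. Short-lived processes exit between snapshots, so trust only PIDs flagged on two runs."""
    probed = probe_pids(proc_root)
    threads = {p for p in probed if is_thread(p, proc_root)}
    return {
        "hidden_from_proc_listing": sorted(probed - pids_from_proc(proc_root) - threads),
        "hidden_from_ps": hidden_pids(probed, pids_from_ps(), threads),
    }

if __name__ == "__main__":
    first, second = report(), report()
    for key in first:  # intersect two snapshots to drop processes that merely exited in between
        print(f"{key}: {sorted(set(first[key]) & set(second[key])) or 'none'}")
```

A PID that shows up in `hidden_from_proc_listing` on both runs is worth investigating from a clean boot medium, as Terry recommends; a `hidden_from_ps` hit alone may just mean `ps` is not the binary you think it is.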
