Re: LKM Trojan installed

From: Zow (zow@llnl.gov)
Date: 02/19/03

    To: "Rivanor P. Soares" <rivanor@bol.com.br>
    Date: Wed, 19 Feb 2003 13:47:49 -0800
    From: "Zow" Terry Brugger <zow@llnl.gov>

    Rivanor,

    > 1) I am not running multi-threaded process (process threads).

    Not that you know of, but some applications or daemons that you run may be
    multi-threaded without your knowledge, see the next response however.

    > 2) While I was running chkrootkit-0.39a:
    > Checking `lkm'... You have 54 process hidden for ps command
    > 3) Seeing process:
    > At /proc : 52 process, too

    I agree with the response that noted that it looks like chkrootkit wasn't
    using ps properly.

    > 4) There are no new open ports listening.

    Did you test that from a different machine using something like nmap? If
    you're relying on netstat, it may have been trojaned.

    > 5) And, is this *normal* ?
    > [root@localhost /]# lsattr -d /proc/
    > lsattr: Inappropriate ioctl for device While reading flags on /proc/

    As others noted, yes.

    > 6) Modules are being loaded as usual, nothing that I don't want.

    Again, like netstat, if you have a LKM rootkit on your system, it would hide
    itself from lsmod.

    > 7) Unfortunately, I don't have access, yet, to a CD like Knoppix. :(

    Well then head on over to http://www.knoppix.org/ and start dl'ing -- unless
    your bandwidth or lack of a CD writer prohibits that, in which case that site
    has a list of vendors you can order it from. In the US, you shouldn't have to
    pay more than $10 shipped.

    > 8) I probably gonna try the way: boot up the system with a 'clear'
    > kernel (no modules).
    >
    > Thanks in advance, again...

    Good luck!
    Terry

    USE standard_disclaimer
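Two of the points above (the chkrootkit "hidden for ps" count and "an LKM rootkit would hide itself from lsmod") come down to the same defender's technique: compare two views of the same kernel state and investigate any disagreement. The script below is an added example, not code from the original thread or from chkrootkit. It assumes a Linux /proc and /sys layout and a `ps` that accepts `-e -o pid=`; the sample snapshots are constructed for illustration, and the pure functions `hidden_pids` and `hidden_modules` are run over them.

```python
"""Cross-check /proc against ps, and /sys/module against /proc/modules.

Added example, not part of the original mailing-list post. Assumes a Linux
/proc and /sys layout; the SAMPLE_* values below are constructed test data.
"""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs visible as numeric directory names under proc_root."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """PIDs that ps itself reports (ps -e -o pid=)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_snapshot_a, proc_snapshot_b, ps_pids):
    """PIDs present in BOTH /proc snapshots but absent from ps.

    Taking one /proc listing before ps and one after, and only flagging PIDs
    that appear in both, filters out short-lived processes that started or
    exited while ps was running (a common source of false positives).
    """
    stable = proc_snapshot_a & proc_snapshot_b
    return sorted(stable - ps_pids)


def loaded_modules_from_sysfs(sys_root="/sys/module"):
    """Names under /sys/module that have an initstate file.

    Built-in modules also get a /sys/module entry, but only modules that were
    actually loaded at runtime get an initstate file, so this matches the set
    that /proc/modules (and therefore lsmod) should be reporting.
    """
    return {name for name in os.listdir(sys_root)
            if os.path.exists(os.path.join(sys_root, name, "initstate"))}


def modules_from_proc_modules(text):
    """Module names from /proc/modules content (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_modules_text, sysfs_loaded):
    """Modules that sysfs says are loaded but /proc/modules does not list."""
    return sorted(sysfs_loaded - modules_from_proc_modules(proc_modules_text))


def check_live():
    """Run both cross-checks against the running system."""
    snap_a = pids_from_proc()
    ps_pids = pids_from_ps()
    snap_b = pids_from_proc()
    with open("/proc/modules") as f:
        proc_modules = f.read()
    return {
        "hidden_pids": hidden_pids(snap_a, snap_b, ps_pids),
        "hidden_modules": hidden_modules(proc_modules, loaded_modules_from_sysfs()),
    }


# Constructed sample data: PID 910 exited and 1300 started between the two
# /proc listings, so neither counts; 678 is stable yet missing from ps.
SAMPLE_PROC_A = {1, 2, 345, 678, 910, 1122}
SAMPLE_PROC_B = {1, 2, 345, 678, 1122, 1300}
SAMPLE_PS = {1, 2, 345, 1122}

# Constructed /proc/modules content and a constructed sysfs view that
# contains one extra loaded module (placeholder name).
SAMPLE_PROC_MODULES = (
    "ext4 745472 1 - Live 0xffffffffc0400000\n"
    "binfmt_misc 24576 1 - Live 0xffffffffc0380000\n"
)
SAMPLE_SYSFS_LOADED = {"ext4", "binfmt_misc", "constructed_example_mod"}

if __name__ == "__main__":
    print("sample hidden pids:", hidden_pids(SAMPLE_PROC_A, SAMPLE_PROC_B, SAMPLE_PS))
    print("sample hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADED))
    if os.path.isdir("/proc") and os.path.isdir("/sys/module"):
        print("live:", check_live())
```

Any PID or module name the two views disagree on is worth a closer look, but an empty result proves little: a rootkit that hooks the VFS or the syscall table can falsify both views at once, which is exactly why the thread keeps coming back to booting a clean medium such as Knoppix and inspecting the disk from there.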
