Re: rooted ?

From: Pat Parrinello (security_at_txbs.net)
Date: 09/11/04

    To: Jason Rusch <kerberos_daemon@infosec-rusch.com>, focus-linux@securityfocus.com
    Date: Sat, 11 Sep 2004 08:45:17 -0500
    
    

    On Thursday 09 September 2004 07:21, Jason Rusch wrote:
    > Sorry if this is not the correct forum,

      Boot with a CD rescue disk, mount the suspect / and
     ls -alR /{mount point}/lib

      Compare what you see to the same listing (ls -alR /lib)
      in normal running and IF you see some nasty goodies,
      congratulations; you are owned.

      No scanner or intrusion detector known (by me) can find it. You have
      to look first-hand using a clean (rescue) running system.

      MM

       

    >
    > Curious: a day or so after an up2date on a Fedora 2 system, I noticed very
    > sluggish behavior. After checking obvious things such as netstat, du,
    > nmapping it from another machine and checking ps commands thoroughly I found
    > nothing abnormal. I then moved on to running a few rootkit scanners; all
    > showed clean (for what it's worth of course). I used both the tarball and
    > rpm chkrootkit and scanned my machine with both.
    >
    > The strange part is that the one run from source showed everything to
    > be OK, while the rpm showed 23-35 hidden processes, possible LKM rootkit
    > installed. Now after running the cmd "/usr/lib/chkrootkit-0.43/chkproc -v"
    > I found the processes within /proc and checked the status/info on all.
    > They were all sleeping processes from applications I run all the time
    > (evolution, mozilla, nautilus). I booted the machine in init 3, without
    > X, and I didn't have this problem.
    >
    > The machine normally boots in init 5; now if I start X then the problem
    > arises. Now I don't know if this is the right forum, but I would not think
    > that I am rooted (optimistically said) and this is some weird issue from
    > an update. One more note: all the hidden processes were owned and run under
    > my user account. Any input from anyone would be great. And no, I didn't get
    > Tripwire installed or record an MD5sum record, oops.
    >
    > Anyway, just a day or so ago I read somewhere there may be a latency time
    > diff. between the threads that are running and the chkrootkit detection, thus
    > causing the discrepancy?

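The rescue-disk comparison described in the reply above (take a listing of /lib from the normally running system, boot clean, mount the suspect / and compare the same listing offline), as an added example that is not part of the thread and not Pat's or Jason's own commands. The script normalizes `ls -l` output so the mount-point prefix, user-name mapping and timestamps do not produce false differences, and the two directory trees it builds under a temp dir are constructed stand-ins for /mnt/suspect/lib and the running system's /lib; the "hidden" entries in them are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and "hidden" files below
# are constructed stand-ins, not real system contents.

# normalized_listing ROOT
#   Recursive listing of everything under ROOT with the mount-point prefix
#   stripped, so a listing of /mnt/suspect/lib and one of /lib line up
#   entry for entry (the post's "ls -alR", made comparable).
#   -n prints numeric uid/gid: the rescue CD's /etc/passwd need not match the
#   suspect system's, so user names would give spurious differences.
#   Timestamps (fields 6-8 of "ls -l") are dropped for portability; with GNU
#   ls you can keep them comparable using --time-style=full-iso instead.
#   Directory sizes are blanked since they depend on the filesystem, not on
#   content; the directory link count is kept because a hidden subdirectory
#   still raises it.
normalized_listing() {
    ( cd "$1" && LC_ALL=C find . -mindepth 1 -exec ls -ldn {} + ) |
    awk '{
        size = $5; if (substr($1, 1, 1) == "d") size = "-"
        name = $9; for (i = 10; i <= NF; i++) name = name " " $i  # keep "-> target"
        print $1, $2, $3, $4, size, name
    }' | LC_ALL=C sort
}

# listing_diff OFFLINE_LISTING LIVE_LISTING
#   Compares two saved listings. Lines starting with "<" are what the clean
#   rescue view sees and the live system did not show (or showed with a
#   different mode/owner/size); lines starting with ">" appear in the live
#   view only. Exit 0 when the views match, 1 when they differ, 2 on error.
listing_diff() {
    if diff "$1" "$2" > /dev/null; then
        return 0
    fi
    diff "$1" "$2" | grep '^[<>]' || return 2   # nothing to show: diff itself failed
    return 1
}

# build_demo BASE
#   Constructed trees: BASE/offline stands for the suspect / mounted from the
#   rescue CD, BASE/live for what the running (possibly rooted) system shows.
#   The offline view carries two things the live view does not: a dot-directory
#   an LKM hides from the running kernel, and a replaced libproc.so whose size
#   differs from what the live system reports.
build_demo() {
    for view in offline live; do
        mkdir -p "$1/$view/lib/modules"
        printf 'libc stand-in\n'   > "$1/$view/lib/libc.so.6"
        printf 'module stand-in\n' > "$1/$view/lib/modules/ext3.ko"
    done
    mkdir -p "$1/offline/lib/.x"
    printf 'hidden helper\n'    > "$1/offline/lib/.x/ld.so.hack"
    printf 'trojaned libproc\n' > "$1/offline/lib/libproc.so"
    printf 'libproc\n'          > "$1/live/lib/libproc.so"
}

# "sh this.sh demo" runs the comparison on the constructed trees.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_demo "$d"
    normalized_listing "$d/offline" > "$d/offline.txt"
    normalized_listing "$d/live"    > "$d/live.txt"
    listing_diff "$d/offline.txt" "$d/live.txt"
    echo "exit status: $?"
    rm -rf "$d"
fi
```

In real use the baseline is taken first, on the running system, with `normalized_listing /lib > /media/usb/lib.live`, written to removable media rather than the suspect disk; then from the rescue environment, with the suspect root mounted read-only, `normalized_listing /mnt/suspect/lib > /tmp/lib.offline` and `listing_diff /tmp/lib.offline /media/usb/lib.live`. Anything the offline view lists that the live view did not is exactly the "nasty goodies" the reply means; a size or mode change on a library both views list is the other thing to chase down.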
