chkrootkit and LKM?

From: Janus N. (janus_at_bananus.dk)
Date: 06/16/03

    To: incidents@securityfocus.com
    Date: 16 Jun 2003 16:59:21 +0200
    
    

    Hi

    I am using RHL9 as my workstation. A few days ago I downloaded chkrootkit
    and it consistently gives the same output (>20 hidden processes) when
    checking for LKM rootkit:

    Checking `lkm'... You have 38 process hidden for readdir command
    Warning: Possible LKM Trojan installed

    This is even after reboots. How can I check if this is actually the work
    of the LKM? Or any other rootkit for that matter?

    Regards,
    Janus N. Tøndering

    -- 
    Janus N. Tøndering <janus@bananus.dk>
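
One way to run the check the question asks about, as an added example (not part of the original post and not chkrootkit's code): compare the PIDs returned when /proc is enumerated with the PIDs that resolve when looked up directly, and separate thread IDs, which Linux does not list in /proc, from entries with no listed owner. The function names and the `/proc/<pid>/status` field layout of current Linux kernels are assumptions.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs returned when /proc is enumerated (the readdir view)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probe(pid, proc="/proc"):
    """Look one PID up directly, without enumeration. Returns (tgid, name) or None."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            fields = dict(l.rstrip("\n").split(":\t", 1) for l in fh if ":\t" in l)
        return int(fields["Tgid"]), fields.get("Name", "?")
    except (OSError, KeyError, ValueError):
        return None

def cross_view(listed, probe_fn, max_pid):
    """Split PIDs that resolve directly but are not listed into threads and suspects."""
    threads, suspects = [], []
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        info = probe_fn(pid)
        if info is None:
            continue
        tgid, name = info
        if tgid != pid and tgid in listed:
            threads.append((pid, tgid, name))   # thread of a visible process
        else:
            suspects.append((pid, name))        # no visible owner: investigate
    return threads, suspects

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    threads, suspects = cross_view(listed_pids(), probe, limit)
    # Processes that start after the listing was taken would look hidden, so
    # keep only suspects that are still absent from a second listing.
    recheck = listed_pids()
    suspects = [s for s in suspects if s[0] not in recheck]
    print(f"{len(threads)} unlisted thread IDs belonging to listed processes")
    for pid, name in suspects:
        print(f"PID {pid} ({name}) resolves but is not listed")
```

Run it with an interpreter from trusted media; a clean result does not rule out a kernel module that also filters direct lookups.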