Re: chkrootkit and LKM?
From: Blade Runner (blade_at_seven.com.br)
Date: 06/17/03
- Previous message: Tim Recher: "Re: Wierd Profile in Document Settings"
- In reply to: Ali-Reza Anghaie: "Re: chkrootkit and LKM?"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: chkrootkit and LKM?"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: chkrootkit and LKM?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 17 Jun 2003 16:47:52 -0300 (BRT)
To: incidents@securityfocus.com
You can try booting your server with Knoppix (http://www.knoppix.org) and
look for hidden files.
If possible, do not allow loadable module support; maybe this can avoid
future problems with LKMs.
I am not sure if building a new kernel works. But if you have good results
with that, tell me.
Sorry about the poor English.
[]'s
> On Monday 16 June 2003 10:59, Janus N. wrote:
>> I'm using RHL9 as my workstation. A few days ago I downloaded chkrootkit
>> and it consistently gives the same output (>20 hidden processes) when
>> checking for LKM rootkits:
>>
>> Checking `lkm'... You have 38 process hidden for readdir command
>> Warning: Possible LKM Trojan installed
>>
>> This is even after reboots. How can I check if this is actually the work
>> of the LKM? Or any other rootkit for that matter?
>
> What does "chkrootkit -x lkm" return? If anything...
>
> If it shows PIDs you'll want to hunt through /proc manually for those
> processes.
>
> Cheers, -Ali
>
> --
> OpenPGP Key: 030E44E6
> --
> Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
> --
> War is evil, but it is often the lesser evil. -- George Orwell
>
--
Blade Runner - Squirrel Mail Linux Powered
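The "hidden for readdir" test that the chkrootkit `lkm` check reports on can be reproduced by hand: compare the PIDs a readdir of /proc returns with the PIDs a direct lookup of /proc/<pid> confirms. The script below is an added example for this thread, not code from chkrootkit or from any poster; it is Python 3 for Linux and assumes a standard /proc with a Tgid field in /proc/<pid>/status and a readable pid_max sysctl.

```python
import os

# Added example, not chkrootkit's code: a process-hiding LKM usually filters
# what readdir on /proc returns, yet a direct lookup of /proc/<pid> still works.

def _listed_pids():
    """PIDs that a readdir of /proc is willing to show."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def _probed_pids(max_pid):
    """PIDs that exist according to a direct stat of /proc/<pid>."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except OSError:
            continue
    return found

def _is_thread(pid):
    """Linux keeps thread ids out of readdir by design, so a tid whose
    Tgid is a different pid must not be counted as a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return True  # vanished between passes: a race, not a rootkit
    return False

def hidden_pids(max_pid=None):
    """PIDs found by direct lookup but absent from readdir both before and
    after the probe (two passes filter processes that start or exit mid-scan)."""
    if max_pid is None:  # assumption: pid_max sysctl is readable
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = _listed_pids()
    probed = _probed_pids(max_pid)
    after = _listed_pids()
    suspects = probed - before - after
    return sorted(p for p in suspects if not _is_thread(p))

if __name__ == "__main__":
    hidden = hidden_pids()
    print(f"{len(hidden)} process(es) hidden from readdir: {hidden}")
```

On a clean host the list is empty; thread IDs are excluded because Linux omits them from /proc readdir by design, which a raw pid probe would otherwise report as hidden processes. Any PID that does survive both readdir passes and the thread filter is worth inspecting under /proc/<pid> (cmdline, exe, status) from a boot medium such as the Knoppix CD suggested above.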