chkrootkit report : LKM trojan?

Post by Dominic Mitchel » Thu, 26 Jul 2001 13:23:40

Hi,

I have chkrootkit installed, which I run regularly. I have a
firewall and I run portsentry and logcheck. I do not leave the
computer online when I am not using the net.

Last night, when I closed the eth0 interface and ran chkrootkit, I
had the following message:

Checking `lkm'... You have     4 process hidden for readdir command
You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed

However, when I reran chkrootkit, this warning was not
triggered. How can I further check if there is a problem?

Thanks.

--
Dominic Mitchell


chkrootkit report : LKM trojan?

Post by David Griffit » Fri, 27 Jul 2001 10:08:17

> Hi,

> I have chkrootkit installed, which I run regularly. I have a
> firewall and I run portsentry and logcheck. I do not leave the
> computer online when I am not using the net.

> Last night, when I closed the eth0 interface and ran chkrootkit, I
> had the following message:

> Checking `lkm'... You have     4 process hidden for readdir command
> You have     4 process hidden for ps command
> Warning: Possible LKM Trojan installed

> However, when I reran chkrootkit, this warning was not
> triggered. How can I further check if there is a problem?

> Thanks.

Boot off of a clean root/boot disk or live CD-ROM,
mount your filesystems to something such as /dodgy/root
and /dodgy/root/usr,
and have a poke around.
Trace the initscripts, but don't run them.
Check if the kernel is bigger than a clean recompile of the same config.


chkrootkit report : LKM trojan?

Post by bored with T » Fri, 27 Jul 2001 20:26:35

The other way to check this is to run the chkrootkit command with a trusted
file system parameter that is mounted after it.

Something like

chkrootkit -p /cdrom/bin   # -p: directory holding trusted copies of the binaries chkrootkit runs

or whatever. It is described on the site how to do it, and it is a good idea if you
suspect you may possibly have been rooted.

ciao!
D

Quote:

> Hi,

> I have chkrootkit installed, which I run regularly. I have a
> firewall and I run portsentry and logcheck. I do not leave the
> computer online when I am not using the net.

> Last night, when I closed the eth0 interface and ran chkrootkit, I
> had the following message:

> Checking `lkm'... You have     4 process hidden for readdir command
> You have     4 process hidden for ps command
> Warning: Possible LKM Trojan installed

> However, when I reran chkrootkit, this warning was not
> triggered. How can I further check if there is a problem?

> Thanks.

> --
> Dominic Mitchell


chkrootkit found possible LKM trojan

My Debian Linux box was hacked about 2 months ago. I took it offline,
and now I have turned it back on and am running chkrootkit on it.

This is what I found:

-------------------------------------------------------------------
Checking `lkm'... You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted

---------------------------------------------------

Any idea what this Trojan is and what I should do? I will probably end up
formatting the entire hard drive, but I would like to know how the bad guy got
in.

Any ideas?

I noticed /bin/login and /bin/ps had a date that was the same as the date the box
got hacked into, according to the logs. Could these have been trojaned?
chkrootkit does not indicate that they were replaced.

Any suggestions of where else to look?
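The `lkm' warning in the first post and in the post above comes from the same comparison: chkrootkit enumerates processes through readdir() on /proc and through ps and checks them against a brute-force kill(pid, 0) probe. The following script is an added example (not code from the thread or from chkrootkit) that reproduces that comparison and takes several rounds, so that a process that simply exited between two listings, the likely reason the warning vanished on the rerun, is told apart from a PID hidden every time. It assumes a Linux /proc and a procps-style `ps`, and should run as root so every process is readable.

```python
"""Added example, not chkrootkit's code: the idea behind its `lkm' test. A rootkit
that filters readdir() hides a PID from /proc listings and ps but usually not from
kill(pid, 0), so three views are compared. A process that exits between snapshots
also differs (the transient warning the post saw), so rounds are intersected."""
import os
import subprocess

def probe_pids(pid_max=32768):  # 2001 default; modern kernels: /proc/sys/kernel/pid_max
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # EPERM: the PID exists, we just may not signal it
        found.add(pid)
    return found

def readdir_pids():
    """The view a filtered getdents()/readdir() hands to ls, ps and top."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def parse_ps(output):
    """PIDs from `ps -e -o pid=` output, one PID per line."""
    return {int(t) for t in map(str.strip, output.splitlines()) if t.isdigit()}

def is_thread(pid):
    """kill(tid, 0) also succeeds for thread IDs on Linux; drop IDs whose Tgid differs."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return any(l.startswith("Tgid:") and int(l.split()[1]) != pid for l in f)
    except OSError:
        return False  # no /proc entry at all: keep it, that is the suspicious case

def hidden_pids(probe, readdir, ps):
    """PIDs seen by kill() but missing from a view, keyed by view name."""
    return {"readdir": probe - readdir, "ps": probe - ps}

def stable_hidden(rounds):
    """Hidden in every round: suspicious. Hidden once: it probably just exited."""
    if not rounds:
        return {"readdir": set(), "ps": set()}
    return {k: set.intersection(*(r[k] for r in rounds)) for k in ("readdir", "ps")}

def snapshot():
    """One live round; the probe runs first, so an exiting PID shows up once."""
    probe, readdir = probe_pids(), readdir_pids()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    return hidden_pids({p for p in probe if not is_thread(p)}, readdir, parse_ps(ps_out))
if __name__ == "__main__":
    for view, pids in stable_hidden([snapshot() for _ in range(3)]).items():
        print(f"hidden from {view} in every round: {sorted(pids) or 'none'}")
```

A PID reported in every round still only says that the views disagree; the clean-media check in the replies above is what confirms or rules out a modified kernel or replaced ps.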
