LKM trojan? help!
I just did a chkrootkit on my web server and found:
Code:
Checking `lkm'... You have 4 process hidden for ps command

I've looked through the logs in /var a little but haven't seen anything that jumps out as really suspicious. What should I do to check this out more and clean it?
----------------------
Okay, false alarm I think. :o :D I manually compared the contents of the /proc directory with ps ax, and it seems that the processes that are showing up as "hidden" are things like kswapd, ksoftirq, etc. Maybe Debian boxes are more prone to LKM false alarms, because searching LQ it seems to be fairly common. Sure is a good way to scare a security n00b. :p
There's a short piece in the Chkrootkit.org FAQ about short-lived processes and how Chkrootkit gets tripped by 'em sometimes. You see, it gets the contents of /proc only one time at the start of the check, which then fails when the output from "ps ax" doesn't match up.
LKMs tend to hide stuff. If you want to test for 'em, the best way is to run a filesystem integrity scanner on a powered-down system; that way nothing can interfere with the checking. Of course the database must be verified clean. Running tools on a live system isn't totally secure, in the sense that output is questionable when a system has already been subverted, but there are some tools besides Chkrootkit out there that may help. I'll offer two: Skdet (orig. Debian IIRC) and Chksysmap (Samhain). Skdet checks for signs of the oft-used SuckIT rootkit and Chksysmap is a tool to see if syscalls are rerouted. Note the last one won't work on Grsecurity-reinforced kernels and where CAP_MOD is disabled.
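The two points made above (the single /proc snapshot that trips on short-lived processes, and the kernel threads the OP found behind the "hidden" count) can be checked by hand. The script below is an added example for this thread, not chkrootkit's chkproc and not code from either poster: it repeats the /proc-vs-ps comparison several times so that processes which exit between the two listings drop out, then labels what survives by whether it has a command line, since kernel threads such as kswapd have an empty /proc/PID/cmdline. It assumes a Linux box with /proc mounted and a procps-style `ps -eo pid=`; the function names and the PID lists in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkrootkit's chkproc and not code from this thread):
# repeat the /proc-vs-ps comparison several times so that processes which
# exit between the two listings drop out, then label what is left by
# whether it has a command line (kernel threads such as kswapd have none).
# Assumes Linux with /proc mounted and a procps-style `ps -eo pid=`.

# compare_pids "PROC_PIDS" "PS_PIDS": print the PIDs present in the first
# whitespace-separated list but absent from the second (the "hidden" set).
compare_pids() {
    printf '%s\n' $1 | awk -v ps_list="$2" '
        BEGIN { n = split(ps_list, a, /[ \t\n]+/); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen) { print }'
}

# intersect_pids "LIST_A" "LIST_B": print the PIDs present in both lists.
intersect_pids() {
    printf '%s\n' $1 | awk -v other="$2" '
        BEGIN { n = split(other, a, /[ \t\n]+/); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && ($0 in seen) { print }'
}

# hidden_across_rounds "ROUND1" "ROUND2" ...: each argument is the hidden
# set from one snapshot round; only PIDs hidden in every round survive,
# which is what filters out processes that merely exited mid-check.
hidden_across_rounds() {
    result=$1
    shift
    for round in "$@"; do
        result=$(intersect_pids "$result" "$round" | tr '\n' ' ')
    done
    printf '%s\n' $result
}

# classify_cmdline "CMDLINE": an empty /proc/PID/cmdline means a kernel
# thread (or a zombie); anything else is a userland process worth a look.
classify_cmdline() {
    if [ -z "$1" ]; then
        echo kernel-thread-or-zombie
    else
        echo userland
    fi
}

# scan_live ROUNDS: take ROUNDS snapshots one second apart and report the
# PIDs missing from ps in all of them, with their classification and name.
scan_live() {
    rounds=${1:-3}
    i=0
    set --
    while [ "$i" -lt "$rounds" ]; do
        proc_now=$(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ')
        ps_now=$(ps -eo pid= | tr -d ' ' | tr '\n' ' ')
        set -- "$@" "$(compare_pids "$proc_now" "$ps_now" | tr '\n' ' ')"
        i=$((i + 1))
        sleep 1
    done
    for pid in $(hidden_across_rounds "$@"); do
        cmdline=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')
        name=$(sed -n 's/^[0-9]* (\(.*\)) .*/\1/p' "/proc/$pid/stat" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "$(classify_cmdline "$cmdline")" "${name:-?}"
    done
}

# Only touch the live system when asked to; the functions above also work
# on constructed PID lists, e.g. compare_pids '1 2 3 4 5' '1 3 5' prints 2 and 4.
if [ "${1:-}" = "--live" ]; then
    scan_live "${2:-3}"
fi
```

Run it as `sh hidden.sh --live 5` and read the third column: a PID that is hidden in every round and reports `userland` with a real command line is what deserves attention; `kernel-thread-or-zombie` entries named kswapd, ksoftirqd and the like are the false alarm the OP ran into. The caveat from the post above still applies: this only compares what /proc lists against what ps shows, and a kernel-level kit that also filters the /proc directory listing will not appear here at all, so an empty result means "nothing found", not "clean".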
Appreciated! I'm checking them out as we speak. Samhain looks awesome, but I can't find skdet. Do you mean it's a Debian package?
Code:
Your search - skdet - did not match any documents.
Suggestions:
- Make sure all words are spelled correctly.
- Try different keywords.
- Try more general keywords.
Quote:
but I can't find skdet. Do you mean it's a Debian package?

Soz. Should be "skdetect" at [URI removed]. Seems "Chksysmap" only exists on my systems too. You'll want "kern_check.c" from http://la-samhna.de/library/rootkits/detect.html :-]
[EDIT] Apologies. Skdetect != skdet. Skdet seems to have vanished, but somehow I got the source (dunno from where, all is blank). Anyway, if anyone needs it I have put up a page for skdet containing some background information, .rpm, .src.rpm and .spec. Since the source cannot be verified and is apparently unmaintained: be warned using it, even if I offer it. I do use it, and it performs way better than CRT's chkproc. [/EDIT]