LinuxQuestions.org
Old 03-05-2004, 08:22 PM   #1
synaptical
Senior Member
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020
Rep: Reputation: 46

LKM trojan? help!

i just did a chkrootkit on my web server and found:
Code:
Checking `lkm'... You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed
???

i've looked through the logs in /var a little but haven't seen anything that jumps out as really suspicious. what should i do to check this out more and clean it?

----------------------
okay, false alarm i think. i manually compared the contents of the /proc directory with ps ax, and it seems that the processes that are showing up as "hidden" are things like kswapd, ksoftirq, etc. maybe debian boxes are more prone to lkm false alarms, because searching LQ it seems to be fairly common. sure is a good way to scare a security n00b.

Last edited by synaptical; 03-05-2004 at 08:38 PM.
Old 03-05-2004, 09:44 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 27,564
Blog Entries: 54
Rep: Reputation: 2927

There's a short piece in the Chkrootkit.org FAQ about short-lived processes and how Chkrootkit gets tripped by 'em sometimes. You see it gets the contents of /proc only one time at the start of the check, which then fails when the output from "ps ax" doesn't match up.

LKMs tend to hide stuff. If you want to test for 'em the best way is to run a filesystem integrity scanner on a powered down system, that way nothing can interfere with checking. Of course the database must be verified clean.
Running tools on a live system isn't totally secure, in the sense that output is questionable when a system already was subverted, but there are some tools next to Chkrootkit out there that may help. I'll offer two: Skdet (orig. Debian IIRC) and Chksysmap (Samhain). Skdet checks for signs of the oft-used SuckIT rootkit and Chksysmap is a tool to see if syscalls are rerouted. Note the last one won't work on Grsecurity reinforced kernels and where CAP_MOD is disabled.
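The race unSpawn describes (one /proc snapshot, then a `ps ax` run that no longer matches) is easy to reproduce and to filter. The script below is an added example, not chkrootkit's chkproc and not from this thread: it repeats the /proc-versus-ps comparison several times and only reports PIDs that are hidden in every sample, so a process that merely started or exited between the two reads drops out. It assumes a Linux /proc and a `ps ax` whose first column is the PID.

```python
"""Added example (not chkrootkit's code): repeat the /proc-vs-`ps ax`
comparison so that short-lived processes racing one snapshot are not
reported as hidden. Only PIDs hidden in every sample are returned."""
import os
import re
import subprocess
import time

PS_PID = re.compile(r"^\s*(\d+)\s")  # first column of `ps ax` is the PID


def parse_ps_pids(ps_output):
    """Extract the PID set from `ps ax` text; the header line has no digits
    in column one, so the regex skips it."""
    return {int(m.group(1)) for line in ps_output.splitlines()
            if (m := PS_PID.match(line))}


def proc_pids():
    """Numeric entries of /proc are the PIDs the kernel is willing to show."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def hidden_in_sample(proc_set, ps_set):
    """What a single chkproc-style pass flags: in /proc but absent from ps."""
    return proc_set - ps_set


def persistently_hidden(samples):
    """PIDs hidden in every (proc_set, ps_set) sample. A process that exited
    between the /proc read and the ps run is hidden in one sample only and
    drops out here; a PID hidden in all samples deserves a closer look
    (compare `ps -p <pid>` with /proc/<pid>/status by hand)."""
    hidden = [hidden_in_sample(p, s) for p, s in samples]
    return set.intersection(*hidden) if hidden else set()


def collect_samples(count=3, pause=0.5):
    """Live sampling: snapshot /proc, then run `ps ax`, `count` times over."""
    samples = []
    for _ in range(count):
        proc_set = proc_pids()
        ps_out = subprocess.run(["ps", "ax"], capture_output=True,
                                text=True, check=True).stdout
        samples.append((proc_set, parse_ps_pids(ps_out)))
        time.sleep(pause)
    return samples


if __name__ == "__main__":
    suspects = persistently_hidden(collect_samples())
    print("persistently hidden PIDs:", sorted(suspects) or "none")
```

As unSpawn notes, a subverted kernel can lie to both /proc and ps at once, so an empty result from a live check is not proof of a clean box; it only removes the snapshot race from the picture.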
Old 03-06-2004, 01:25 PM   #3
synaptical
Senior Member
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020
Original Poster
Rep: Reputation: 46
appreciate! i'm checking them out as we speak. samhain looks awesome, but i can't find skdet. do you mean it's a debian package?

Google
Your search - skdet - did not match any documents.

Suggestions:

- Make sure all words are spelled correctly.
- Try different keywords.
- Try more general keywords.
Old 03-07-2004, 08:16 AM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 27,564
Blog Entries: 54
Rep: Reputation: 2927
but i can't find skdet. do you mean it's a debian package

Soz. Should be "skdetect" at [URI removed].

Seems "Chksysmap" only exists on my systems too. You'll want "kern_check.c" from http://la-samhna.de/library/rootkits/detect.html :-]


[EDIT]
Apologies. Skdetect != skdet. Skdet seems vanished, but somehow I got the source (dunno from where, all is blank). Anyway, if anyone needs it I have put up a page for skdet containing some background information, .rpm, .src.rpm and .spec. Since the source cannot be verified and is apparently unmaintained: be warned using it, even if I offer it. I do use it, and it performs way better than CRT's chkproc.
[/EDIT]

Last edited by unSpawn; 04-25-2004 at 03:42 PM.