LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-01-2007, 06:50 AM   #1
Linux31
Member
 
Registered: Aug 2004
Posts: 296

Rep: Reputation: 30
Eliminating Trojan in Debian etch


I installed Debian etch the other day and installed Guarddog. I just ran chkrootkit and it said it found "Possible LKM Trojan installed".

Can someone tell me a Debian etch program to eliminate it?

Thanks for your help.
 
Old 04-01-2007, 08:02 AM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556Reputation: 556Reputation: 556Reputation: 556Reputation: 556Reputation: 556
If there's actually a trojan there, rootkithunter might get rid of it. You should be aware that *if* in fact it is a trojan, it may have already corrupted other software/binaries. If this is a fresh install, the chances of it being a trojan are less. There are after all false positives, depending on the OS and configuration.
Run rootkithunter (google 'rkhunter') and/or another rootkit scanner and see if it comes up with the same findings. If you are convinced it is a trojan, it may be wise to reinstall fresh if possible, to eliminate the small chance that the system is compromised, and as soon as the install is done, run and configure your rootkit scanner(s) so you have a baseline to compare to on future scans.
I still get a 'possible rootkit' report from one place on my system, but it isn't a trojan.
Finally, you might just try recompiling the kernel modules after a 'mrproper' and see if the issue is still there, but this is not a sure cure, if it *is* a trojan.
 
Old 04-01-2007, 08:45 AM   #3
Linux31
Member
 
Registered: Aug 2004
Posts: 296

Original Poster
Rep: Reputation: 30
I just ran rthunter and it came back clean so it probably is a false positive.

Thanks for your help.
 
Old 04-02-2007, 02:03 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
A few corrections and additions if I may...

If there's actually a trojan there, rootkithunter might get rid of it.
No, RKH won't. Chkrootkit, Rootkit Hunter and OSSEC.* are (AFAIK) *passive* audit tools. It means they only pick up symptoms after the event ocurred. They're not "cleaners".


If this is a fresh install, the chances of it being a trojan are less. There are after all false positives, depending on the OS and configuration.
With all due respect, but next time it would be better to *explain* why. The first thing to resolve a question like this would be to look at the Chkrootkit FAQ. I *know* "chkproc" FP's are mentioned there. Or if you would search this forum you would have seen this question has been answered before as well. You shouldn't run another tool immediately after the alert but *understand* what's happening and why (short-lived processes).



Run rootkithunter (google 'rkhunter') and/or another rootkit scanner and see if it comes up with the same findings. If you are convinced it is a trojan, it may be wise to reinstall fresh if possible, to eliminate the small chance that the system is compromised, and as soon as the install is done, run and configure your rootkit scanner(s) so you have a baseline to compare to on future scans.
RKH is at rkhunter.sourceforge.net. There aren't that many other rootkit scanners that are actively developed, supported and maintained, only ones I know are Chkrootkit, Rootkit Hunter, OSSEC and Zeppoo. You should raise the firewall and kill all *services* after a fresh install and run audit tools like Tiger and a *file integrity checker* (Aide, Samhain, etc, etc) instead to get a baseline.


I still get a 'possible rootkit' report from one place on my system, but it isn't a trojan.
Then figure out what it is and report it to the maintainers so they can fix it.


Finally, you might just try recompiling the kernel modules after a 'mrproper' and see if the issue is still there, but this is not a sure cure, if it *is* a trojan.
The most efficient way would be to boot a Live CD and check.
Of course this doesn't go well with boxen in colo ;-p
 
  


Reply

Tags
debian, etch, rootkit, trojan


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
update Debian testing etch RC1 to etch stable cccc Debian 11 01-08-2007 11:02 PM
Dual boot Debian Etch and XP with GRUB - Debian installed First - one HDD bence8810 Debian 11 01-07-2007 11:45 AM
which one to d/l for debian etch? greythorne Debian 8 07-27-2005 03:25 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:08 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration