Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-01-2007, 06:50 AM | #1 | Member | Registered: Aug 2004 | Posts: 296
Eliminating Trojan in Debian etch
I installed Debian etch the other day and installed Guarddog. I just ran chkrootkit and it said it found "Possible LKM Trojan installed".
Can someone tell me a Debian etch program to eliminate it?
Thanks for your help.
04-01-2007, 08:02 AM | #2 | LQ Guru | Registered: Dec 2006 | Location: underground | Distribution: Slackware64 | Posts: 7,594
If there's actually a trojan there, rootkithunter might get rid of it. You should be aware that *if* in fact it is a trojan, it may have already corrupted other software/binaries. If this is a fresh install, the chances of it being a trojan are less. There are after all false positives, depending on the OS and configuration.
Run rootkithunter (google 'rkhunter') and/or another rootkit scanner and see if it comes up with the same findings. If you are convinced it is a trojan, it may be wise to reinstall fresh if possible, to eliminate the small chance that the system is compromised, and as soon as the install is done, run and configure your rootkit scanner(s) so you have a baseline to compare to on future scans.
I still get a 'possible rootkit' report from one place on my system, but it isn't a trojan.
Finally, you might just try recompiling the kernel modules after a 'mrproper' and see if the issue is still there, but this is not a sure cure, if it *is* a trojan.
04-01-2007, 08:45 AM | #3 | Member (Original Poster) | Registered: Aug 2004 | Posts: 296
I just ran rkhunter and it came back clean so it probably is a false positive.
Thanks for your help.
04-02-2007, 02:03 AM | #4 | Moderator | Registered: May 2001 | Posts: 29,415
A few corrections and additions if I may...
Quote: If there's actually a trojan there, rootkithunter might get rid of it.
No, RKH won't. Chkrootkit, Rootkit Hunter and OSSEC.* are (AFAIK) *passive* audit tools. It means they only pick up symptoms after the event occurred. They're not "cleaners".
Quote: If this is a fresh install, the chances of it being a trojan are less. There are after all false positives, depending on the OS and configuration.
With all due respect, but next time it would be better to *explain* why. The first thing to resolve a question like this would be to look at the Chkrootkit FAQ. I *know* "chkproc" FP's are mentioned there. Or if you would search this forum you would have seen this question has been answered before as well. You shouldn't run another tool immediately after the alert but *understand* what's happening and why (short-lived processes).
Quote: Run rootkithunter (google 'rkhunter') and/or another rootkit scanner and see if it comes up with the same findings. If you are convinced it is a trojan, it may be wise to reinstall fresh if possible, to eliminate the small chance that the system is compromised, and as soon as the install is done, run and configure your rootkit scanner(s) so you have a baseline to compare to on future scans.
RKH is at rkhunter.sourceforge.net. There aren't that many other rootkit scanners that are actively developed, supported and maintained, only ones I know are Chkrootkit, Rootkit Hunter, OSSEC and Zeppoo. You should raise the firewall and kill all *services* after a fresh install and run audit tools like Tiger and a *file integrity checker* (Aide, Samhain, etc, etc) instead to get a baseline.
Quote: I still get a 'possible rootkit' report from one place on my system, but it isn't a trojan.
Then figure out what it is and report it to the maintainers so they can fix it.
Quote: Finally, you might just try recompiling the kernel modules after a 'mrproper' and see if the issue is still there, but this is not a sure cure, if it *is* a trojan.
The most efficient way would be to boot a Live CD and check.
Of course this doesn't go well with boxen in colo ;-p
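As an added example (not code from this thread and not chkrootkit's own chkproc), here is a simplified reconstruction of the /proc-versus-ps comparison that "Possible LKM Trojan installed" style alerts are based on, with the repeated sampling that separates a short-lived process from a PID that stays hidden. The function names and the sample PIDs in the comments are my own assumptions.

```python
"""Why chkproc-style checks give false positives on short-lived processes.

A process that exits between the /proc listing and the ps run appears in
/proc but not in ps, which looks exactly like a PID hidden from ps by an
LKM rootkit. Sampling several times and keeping only PIDs hidden in every
sample lets the short-lived ones drop out. Added example, not chkrootkit code.
"""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directories under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs reported by ps(1); '-eo pid=' prints one bare PID per line."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p) for p in out.split()}


def hidden_pids(from_proc, from_ps):
    """PIDs present in /proc but absent from ps. One sample is racy: a
    process that exited in between shows up here as a false positive."""
    return from_proc - from_ps


def stable_hidden(samples):
    """Intersection of hidden_pids() over every (proc_set, ps_set) pair.
    Short-lived processes are not hidden consistently and fall out; a PID
    that a kernel module hides from ps would stay. A kit that also hides
    the PID from /proc is invisible to this check, which is why the thread
    recommends verifying from a Live CD instead."""
    result = None
    for from_proc, from_ps in samples:
        h = hidden_pids(from_proc, from_ps)
        result = h if result is None else result & h
    return result or set()


def live_check(rounds=3, pause=0.5):
    """Sample the running system several times; report only stable PIDs."""
    samples = []
    for _ in range(rounds):
        samples.append((proc_pids(), ps_pids()))  # /proc first, then ps
        time.sleep(pause)
    return stable_hidden(samples)


if __name__ == "__main__":
    print("consistently hidden PIDs:", sorted(live_check()))
```

On a clean box `live_check()` should return an empty set; a PID that survives all rounds warrants the Live CD inspection the moderator describes rather than another scanner run.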