LinuxQuestions.org
Old 12-21-2003, 04:41 AM   #1
cxel91a
Member
 
Registered: May 2001
Posts: 61

Rep: Reputation: 15
Possible LKM Trojan install kernel 2.6.0


This is on Redhat 9.0

I'm looking for some guidance as to determine if I have a problem or false alarm.
I downloaded the kernel 2.6.0 from kernel.org. Verified the gpg signature for both the kernel and mod-utils package.

Everything works fine, but when I run chkrootkit I get the following:

Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 6 process hidden for readdir command
You have 6 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected

After reading about what the problem might be, I tried to query the /bin/ls file using the rpm tool.
For some reason it was telling me my db was not accessible and the file didn't belong to a package.
I rebooted the system in rescue mode and force installed the coreutils package.
I booted to the original kernel 2.4.20 and ran chkrootkit again. With the original kernel the LKM warning did not show up, but when I booted into 2.6.0 I got the same message.

Anyone else having the same problem?
 
Old 12-21-2003, 05:09 AM   #2
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Just tried it on my 2.6.0, didn't find a thing.
Quote:
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
 
Old 12-21-2003, 07:08 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547
Quote:
Checking `lkm'... You have 6 process hidden for readdir command
This message comes from the chkproc binary.
Code:
]$ grep -a readdir /usr/local/sbin/chkproc 
/proc/%dPID %5d: not in readdir output
You have % 5d process hidden for readdir command
Chkproc checks "ps" output against the process dirs in /proc.
Some processes are short-lived and die before chkproc can check 'em.
Then chkproc shows an error.

If you want to doublecheck, you could rerun Chkrootkit with the "lkm" test, or run "check_ps". If there's a secondary indication (from running a filesystem integrity scanner for instance) that indicates tampering, then you could be looking at a Linux Kernel Module (LKM). Isolating the box from the network by dropping to runlevel 1 and then checking syscall diversion (kern_check: see Samhain site) could be one option, but hard powering off the box, booting a kernel from a rescue cdr/floppy and then checking the filesystem (in read-only mode) is better. Granted, you lose the ability to check active processes, but if there's malicious activity the chances of finding it are "better" on a dead system, because then system calls can't be redirected.


Quote:
After reading about what the problem might be, I tried to query the /bin/ls file using the rpm tool.
For some reason it was telling me my db was not accessible and the file didn't belong to a package. I rebooted the system in rescue mode and force installed the coreutils package.

With all due respect, reinstalling until it works is "MICROS~1" behaviour.
Besides that, if there's a system compromise you most likely do not want to delete "evidence": kill the system, then check.


Quote:
Just tried it on my 2.6.0, didn't find a thing.
Wrt errors there are always two distinctly different issues to focus on: troubleshooting Chkrootkit and its binaries, and determining system status. If you don't know what to attribute an error to, please be cautious. It's "better" to have to check and know system status is OK than to ignore it.
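The comparison unSpawn describes, as an added example that is not from the thread or from chkrootkit's own chkproc: it probes PIDs with kill(pid, 0), which never touches /proc, and compares them with what readdir(/proc) lists (the view ps builds its table from), then discards two benign causes of mismatch before reporting anything: thread IDs, which kill() accepts but readdir never lists, and processes that exit between the scans, which it re-tests after a short pause. The function names, the default scan limit of 65536 PIDs and the 0.5 s settle time are this example's own choices.

```python
import os
import time

def readdir_pids():
    """PIDs that readdir(/proc) lists: the same view ps builds its table from."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def kill_probe_pids(limit):
    """PIDs that answer kill(pid, 0); EPERM means alive but another user's."""
    alive = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive

def is_thread(pid):
    """kill() also answers for thread IDs, which readdir(/proc) omits, yet
    /proc/<tid>/status is still readable and its Tgid differs from the tid."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass  # unreadable (hidepid= mounts do this): treat as not a thread
    return False

def find_hidden_pids(limit=65536, settle=0.5):
    """PIDs alive per kill() but absent from readdir(/proc), minus threads
    and minus processes that simply exited before the second look."""
    candidates = {p for p in kill_probe_pids(limit) - readdir_pids()
                  if not is_thread(p)}
    if not candidates:
        return []
    time.sleep(settle)  # give short-lived processes time to finish
    hidden = []
    for pid in sorted(candidates):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # gone now: short-lived, not hidden
        except PermissionError:
            pass
        if pid not in readdir_pids():
            hidden.append(pid)
    return hidden
```

A non-empty result on a clean host usually points at a /proc mounted with hidepid= rather than at a rootkit, so confirm that before treating the PIDs as evidence.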
 
Old 12-21-2003, 04:27 PM   #4
cxel91a
Member
 
Registered: May 2001
Posts: 61

Original Poster
Rep: Reputation: 15
Thanks for the reply. I've been trying to compile checkps, but no luck so far. I haven't tried the Samhain package, but will get to it soon. I tried to manually compare the output from the ps command to that of the /proc dir. With the exception of two processes that had exited, everything else matches up.

My next step is to recompile the kernel to see if I get the same results.
 
Old 12-23-2003, 07:06 PM   #5
cxel91a
Member
 
Registered: May 2001
Posts: 61

Original Poster
Rep: Reputation: 15
Well, I have downloaded and compiled kernel 2.6.0 about 3 times again. I get the same LKM warning when running chkrootkit under kernel 2.6.0. Again, no warning under 2.4.20. I've downloaded and installed Samhain. Hopefully, this will make a difference if there is a problem. Thanks again for the info.
 
Old 12-23-2003, 07:42 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547
Could you run "strace -v -o /tmp/chkproc.strace chkproc 2>&1|tee /tmp/chkproc.log" on the 2.6.0, zap your hostname from the logs, and email me both files (as a tarball plz)?
 
Old 01-09-2004, 05:57 PM   #7
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
I think you should get the ps precompiled binaries and socklist and netstat from a clean machine .. and I guess you should check if you are running samba ... as far as I know that's the only vuln in rh9 to get root ...
 
Old 12-13-2010, 05:01 PM   #8
R03L
Member
 
Registered: Feb 2008
Location: Emmen
Distribution: mepis, ubuntu server ed. Debian. Redhat. Fedora, centos, LFS
Posts: 214

Rep: Reputation: 31
I had the same messages.
Code:
Warning: Possible LKM Trojan installed
so I checked around the system.
Code:
uname -r
2.6.35.9-64.fc14.x86_64
Code:
sudo rm /dev/shm/*
There were some mono files with my hostname, my uname and the word fileshare in them,
so I removed them.
When mono popped up to reinstall its plugin, I accepted.

Because rkrootkid did not say anything,

I checked again with chkrootkit version 0.49:
messages gone.

Code:
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
 
Old 12-13-2010, 06:19 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Please don't resurrect dead threads (this one's been dead for almost seven years).

Help us keep LQSEC as zombie-free as possible.
 