
LKM and chkrootkit



I got a warning from my daily run of chkrootkit
yesterday:

Checking `lkm'... You have     4 process hidden for \
readdir command
You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed

I haven't taken down the box yet, because I was
investigating and there's no real sensitive data on
there. Has anyone seen this before? Today's output of
chkrootkit did not give the same warning. I don't see
any other signs of tampering, except that I probably
got DOS'ed, or at least apache went down in the wee
hours this morning and I didn't notice until I got to
work, and had to start it when I came home for lunch.
The log files aren't missing, but I don't yet know if
they have been altered. Suggestions for forensics
anyone? After Tai Chi class, I think I'll check into
the coroner's toolkit.

http://www.porcupine.org/forensics/tct.html

http://www.chkrootkit.org/

=====
rascharles@yahoo.com
http://www.charleshbaker.com/~chb/
Hacking is a "Good Thing!"
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html
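A defender's reproduction of the comparison behind that chkrootkit output, added here as an example and not chkrootkit's own code: it enumerates PIDs from the /proc directory (the readdir view) and from ps (the ps view), reports what each view misses, and repeats the sampling so that short-lived processes exiting between the two enumerations, a common cause of a one-off "hidden process" warning, are not counted. Function names and the constructed sample PIDs are assumptions.

```python
"""Cross-view hidden process check in the spirit of chkrootkit's `lkm` test."""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible by reading the /proc directory (readdir view, Linux only)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def ps_pids():
    """PIDs reported by ps (ps view); `ps -eo pid=` prints one PID per line."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def compare_views(readdir_view, ps_view):
    """Return (hidden_for_readdir, hidden_for_ps): PIDs one view has and the
    other lacks. This is the count behind 'You have N process hidden for ...'."""
    return ps_view - readdir_view, readdir_view - ps_view


def persistent_discrepancies(samples):
    """Keep only PIDs missing from the same view in every sample; a process that
    exits between the readdir and ps enumerations appears in one sample only."""
    hidden_readdir, hidden_ps = None, None
    for readdir_view, ps_view in samples:
        h_r, h_p = compare_views(readdir_view, ps_view)
        hidden_readdir = h_r if hidden_readdir is None else hidden_readdir & h_r
        hidden_ps = h_p if hidden_ps is None else hidden_ps & h_p
    return hidden_readdir or set(), hidden_ps or set()


def live_check(rounds=3, delay=0.5):
    """Sample both views `rounds` times and return the persistent discrepancies."""
    samples = []
    for _ in range(rounds):
        samples.append((proc_pids(), ps_pids()))
        time.sleep(delay)
    return persistent_discrepancies(samples)


# Constructed sample: PID 4242 is absent from readdir in every round (suspicious);
# PID 777 is a transient process seen by readdir once, then gone (benign).
SAMPLE_VIEWS = [({1, 2, 3, 777}, {1, 2, 3, 4242}), ({1, 2, 3}, {1, 2, 3, 4242})]

if __name__ == "__main__":
    print("persistent:", persistent_discrepancies(SAMPLE_VIEWS))  # ({4242}, set())
```

A PID that survives several rounds in the hidden set still deserves investigation from a trusted medium, since a kernel-level rootkit can lie to both views equally.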
