LKM and chkrootkit
I got a warning from my daily run of chkrootkit
yesterday
    Checking `lkm'... You have 4 process hidden for readdir command
    You have 4 process hidden for ps command
    Warning: Possible LKM Trojan installed
I haven't taken down the box yet, because I was
investigating and there's no real sensitive data on
there. Has anyone seen this before? Today's output of
chkrootkit did not give the same warning. I don't see
any other signs of tampering, except that I probably
got DOS'ed, or at least apache went down in the wee
hours this morning and I didn't notice until I got to
work, and had to start it when I came home for lunch.
The log files aren't missing, but I don't yet know if
they have been altered. Suggestions for forensics
anyone? After Tai Chi class, I think I'll check into
the coroner's toolkit.
http://www.porcupine.org/forensics/tct.html
http://www.chkrootkit.org/
=====
rascharles@yahoo.com
http://www.charleshbaker.com/~chb/
Hacking is a "Good Thing!"
See http://www.tuxedo.org/~esr/faqs/hacker-howto.html
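The warning above comes from comparing several views of the process table: a directory listing of /proc, direct probes of individual PIDs, and the output of ps. A PID that one view reports and another does not is flagged as "hidden". The script below is an added example (not chkrootkit's own code) that performs the same kind of cross-check and, because the poster's warning vanished on the next run, repeats the sampling so that short-lived processes that exit between two views, the usual source of a false positive, drop out; the function names and the three-round default are my own choices.

```python
"""Cross-check three views of the Linux process list, the way an LKM/hidden-process
test does, and keep only PIDs that stay hidden across repeated samples."""
import os
import re
import subprocess
import time

PID_RE = re.compile(r"^\d+$")


def pids_from_readdir(proc="/proc"):
    # View 1: PIDs that a directory listing of /proc exposes.
    return {int(n) for n in os.listdir(proc) if PID_RE.match(n)}


def pids_from_probe(max_pid, proc="/proc"):
    # View 2: probe each candidate PID directly instead of listing the directory.
    # A module that only filters readdir() results leaves this path untouched.
    return {p for p in range(1, max_pid + 1) if os.path.exists(f"{proc}/{p}/stat")}


def pids_from_ps():
    # View 3: PIDs as reported by the ps binary (which may itself be trojaned).
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(x) for x in out.split()}


def hidden_pids(reference, view):
    """PIDs present in `reference` but missing from `view`."""
    return sorted(set(reference) - set(view))


def stable_hidden(sample, reference_name, view_name, rounds=3, pause=0.5):
    """Sample `rounds` times; report only PIDs hidden in every round.
    `sample()` returns a dict of view-name -> set of PIDs."""
    result = None
    for i in range(rounds):
        views = sample()
        hidden = set(hidden_pids(views[reference_name], views[view_name]))
        result = hidden if result is None else result & hidden
        if i + 1 < rounds:
            time.sleep(pause)
    return sorted(result)


def live_sample():
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    return {"probe": pids_from_probe(max_pid),
            "readdir": pids_from_readdir(), "ps": pids_from_ps()}


if __name__ == "__main__":
    for view in ("readdir", "ps"):
        print(view, "hides:", stable_hidden(live_sample, "probe", view))
```

A transient PID shows up in one round only; anything listed after three rounds deserves a look with a tool that does not rely on the possibly compromised ps.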