lkm trojan
Hi,
further to my 4 hidden processes, "ps" finds exactly 4 processes with PID # 0!
See the scriptfile below.
I later found out that "top" numbers these processes as 3, 4, 5 & 6, same sequence.
The names of the processes
I find this hard to understand:
Do "LKM trojan" and the 0's mean that these 4 are sabotaged Loadable Kernel Modules?
Can I just compare/recopy these?
I do have another healthy Sarge system, both with kernel 2.4.22.
Or will the (LKM) trojan then recopy its own version later?
And/or does "hidden from ps" mean that /usr/bin/ps has been doctored?
And should I compare/recopy this one?
The last process nevertheless claims to be my ps aux command itself.
All Cretans lie, said the Cretan ;-).
Or perhaps this is all a rather innocent bug in "ps".
Could the intrusion be that XMMS launched a naughty .mp3 that I downloaded myself?
Even though XMMS does not run as root?
In the meantime I reinstalled one compromised PC, but kept this one for learning,
ran bastille, improved my password habits, turned off WAN ping replies from my router,
am turning off this hardware router when not using the internet (24/7 on before),
installed sxid, temporarily tried out some other anti-intrusion packages you all
recommended (thanks) and deinstalled anything "server" that I can do without.
Anyway, since Feb 1 no new (log?) deletion(s), of which there were several before.
If I need to reinstall I might try out kernel 2.6 first.
That even may shake out malignant modules. Two birds with one stone ;-).
Any more advice or comment?
Kind regards, Boudewijn
Script started on za 07 feb 2004 08:08:07 CET
ijbd@fuji:~$ su
Password:
root@fuji:/home/ijbd# chkrootkit -q
/usr/lib/nessus/plugins/.desc
/usr/lib/nessus/plugins/.desc
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
1 deletion(s) between Sun Feb 1 19:22:59 2004 and Sun Feb 1 20:21:54 2004
root@fuji:/home/ijbd# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 76 76 ? S 06:47 0:08 init [5]
root 2 0.0 0.0 0 0 ? SW 06:47 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 06:47 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kswapd]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [bdflush]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 06:47 0:00 [kreiserfsd]
root 71 0.0 0.0 0 0 ? SW 06:48 0:00 [kapmd]
root 75 0.0 0.0 0 0 ? SW 06:48 0:00 [khubd]
root 263 0.0 0.1 1728 752 ? S 06:48 0:00 pump -i eth0
root 265 0.0 0.0 0 0 ? SW 06:48 0:00 [eth0]
daemon 269 0.0 0.1 1708 604 ? S 06:48 0:00 /sbin/portmap
etc, etc...
root 7286 0.0 0.1 2472 820 pts/1 R 08:09 0:00 ps aux
root@fuji:/home/ijbd# exit
ijbd@fuji:~$
Script done on za 07 feb 2004 08:09:12 CET
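An added example (not part of the original post or of chkrootkit) of the cross-check that chkrootkit's "hidden for ps" test performs: the PIDs the kernel lists in /proc are compared with the PID column of `ps aux`. It uses the ps lines quoted above as constructed input and assumes, as the post's "top" observation suggests, that the four PID-0 entries are really PIDs 3 to 6.

```python
import os

# Constructed sample: the `ps aux` lines from the post, with the four
# kernel threads that ps prints with PID 0.
PS_OUTPUT = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 76 76 ? S 06:47 0:08 init [5]
root 2 0.0 0.0 0 0 ? SW 06:47 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 06:47 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kswapd]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [bdflush]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 06:47 0:00 [kreiserfsd]
root 7286 0.0 0.1 2472 820 pts/1 R 08:09 0:00 ps aux
"""

# Constructed: the numeric /proc entries as the kernel itself reports them
# (assumption: the PID-0 entries above are really 3, 4, 5 and 6, as top showed).
PROC_PIDS = {1, 2, 3, 4, 5, 6, 8, 7286}


def parse_ps(text):
    """Return (pid, command) pairs from `ps aux` output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)          # COMMAND is the 11th column
        if len(fields) == 11 and fields[1].isdigit():
            rows.append((int(fields[1]), fields[10]))
    return rows


def hidden_from_ps(proc_pids, ps_text, ignore=()):
    """chkproc-style check: PIDs present in /proc but absent from the ps output.
    `ignore` is for PIDs that are legitimately transient, such as ps itself."""
    seen = {pid for pid, _ in parse_ps(ps_text)}
    return sorted(set(proc_pids) - seen - set(ignore))


def zero_pid_entries(ps_text):
    """Commands that ps printed with PID 0; a real process never shows PID 0 here,
    so each one is a PID the ps binary failed to report and /proc will still list."""
    return [cmd for pid, cmd in parse_ps(ps_text) if pid == 0]


def live_proc_pids():
    """PIDs according to the kernel; pair with a simultaneous `ps aux` capture."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}
```

On the constructed data the "hidden" list is exactly [3, 4, 5, 6], one per PID-0 line, which matches the "4 process hidden" count; a live run must take /proc and the ps output at the same moment and pass ps's own PID in `ignore`.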