
Re: Trojan installed?



Csanyi Pal wrote:
Hello!

My system is Debian GNU/Linux Sarge, with kernel 2.6.8.

I get the e-mail from tiger.

Tiger automatic auditor at debian-csp citation:
--------------->
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
NEW: --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit
+installation
NEW: Warning: Possible LKM Trojan installed
---------------<

What can I do now to check whether the LKM Trojan is truly installed?

I appreciate any advice!


Hi

First off, google about it.

Is this a webserver? If so, look in /var/tmp and tmp for binaries / tar.gz files etc. (anything that looks out of the ordinary).
Generally the user and group of the file will be those of the webserver.

And if this machine is 24/7 on the net, may I suggest whatever plans you had for the weekend, cancel them and take that machine off the net.

Better start tightening your services up etc.

For Apache (don't forget to tighten the conf), use nikto to help scan and test for vulnerabilities.
For ssh, maybe add a line in the conf file like AllowUsers for a start.

Oh, and check your logs.

Other than that best of luck.

HTH

Kind Regards
Brent Clark

P.S. It may help to mention what services you are running or what this machine is used for.
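The temp-directory check suggested in the reply above, as an added example that is not part of the original post: it walks /tmp and /var/tmp and lists regular files owned by the web server account that start with ELF, gzip, bzip2 or script magic bytes. The account name `www-data` and the function names `classify` and `scan` are assumptions made for this sketch.

```python
#!/usr/bin/env python3
"""Triage temp directories for dropped binaries, scripts and archives."""
import os
import pwd
import stat
import sys

# Leading bytes of file types worth a closer look in a temp directory.
MAGIC = {
    b"\x7fELF": "ELF binary",
    b"\x1f\x8b": "gzip / tar.gz archive",
    b"BZh": "bzip2 archive",
    b"#!": "script",
}

def classify(path):
    """Return a label if the file starts with a known magic value, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None  # unreadable file: skip it
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None

def scan(roots, owner_uids):
    """List (path, uid, label, is_executable) for matching regular files."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # includes dot-directories
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or st.st_uid not in owner_uids:
                    continue
                label = classify(path)
                if label:
                    findings.append((path, st.st_uid, label, bool(st.st_mode & 0o111)))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: the web server runs as www-data; pass another name as argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else "www-data"
    uid = pwd.getpwnam(user).pw_uid
    for path, _uid, label, is_exec in scan(["/tmp", "/var/tmp"], {uid}):
        print(f"{path}\t{label}\t{'executable' if is_exec else '-'}")
```

If a kernel-level rootkit really is loaded, the running kernel can hide files from this scan, so a clean result from the live system proves little. Running it from rescue media against the mounted disk (pass the mounted paths to `scan`) gives a more trustworthy listing.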


