Re: Trojan installed?
On Fri, Apr 07, 2006 at 05:20:24PM +0200, Brent Clark wrote:
> Csanyi Pal wrote:
> >
> >Tiger automatic auditor at debian-csp citation:
> >--------------->
> ># Running chkrootkit (/usr/sbin/chkrootkit) to perform further
> >checks...
> >NEW: --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit
> >+installation
> >NEW: Warning: Possible LKM Trojan installed
> >---------------<
> >
> >What can I do now to check whether the LKM Trojan is truly installed?
>
> Is this a webserver? If so, look in /var/tmp and /tmp for binaries /
> tar.gz files etc. (anything that looks out of the ordinary).
> Generally the user and group of the file will be of the webserver.
On this machine I installed apache 1.3.33.
I looked in /var/tmp and /tmp for binaries that look
out of the ordinary, but found nothing.
> And if this machine is 24/7 on the net.
No, it isn't 24/7 on the net.
> May I suggest whatever plans you had for the weekend, cancel them and take
> that machine off the net.
>
> Better start tightening your services up etc.
>
> For apache (don't forget to tighten the conf) use nikto to help scan and test
> for vulnerabilities.
I have now installed nikto.
I ran nikto and got some messages, but nothing serious.
> For ssh, maybe add a line in the conf file like AllowUsers for a start.
>
> Oh, and check your logs.
Nothing serious found.
> Other than that best of luck.
Thanks!
> HTH
>
> Kind Regards
> Brent Clark
>
> P.s. It may help to mention what services you are running or what this
> machine is used for.
I use the Window Maker desktop environment on this machine.
--
Regards, Csányi Paul
http://www.ektf.hu/~Csanyi.Pal (Up to now, it is in Hungarian only.)
http://csanyipal.info/moodle <<<--- Moodle - Course Management System
http://csanyipal.info:81 <<<--- sTeam - Cooperative Learning
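
The check suggested in the quoted reply (files in /var/tmp and /tmp owned by the web server account) can be scripted so it does not depend on spotting odd names by eye. This is an added example, not part of the original messages; the function names `file_kind` and `scan_tmp_owner` are hypothetical, and the owner account is a parameter you supply.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage: sh scan_tmp.sh OWNER DIR [DIR...]
#   e.g. sh scan_tmp.sh www-data /tmp /var/tmp
# (www-data is the account Debian's Apache packages run as; adjust if yours differs.)

# Classify a file by its leading magic bytes instead of trusting its name.
file_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46) echo ELF ;;      # compiled executable or shared object
        1f8b*)    echo GZIP ;;     # .gz / .tar.gz archive
        2321*)    echo SCRIPT ;;   # starts with "#!"
        *)        echo OTHER ;;    # includes empty and unreadable files
    esac
}

# Print "KIND EXEC PATH" for each regular file owned by OWNER that is a
# binary, archive or script, or that is executable for the invoking user.
scan_tmp_owner() {
    owner=$1; shift
    # -xdev: do not cross into other filesystems; -type f: regular files only
    find "$@" -xdev -type f -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        kind=$(file_kind "$f")
        if [ -x "$f" ]; then exec_flag=x; else exec_flag=-; fi
        if [ "$kind" != OTHER ] || [ "$exec_flag" = x ]; then
            printf '%s %s %s\n' "$kind" "$exec_flag" "$f"
        fi
    done
}

# Scan only when an owner and at least one directory are given.
if [ "$#" -ge 2 ]; then scan_tmp_owner "$@"; fi
```

Run it as root so unreadable files are still classified; ordinary session or cache files owned by the web server account are not reported.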