On Sun, Jun 09, 2002 at 12:19:57PM +0100, Terry Browning did this all over the keyboard:
> Maybe it's my paranoia, but I've been adding a few tools to my system
> recently, and I've had a small panic as a result.
>
> Using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Should I panic and if so, how much?
It depends. Does chkrootkit complain about this every time you run it? If so, I'd panic.

I had the same output some weeks ago, and it turned out that it must have been some ordinary process running between the two checks that are performed by chkproc. It compares the output of 'ps' against /proc/$PID, where $PID is the PID of every process currently running. So if it happens that some ordinary process gets started between those two checks, chkrootkit will complain about it. When I ran chkrootkit manually afterwards, this complaint had disappeared.

Check your IDS. Check against your backups. Put some tools like ps, ifconfig, netstat, lsof, ls, find etc. from a secure source on a floppy and run them. If you can't be 100% sure your box is clean, reinstall!

> Also, `nmap -sS -p 1-65535 127.0.0.1` says:
> 8000/tcp open unknown
> 8200/tcp open unknown
> 10000/tcp open unknown
>
> and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
> All 65535 scanned ports on (...) are: filtered
>
> Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
> chasing my tail?

No idea on this, sorry.

> What is the best strategy for dealing with an LKM kit? Reinstall linux
> from CD or try to remove it?

Well, how critical is this machine? If it's just a home machine, I'd try to remove it just for fun. If not, reinstall.

HTH, regards
Willi

--
never offend people with style when you can offend them with substance.
--Sam Brown
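The race Willi describes (a process that starts or exits between the `ps` listing and the `/proc` walk, so that one PID shows up in one snapshot but not the other) is easy to reproduce and easy to rule out. The script below is an added example written for this thread; it is not chkrootkit's own code and not Willi's. It makes the same `ps`-versus-`/proc` comparison, then re-samples each disputed PID a moment later: a PID that is still present in `/proc` and still missing from `ps` stays on the "hidden" list, while one that has vanished (or has since appeared in `ps`) was just a short-lived process. It goes one step past the post by also probing PIDs with `kill(pid, 0)`, which catches a hider that filters the `/proc` directory listing itself. The `SNAP_*` and `LATER_*` sets are constructed sample snapshots, not taken from any real machine; the `ps -eo pid=` invocation, the 32768 probe cap and the 0.5 s re-sample delay are my assumptions.

```python
"""
Added example (not chkrootkit's code, not from the original thread):
reproduce the ps-versus-/proc comparison, show the one-shot false positive
caused by a transient process, and re-sample to separate transient from hidden.
"""
import os
import subprocess
import time


def ps_pids():
    """PIDs as reported by ps on the live system (what an LKM would filter)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def proc_pids():
    """PIDs present as numeric directories in /proc on the live system."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_pids(pid_max):
    """PIDs that answer to kill(pid, 0). ProcessLookupError means no such
    process; PermissionError means it exists but is not ours. This sees a
    process even if something filters /proc's directory listing."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            found.add(pid)
    return found


def single_pass(ps_set, proc_set):
    """The one-shot comparison: in /proc but not in ps => 'hidden for ps'.
    A process that starts between the ps run and the /proc walk lands here."""
    return proc_set - ps_set


def classify(ps_set, proc_set, resample):
    """Re-sample every disputed PID. `resample(pid)` returns (in_ps, in_proc)
    taken later. Still in /proc and still absent from ps => hidden; anything
    else was a process that started or exited between the two listings."""
    hidden, transient = set(), set()
    for pid in single_pass(ps_set, proc_set):
        in_ps, in_proc = resample(pid)
        (hidden if in_proc and not in_ps else transient).add(pid)
    return hidden, transient


def live_check(delay=0.5, probe_cap=32768):
    """Run the comparison on this machine, re-sampling after `delay` seconds.
    The /proc view is widened with a kill(pid, 0) probe (assumed cap of
    32768 PIDs to keep the loop short)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = min(int(f.read()), probe_cap)
    ps_set = ps_pids()
    proc_set = proc_pids() | probe_pids(pid_max)
    time.sleep(delay)
    later_ps, later_proc = ps_pids(), proc_pids() | probe_pids(pid_max)
    return classify(ps_set, proc_set,
                    lambda pid: (pid in later_ps, pid in later_proc))


# Constructed snapshots (not from a real machine): 301 is a short-lived
# process that appeared after ps ran and was gone by the re-sample;
# 4242 is present in /proc both times and never shown by ps.
SNAP_PS = {1, 2, 300}
SNAP_PROC = {1, 2, 300, 301, 4242}
LATER_PS = {1, 2, 300}
LATER_PROC = {1, 2, 300, 4242}


def constructed_resample(pid):
    """Re-sample against the constructed 'later' snapshots."""
    return pid in LATER_PS, pid in LATER_PROC


if __name__ == "__main__":
    print("single pass flags:", sorted(single_pass(SNAP_PS, SNAP_PROC)))
    hidden, transient = classify(SNAP_PS, SNAP_PROC, constructed_resample)
    print("hidden:", sorted(hidden), "transient:", sorted(transient))
    if os.path.isdir("/proc/self"):
        hidden, transient = live_check()
        print("live hidden:", sorted(hidden), "live transient:", sorted(transient))
```

On the constructed data the single pass reports two "hidden" PIDs, exactly the kind of one-off warning in the original post; after re-sampling only 4242 survives, which is the case worth worrying about. Run it on a live box with the chkrootkit-style caveat in mind: if the `ps` on the machine is itself trojaned, compare against a known-good `ps` from read-only media rather than the one in `$PATH`.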