On Sun, 2002-06-09 at 07:19, Terry Browning wrote:
> Maybe it's my paranoia, but I've been adding a few tools to my system
> recently, and I've had a small panic as a result.
>
> Using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Should I panic and if so, how much?

Did you run chkrootkit more than once to see if it consistently reported
a hidden process? From the FAQ:

# How accurate is chkproc?
If you run chkproc on a server that runs lots of short time processes it
could report some false positives. chkproc compares the ps output with
the /proc contents. If processes are created/killed during this operation
chkproc could point out these PIDs as suspicious.

When I've suspected a rootkit in the past, I've copied over a statically
linked copy of busybox built on a trusted host to check the usual suspects
manually (primarily the process list, and the commonly modified binaries
in /bin and /usr/bin). Since the suspicion is an LKM rootkit, though, you
can't be certain that the syscalls are returning valid information.
However, you can check for this by comparing the syscalls on the system
with the contents of System.map. There's some good information about LKM
rootkits and a utility for checking for them at:

http://la-samhna.de/library/lkm.html

> Also, `nmap -sS -p 1-65535 127.0.0.1` says:
> 8000/tcp open unknown
> 8200/tcp open unknown
> 10000/tcp open unknown
>
> and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
> All 65535 scanned ports on (...) are: filtered
>
> Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
> chasing my tail?

Just because someone manages to get a rootkit installed doesn't mean that
they successfully left a way into the box :) I've run into several cases
where someone got remote access to a machine through a hole, installed all
sorts of rootkits and what have you, but fubared their method for getting
back into the box (in one case they copied a daemon linked against a newer
version of glibc than was on the box, in another they added entries to
inetd.conf when the machine was running xinetd, in another they put in a
hacked sshd binary but failed to restart the service).

You have to remember that a large number of hacks are done by script
kiddies with little to no real understanding of what they're doing. :)

Another possibility, if you've been doing security changes, is that a
compromise happened before you started filtering ports; e.g. if you
installed ipchains with a default deny policy on incoming connections the
kit might still be listening on the port, but it doesn't matter.

If you get a trusted copy of netstat at the box, you can check for
programs listening on sockets with:

netstat -lnp

This will list all listeners with the PID that has said socket open. The
same caveat about an LKM rootkit still applies though.

> What is the best strategy for dealing with an LKM kit? Reinstall linux
> from CD or try to remove it?

If you do discover a rootkit, unless you have very very very good reasons
for doing otherwise, reinstall. Just because you successfully discovered
and removed one rootkit doesn't mean there aren't other potential security
problems on the machine. In at least half the instances of rooted machines
I've found multiple rootkits and other security compromises.

The policy at my company and on my home network is to consider a machine
untrusted if any strong indicator of an exploit is found. The machine is
then rebuilt and not made network accessible until it has been
reinstalled, all relevant security updates installed, and packet filtering
set up.

Anyways, hope this has been helpful. It being a few days later you may
very well have handled this issue already. :)

Matt
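The /proc-versus-ps comparison that the chkrootkit FAQ describes, together with the "run it more than once" check from the reply above, as an added example that is not part of the thread and not chkrootkit's own code. It assumes a Linux /proc and a procps-style ps that accepts `-eo pid=`; the PID sets in the test are constructed, not taken from a real system.

```python
"""Compare the PIDs visible in /proc with the PIDs ps reports, the way
chkrootkit's chkproc does, and repeat the comparison so that processes
that merely started or exited between the two reads (the FAQ's false
positives) drop out of the result.

Added illustration; not code from the mailing-list thread or from
chkrootkit. Assumes a Linux /proc and a ps that understands -eo pid=.
"""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directory names in /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as reported by ps. A trojaned ps binary filters this view only;
    an LKM that hides a process from /proc itself hides it from both views,
    which is why this check alone cannot clear an LKM suspicion."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_view, ps_view):
    """PIDs present in /proc but missing from the ps listing."""
    return proc_view - ps_view


def consistently_hidden(snapshots):
    """Intersect the hidden set over several (proc_view, ps_view) snapshots.

    A PID that is flagged in every round cannot be explained by a process
    that happened to be created or killed between one pair of reads, so
    only those survive. An empty snapshot list yields an empty set.
    """
    result = None
    for proc_view, ps_view in snapshots:
        hidden = hidden_pids(proc_view, ps_view)
        result = hidden if result is None else result & hidden
    return result if result is not None else set()


def scan(rounds=5, delay=0.5):
    """Take `rounds` live snapshots (ps first, then /proc, a short pause
    between rounds) and return only the PIDs hidden in all of them."""
    snapshots = []
    for _ in range(rounds):
        ps_view = ps_pids()
        snapshots.append((proc_pids(), ps_view))
        time.sleep(delay)
    return consistently_hidden(snapshots)


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        print("PIDs consistently hidden from ps:", sorted(hidden))
    else:
        print("No PID is hidden from ps across all rounds "
              "(an LKM hiding entries from /proc itself would not show here)")
```

Run it from a statically linked, trusted ps (the busybox approach in the reply) rather than the system's own binary, since a replaced ps is exactly what this check is meant to catch. A PID that survives every round is worth a look in /proc/<pid>/exe and /proc/<pid>/cmdline; an empty result only rules out the ps-binary case, and the System.map comparison mentioned above is still needed before trusting what the kernel itself reports.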