On 9 Jun 2002, Terry Browning wrote:

> Should I panic and if so, how much?

This really depends on how valuable your system is. It's possible you've been hacked and someone maintains access to your machine other than those you know about.

> Also, `nmap -sS -p 1-65535 127.0.0.1` says:
> 8000/tcp open unknown
> 8200/tcp open unknown
> 10000/tcp open unknown
>
> and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
> All 65535 scanned ports on (...) are: filtered

I'm not understanding why you're using a stealth scan against your own box. You know it's you, why stealth? That aside, if a hacker has a rootkit installed, they don't need any special port open. They can access your system like a regular user. I assume you have remote access to this box somehow, and if that's the case, so do they most likely. Aside from that, the LKM is a loadable kernel module rootkit. At the kernel level, depending on how good the hacker was, he or she could do quite a bit.

Here's a description of someone's LKM: http://it.rising.com.cn/safety/safetyschool/ywyb/020129lkm.htm

> What is the best strategy for dealing with an LKM kit? Reinstall linux
> from CD or try to remove it?

Rebuild from CD if you're not sure. If you don't, anything that happens will always come back to "hmm... was I hacked back then?".

Ben
--
A tiger never returns to his prey he did not finish off.
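
A cross-view check for the open ports quoted in this thread, as an added example that is not part of the original message: it compares what a scan sees with what the kernel's own socket table admits to, since kernel-level tampering can make the two disagree. The function names and both sample inputs are constructed for illustration, and the missing 8200 listener is deliberate.

```python
import re

# Constructed sample: an nmap port table like the one quoted in the thread.
NMAP_OUTPUT = """\
8000/tcp   open  unknown
8200/tcp   open  unknown
10000/tcp  open  unknown
"""

# Constructed sample in /proc/net/tcp format (columns after "st" omitted).
# The listener on 8200 is deliberately absent to show a mismatch.
PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:1F40 00000000:0000 0A
   1: 0100007F:2710 00000000:0000 0A
   2: 0100007F:0016 0100007F:C350 01
"""

TCP_LISTEN = 0x0A  # state code for LISTEN in /proc/net/tcp


def nmap_open_ports(text):
    """Return the set of TCP ports an nmap port table reports as open."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.MULTILINE)}


def proc_listening_ports(text):
    """Return the set of ports in LISTEN state from /proc/net/tcp content."""
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        _addr, port_hex = fields[1].split(":")  # local address is HEXIP:HEXPORT
        if int(fields[3], 16) == TCP_LISTEN:
            ports.add(int(port_hex, 16))
    return ports


def unexplained_ports(nmap_text, proc_text):
    """Ports that answer a scan but are missing from the kernel's own table."""
    return sorted(nmap_open_ports(nmap_text) - proc_listening_ports(proc_text))


if __name__ == "__main__":
    print("open but not listed locally:",
          unexplained_ports(NMAP_OUTPUT, PROC_NET_TCP))
```

A non-empty result means the local view is hiding a listener; an empty result does not clear the machine, because a kernel module can alter both views.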