On Fri, 07 Feb 2003, Rivanor P. Soares wrote:

> While running 'chkrootkit' at my box (RH 7.3) I saw the following:
>
> Checking `lkm'... You have 69 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Could this be *true*? How can I discover it?
First of all - disconnect from the network. Second - copy your logs and all system files to another device (CD, hard disk, whatever). Then - when you've made a copy of the whole system, try to verify the packages:

    rpm -Va

Look at /proc and compare the existing processes to what ps shows you. Check if there are any backdoors in your system - new open ports, new suid files, modified daemons, libraries, files with chattr +i, or anything suspicious. And remember - write down everything you're doing (see script(1))!

--
............. Robert Jaroszuk - zim<at>tx<dot>pl .............
GCS/IT/O d? s: a-- C++ ULB++++$ P+ L++++$ E--- W- N+ w-- O- M- V- PS+ PE Y(+) PGP-(+++) t-- 5? X- R* tv-- DI++ b++>+++ DI- D-
... The superior warrior wins without fighting -- Sun Tzu. ...
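One way to carry out the /proc-versus-ps comparison and the suid-file sweep suggested in the reply above, as an added shell example that is not part of the original thread (the function names are my own, and the sample PID lists are constructed):

```shell
#!/bin/sh
# Added example (not from the thread): the /proc-versus-ps comparison that
# chkrootkit's `lkm' check performs, plus a setuid/setgid file sweep.
# Function names are my own.

# hidden_pids PROC_LIST PS_LIST
# Print every PID in PROC_LIST (whitespace-separated) that PS_LIST lacks.
# A process visible in /proc but missing from ps is what a process-hiding
# LKM rootkit looks like from userland.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        if ! printf '%s\n' $ps_list | grep -qx "$pid"; then
            printf '%s\n' "$pid"
        fi
    done
}

# live_hidden_pids: snapshot /proc, then ps, and report PIDs that ps did
# not show and that still exist afterwards (a PID that vanished in
# between was a short-lived process, not a hidden one).
live_hidden_pids() {
    proc_snapshot=$(ls /proc | grep -E '^[0-9]+$')
    ps_snapshot=$(ps -e -o pid= | tr -d ' ')
    for pid in $(hidden_pids "$proc_snapshot" "$ps_snapshot"); do
        [ -d "/proc/$pid" ] && printf 'hidden from ps: %s\n' "$pid"
    done
    return 0
}

# suid_files ROOT: sorted list of setuid/setgid regular files under ROOT,
# to diff against the same listing taken from the known-good copy.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample: /proc lists PID 42 but ps does not report it.
sample_proc="1 42 77"
sample_ps="1 77"
hidden_pids "$sample_proc" "$sample_ps"    # prints 42

# Live check, only where /proc and ps are available.
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    live_hidden_pids
fi
```

Run the live check twice; a PID reported both times is worth inspecting by hand under /proc/PID (cmdline, exe, maps), since a genuinely hidden process will not go away between runs.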