> On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
> > Checking `lkm'... You have    69 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > Could this be *true* ? How can I discover it?
> If this is true, then your 'ps' binary has been replaced with one that
> filters certain processes from your viewing.
> The best, easiest method to determine if this is true, is to change
> directories to your /proc filesystem, and manually compare the PID
> corresponding directories to the PIDs you see in your ps output. If you

    If it's an LKM trojan, they wouldn't show up in /proc, would they?

> notice extra PIDs (which you will quickly notice if you in fact have 69
> hidden processes), then you should enter their corresponding directories and
> analyze the information within, to see if the process is malicious.
> If manually comparing your proc filesystem to your ps output seems like a
> daunting task, you could try downloading a fresh ps binary to your box,
> one which isn't backdoored. Only problem with this is, once it is on your
> potentially infected box, its output can no longer be trusted, as one of
> those 69 processes could maim the output of your new ps, not to mention
> how easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could
> do.

    The theory on this is that you need to boot off a clean filesystem (cf.
Knoppix), and then use the clean boot to analyse the filesystems on the
compromised box.  I don't know enough to help you with analysis, though.

    Thanks,

Tim Nelson
Systems Administrator
Sunet Internet
Tel:  +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: [EMAIL PROTECTED]
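The /proc-versus-ps comparison described in the quoted reply, as an added example that is not part of this thread. It assumes a procps-style `ps -e -o pid=` and a Linux /proc; the direct-lookup probe at the end is an extra check for the LKM case Tim raises, since a hook that only filters directory listings still answers a lookup by path.

```shell
#!/bin/sh
# Added example: compare the PIDs the kernel exposes under /proc with the
# PIDs that ps reports. A PID present in /proc but missing from ps output
# means ps (or something feeding it) is filtering.
LC_ALL=C
export LC_ALL

# hidden_pids "<pids seen in /proc>" "<pids seen by ps>"
# Prints, space-separated, every PID in the first list that is absent
# from the second. Both arguments are whitespace-separated strings.
hidden_pids() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' $1 | sort -u > "$a"
    printf '%s\n' $2 | sort -u > "$b"
    comm -23 "$a" "$b" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$a" "$b"
}

# PIDs visible by listing the /proc directory (what a user-space ps reads).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s ' "${d#/proc/}"
    done
}

# PIDs the (possibly trojaned) ps binary is willing to show.
ps_pids() {
    ps -e -o pid= | tr -s ' \n' ' '
}

# Caveat from the thread: a kernel-level rootkit can also hide a PID from
# the /proc directory listing, so the diff above stays clean. Probe each
# PID by path instead of relying on readdir; assumed default range 1..32768
# (compare with /proc/sys/kernel/pid_max on the box).
probe_pid_range() {
    max=${1:-32768}; p=1
    while [ "$p" -le "$max" ]; do
        [ -e "/proc/$p/status" ] && printf '%s ' "$p"
        p=$((p + 1))
    done
}

report() {
    listed=$(proc_pids)
    echo "PIDs in /proc listing but not in ps output: $(hidden_pids "$listed" "$(ps_pids)")"
    echo "PIDs found by direct lookup but missing from /proc listing: $(hidden_pids "$(probe_pid_range)" "$listed")"
}

if [ "${1:-}" = "--run" ]; then report; fi
```

As the quoted reply notes, run it from a ps and shell you trust (for example after booting clean media, as Tim suggests), since a compromised userland can lie to this script just as it lies to ps.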
