> On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
> > Checking `lkm'... You have 69 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > Could this be *true* ? How can I discover it?
> If this is true, then your 'ps' binary has been replaced with one that filters
> certain processes from your viewing.
> The best, easiest method to determine if this is true, is to change
> directories to your /proc filesystem, and manually compare the PID
> corresponding directories to the PIDs you see in your ps output. If you

If it's an LKM trojan, they wouldn't show up in /proc, would they?

> notice extra PIDs (which you will quickly notice if you in fact have 69 hidden
> processes), then you should enter their corresponding directories and analyse
> the information within, to see if the process is malicious.
> If manually comparing your proc filesystem to your ps output seems like a
> daunting task, you could try downloading a fresh ps binary to your box, one
> which isn't backdoored. Only problem with this is, once it is on your
> potentially infected box, its output can no longer be trusted, as one of
> those 69 processes could maim the output of your new ps, not to mention how
> easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do so.

The theory on this is that you need to boot off a clean filesystem (cf. Knoppix), and then use the clean boot to analyse the filesystems on the compromised box. I don't know enough to help you with analysis, though.

Thanks,

Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: [EMAIL PROTECTED]
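The /proc-versus-ps comparison from the quoted reply, written out as an added example (not code from anyone in the thread). It assumes a Linux box with procfs and a `ps` that accepts `-e -o pid=`; it takes several snapshots so that processes starting or exiting between the two listings are not mistaken for hidden ones, and, as Tim's question notes, it only detects a trojaned ps, not a kernel-level rootkit that also filters /proc.

```python
import os
import subprocess
import time


def proc_pids():
    """PIDs the kernel currently exposes as numeric directories under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by the local ps binary, the output the thread says may be filtered."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_from_ps(proc_view, ps_view):
    """PIDs present in the /proc listing but absent from the ps listing."""
    return proc_view - ps_view


def persistently_hidden(rounds):
    """Intersect the hidden set across several (proc, ps) snapshot pairs.

    A process that starts or exits between the two listings of one round shows up
    as a one-off difference; a PID hidden in every round is the one worth examining.
    """
    hidden = None
    for proc_view, ps_view in rounds:
        diff = hidden_from_ps(proc_view, ps_view)
        hidden = diff if hidden is None else hidden & diff
    return sorted(hidden or ())


def describe_pid(pid):
    """The 'analyse the information within' step: pull basic facts from /proc/<pid>."""
    base = f"/proc/{pid}"
    info = {"pid": pid}
    try:
        with open(f"{base}/comm") as f:
            info["comm"] = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        info["exe"] = os.readlink(f"{base}/exe")  # needs privilege for other users' processes
    except OSError as err:
        info["error"] = str(err)  # process exited, or permission denied
    return info


def check_live(samples=3, pause=0.5):
    """Take `samples` snapshot pairs and describe any PID hidden from ps in all of them."""
    rounds = []
    for _ in range(samples):
        rounds.append((proc_pids(), ps_pids()))
        time.sleep(pause)
    return [describe_pid(pid) for pid in persistently_hidden(rounds)]


if __name__ == "__main__":
    for entry in check_live():
        print(entry)
```

Run it as root so /proc/<pid>/exe is readable for every process; an empty result means ps and procfs agree, which says nothing about what a kernel backdoor might be hiding from both.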