Hello gurus!
I think my Linux Mandrake 9.0 is infected with a new rootkit. I currently use chkrootkit version 0.41-1mdk. A scan turns up negative, but I find interesting dates and entries in my /dev directory:

total 0
drwxr-xr-x 1 root root 0 Jan 1 1970 cdroms/
drwxr-xr-x 1 root root 0 Jan 1 1970 cpu/
drwxr-xr-x 1 root root 0 Jan 1 1970 cua/
crw------- 1 root root 241, 64 Jan 1 1970 cuaHSF0
drwxr-xr-x 1 root root 0 Jan 1 1970 discs/
drwxr-xr-x 1 root root 0 Jan 1 1970 fb/
drwxr-xr-x 1 root root 0 Jan 1 1970 floppy/
crw-rw-rw- 1 root root 1, 7 Jan 1 1970 full
drwxr-xr-x 1 root root 0 Jan 1 1970 ide/
crw-r----- 1 root root 1, 2 Jan 1 1970 kmem
drwxr-xr-x 1 root root 0 Jan 1 1970 md/
crw-r----- 1 root root 1, 1 Jan 1 1970 mem
drwxr-xr-x 1 root root 0 Jan 1 1970 misc/
crw-rw-rw- 1 root root 1, 3 Jan 1 1970 null
crw-rw-rw- 1 root root 195, 0 Jan 1 1970 nvidia0
crw-rw-rw- 1 root root 195, 255 Jan 1 1970 nvidiactl
crw-r----- 1 root root 1, 4 Jan 1 1970 port
crw------- 1 root root 108, 0 Jan 1 1970 ppp
drwxr-xr-x 1 root root 0 Jan 1 1970 printers/
drwxr-xr-x 1 root root 0 Jan 1 1970 pty/
crw-r--r-- 1 root root 1, 8 Jan 1 1970 random
drwxr-xr-x 1 root root 0 Jan 1 1970 raw/
drwxr-xr-x 1 root root 0 Jan 1 1970 rd/
drwxr-xr-x 1 root root 0 Jan 1 1970 scsi/
drwxr-xr-x 1 root root 0 Jan 1 1970 shm/
drwxr-xr-x 1 root root 0 Jan 1 1970 snd/
drwxr-xr-x 1 root root 0 Jan 1 1970 sound/
drwxr-xr-x 1 root root 0 Jan 1 1970 tts/
crw-rw-rw- 1 root root 5, 0 Jan 1 1970 tty
crw-r--r-- 1 root root 1, 9 Jan 1 1970 urandom
drwxr-xr-x 1 root root 0 Jan 1 1970 usb/
drwxr-xr-x 1 root root 0 Jan 1 1970 vc/
drwxr-xr-x 1 root root 0 Jan 1 1970 vcc/
crw-rw-rw- 1 root root 1, 5 Jan 1 1970 zero

The full listing of the /dev directory is in the attached check.txt.

Here are other errors that I've encountered with msec:

Sep 9 23:01:02 desktop msec: set variable CHKROOTKIT_CHECK to no in /var/lib/msec/security.conf

Here are others:

Sep 11 11:39:30 desktop depmod: *** Unresolved symbols in /lib/modules/2.4.19-16mdk/kernel/arch/i386/mki-adapter/mki-adapter.o

How do I remove this rootkit? I've been hit by this rootkit before, and no matter how many times I repartition and reinstall the OS, the rootkit still appears. I have a hunch that it is in a certain rpm, but which rpm? I hope you can help me with this. This rootkit runs until such time as it decides to write random garbage to my data and takes down the hard drive with a "missing operating system" message at bootup.

Thanks in advance,
optimus

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
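The post's approach of eyeballing a saved `ls -l /dev` listing can be made systematic. The script below is an added example for this thread, not the poster's code and not part of chkrootkit: it parses `ls -l` lines and flags the classic hiding spots a responder checks in /dev (regular or hidden files, setuid files, and world-accessible mem/kmem/port devices). The sample listing is constructed: its first lines copy entries from the post, and the `.x`, `.tmp/` and loosened `port` lines are invented to show what a positive finding looks like. Devfs-style directory entries with a Jan 1 1970 date, as in the post, are not flagged by themselves, since the date alone says nothing about integrity.

```python
"""Triage a saved `ls -l /dev` listing for classic rootkit hiding spots.

Added example for this thread, not the poster's code. The sample
listing below is constructed: its first lines copy the post's
devfs-style entries, the last three are made-up suspicious entries.
"""
from dataclasses import dataclass
from typing import List, Optional

# Devices that expose kernel memory / I/O ports; loosened permissions
# on these are a classic sign of tampering.
SENSITIVE_DEVICES = {"mem", "kmem", "port"}


@dataclass
class DevEntry:
    ftype: str            # '-' file, 'd' dir, 'c'/'b' device, 'l' symlink ...
    mode: str             # nine permission chars, e.g. 'rw-r-----'
    owner: str
    group: str
    major: Optional[int]  # device numbers, None for non-devices
    minor: Optional[int]
    size: Optional[int]   # byte size, None for devices
    name: str             # trailing '/' from `ls -F` stripped


def parse_ls_line(line: str) -> Optional[DevEntry]:
    """Parse one `ls -l` line; returns None for 'total 0' and junk."""
    tokens = line.split()
    if len(tokens) < 9 or tokens[0][0] not in "-dcblps":
        return None
    ftype, mode = tokens[0][0], tokens[0][1:10]
    owner, group = tokens[2], tokens[3]
    if ftype in "cb":
        # device lines carry "major, minor" instead of a size
        if len(tokens) < 10:
            return None
        major, minor, size = int(tokens[4].rstrip(",")), int(tokens[5]), None
        name = " ".join(tokens[9:])
    else:
        major, minor, size = None, None, int(tokens[4])
        name = " ".join(tokens[8:])
    return DevEntry(ftype, mode, owner, group, major, minor, size, name.rstrip("/"))


def triage(listing: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd."""
    findings: List[str] = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e is None:
            continue
        if e.ftype == "-":
            findings.append(f"{e.name}: regular file under /dev")
        if e.name.startswith("."):
            findings.append(f"{e.name}: hidden name under /dev")
        if e.ftype == "-" and "s" in (e.mode[2].lower(), e.mode[5].lower()):
            findings.append(f"{e.name}: setuid/setgid file under /dev")
        # mode[6] / mode[7] are the "others" read / write bits
        if e.name in SENSITIVE_DEVICES and (e.mode[6] == "r" or e.mode[7] == "w"):
            findings.append(f"{e.name}: accessible by others ({e.mode})")
    return findings


# Constructed sample: post entries first, then three invented suspicious lines.
SAMPLE_LISTING = """\
total 0
drwxr-xr-x 1 root root 0 Jan 1 1970 cdroms/
crw-rw-rw- 1 root root 1, 7 Jan 1 1970 full
crw-r----- 1 root root 1, 2 Jan 1 1970 kmem
crw-r----- 1 root root 1, 1 Jan 1 1970 mem
crw-rw-rw- 1 root root 1, 3 Jan 1 1970 null
-rwsr-xr-x 1 root root 24576 Sep 9 23:01 .x
drwxr-xr-x 2 root root 4096 Sep 9 23:01 .tmp/
crw-rw-rw- 1 root root 1, 4 Jan 1 1970 port
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print(finding)
```

Run it against a listing captured with `ls -lF /dev > check.txt` from a known-good rescue environment, since `ls` on a suspect host may itself be replaced. A hit is a lead, not a verdict: a legitimate `/dev/MAKEDEV` script will show up as a regular file, so every finding still needs comparison against the package database or clean install media.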
