[EMAIL PROTECTED] wrote:

On Thu, 24 Feb 2005 19:22:22 +1100, O Plameras
<[EMAIL PROTECTED]> wrote:


The following is a sample of a positive result showing a possible
Loadable Kernel Module (LKM) Trojan:

[EMAIL PROTECTED] chkrootkit-0.45]# ./chkrootkit

.........snipped.................
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... br0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
.........snipped..................



Is this a recent version? chkrootkit used not to handle 2.6's new way of
"hiding" threads and reported them as hidden processes just like above.
Apparently recent versions know how to handle this.




My Linux = 2.6.9-rc3-bk1. As a matter of fact I have all sorts of Linux versions
that I run chkrootkit on with no problems.


My chkrootkit = 0.45

My toolboxes are on CDs, in a variety of VERSIONS including 'chkrootkit',
and are kept offline when not in use. I also maintain copies on CDs of my production
OS with cryptographic checksums, which are taken just before it is put online.


With my firewalls and other security-critical servers, I require recompiling kernels,
removing all UNUSED and REDUNDANT modules, as part of the audit process, so
when I get a problem such as the one illustrated above I ONLY need to examine a few
modules instead of TONS of them. As well, I only need to generate fewer cryptographic
checksums, and faster, because I am dealing with a lot fewer files as my security
benchmarks than when I have the stock kernels. In my view, 'chkrootkit' is mainly useful
when you have checksummed a 'virgin' production OS.


I do not leave any crowbar lying around when I park my car, so it was said.
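The chkproc check quoted above works by brute-forcing /proc/<pid> for every candidate PID and comparing what it finds against readdir(/proc) and against ps; on 2.6 kernels, threads are reachable as /proc/<tid> but are neither listed by readdir nor shown by ps, which is exactly what produced the "3 process hidden" warning. The script below is an added example, not chkrootkit's own code and not from the original post: it reimplements that comparison in Python and then filters out threads by reading the Tgid: field of /proc/<pid>/status (a thread has Tgid != Pid). The names classify_pids, naive_hidden, check_live and the MAX_PID value are assumptions of this example. The constructed PID sets in the test illustrate the false positive: a naive diff flags the two threads, the thread-aware diff flags only the process that is genuinely missing from ps.

```python
"""chkproc-style hidden-process check that does not mistake 2.6 threads
for hidden processes.  Added example; not chkrootkit's own code."""
import os
import subprocess

PROC = "/proc"
# Assumption: this range covers the default pid space of a 2.4/2.6 kernel.
# Raise it if /proc/sys/kernel/pid_max is larger.
MAX_PID = 65536


def classify_pids(probe_pids, readdir_pids, ps_pids, tgid_of):
    """Thread-aware comparison.

    probe_pids   : PIDs found by brute-force stat of /proc/<n>
    readdir_pids : PIDs returned by readdir(/proc)
    ps_pids      : PIDs reported by ps
    tgid_of      : pid -> Tgid from /proc/<pid>/status (None if unreadable)
    Returns (hidden_from_readdir, hidden_from_ps, threads).
    """
    threads = set()
    for pid in probe_pids:
        tgid = tgid_of.get(pid)
        if tgid is not None and tgid != pid:
            threads.add(pid)          # a thread, not a thread-group leader
    real = probe_pids - threads
    return real - readdir_pids, real - ps_pids, threads


def naive_hidden(probe_pids, readdir_pids, ps_pids):
    """The comparison without thread handling (the old chkproc behaviour)."""
    return probe_pids - readdir_pids, probe_pids - ps_pids


def read_tgid(pid):
    """Tgid of a live pid, or None if /proc/<pid>/status cannot be read."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None
    return None


def probe_proc(max_pid=MAX_PID):
    """Brute-force every candidate pid, as chkproc does."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{PROC}/{pid}")
            found.add(pid)
        except OSError:
            pass
    return found


def readdir_proc():
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}


def ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(x) for x in out.split()}


def check_live(max_pid=MAX_PID):
    """Two passes, intersected, so short-lived processes that exit between
    the probe and the ps/readdir snapshot are not reported as hidden."""
    passes = []
    for _ in range(2):
        probe = probe_proc(max_pid)
        tgid = {pid: read_tgid(pid) for pid in probe}
        passes.append(classify_pids(probe, readdir_proc(), ps_pids(), tgid))
    hidden_rd = passes[0][0] & passes[1][0]
    hidden_ps = passes[0][1] & passes[1][1]
    return hidden_rd, hidden_ps


if __name__ == "__main__":
    if os.path.isdir(PROC):
        rd, ps = check_live()
        print(f"hidden from readdir: {sorted(rd)}")
        print(f"hidden from ps:      {sorted(ps)}")
        if rd or ps:
            print("Warning: possible LKM trojan (process hidden from readdir/ps)")
```

Two caveats a practitioner should keep in mind: the check only catches a rootkit that filters getdents on /proc but still answers stat/open for the hidden PID, so an LKM that hooks both (or hides its process entirely from /proc) is invisible to it; and the thread filter trusts /proc/<pid>/status, which the same kernel is serving. That is the reason the post pairs chkrootkit with offline media and a checksummed baseline rather than relying on it alone.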

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
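The post's baseline of "a 'virgin' production OS with cryptographic checksums taken just before it is put online" is what turns a chkrootkit warning into something you can act on: you diff the live system against the offline manifest and look only at what changed. The following is an added example of that workflow, written here and not taken from the original post or any particular tool: it builds a sha256 manifest of a tree (in the same two-space "digest  path" layout that sha256sum -c reads), writes it out, and later reports modified, removed and added files. The skip list SKIP_TOPLEVEL, the function names, and the demo() files are assumptions of this example; demo() constructs a tiny fake root in a temporary directory and tampers with it to show the three kinds of change.

```python
"""Build and verify a checksum manifest of a pristine install.
Added example; not from the original post or from any specific tool."""
import hashlib
import os
import shutil
import stat
import tempfile

# Assumption: volatile pseudo-filesystems are left out of the baseline.
SKIP_TOPLEVEL = {"proc", "sys", "dev", "run", "tmp"}


def hash_file(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> digest for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_TOPLEVEL]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(path).st_mode):
                continue                      # skip symlinks, sockets, devices
            manifest[os.path.relpath(path, root)] = hash_file(path)
    return manifest


def write_manifest(manifest, out_path):
    """sha256sum-compatible format: '<digest>  <path>' per line."""
    with open(out_path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def compare(baseline, current):
    """Return (modified, removed, added) relative paths, each sorted."""
    modified = sorted(r for r in baseline
                      if r in current and baseline[r] != current[r])
    removed = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    return modified, removed, added


def demo():
    """Constructed fake root: baseline it, tamper with it, diff it."""
    root = tempfile.mkdtemp(prefix="baseline-")
    fd, manifest_path = tempfile.mkstemp(suffix=".sha256")
    os.close(fd)
    try:
        files = {
            "bin/ls": b"ls, pristine",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "lib/libc.so": b"libc",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        write_manifest(build_manifest(root), manifest_path)   # taken "before online"

        # Simulated tampering: trojaned binary, deleted library, dropped file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ls, trojaned")
        os.remove(os.path.join(root, "lib", "libc.so"))
        with open(os.path.join(root, "bin", ".rk"), "wb") as f:
            f.write(b"dropper")

        return compare(read_manifest(manifest_path), build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        os.remove(manifest_path)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # manifest.py ROOT OUT
        write_manifest(build_manifest(sys.argv[1]), sys.argv[2])
    elif len(sys.argv) == 4 and sys.argv[1] == "--verify":
        mod, rem, add = compare(read_manifest(sys.argv[3]),
                                build_manifest(sys.argv[2]))
        for label, items in (("modified", mod), ("removed", rem), ("added", add)):
            for rel in items:
                print(f"{label}: {rel}")
    else:
        print(demo())
```

The manifest is only as trustworthy as the kernel that read the files, so the verify step belongs on the offline CD the post describes, run against the suspect disk from a boot you trust; a kernel rootkit can feed the checksum tool the original file contents while the real binary on disk is different.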
