possible LKM rootkit infection
Matt Alexander
plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 07:59:56 -0700 (PDT)
It's possible that the "lsof" command wasn't trojaned, since most root
kits don't check for it. Try "lsof -ni" and see if there's any difference
between "netstat -lp". If so, copy over a new "ps" and "ls" and "netstat"
from another machine that you know hasn't been compromised (a fresh install
is best, and make sure it's the same arch/distro). If lsof shows an
unusual port, check to see what program is running in the far left column.
Locate that program and run "strings" on it to get more info. This should
get you started. Keep us updated on what you find.
Thanks,
~M
On Wed, 19 Jun 2002, technomage wrote:
> ok, my rootkit checker spit out a line that has me concerned.
> it read back checking for LKM and found 4 processes that were invisible to
> both readdir and ps.
>
> This has me a little nervous now. I need to know if I am actually infected
> and if so, how bad and what I can do about it.
>
> I need assistance ASAP here.
>
> I can be reached via telephone at (623)849-9515 or respond directly by e-mail.
> if anyone has answers for me, I'd appreciate it.
>
> thanks.
>
> --
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>