possible LKM rootkit infection

Tom Emerson plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 08:20:08 -0700 (MST)


Tell more about your rootkit checker, sounds like a really handy tool!

The very few root'd *nix boxes we've handled generally start with clean 
copies of binaries such as: ps, lsof, netstat, lsattr (for Linux ext2), 
...

If necessary, mount a CD with the binaries you'll need, or NFS from a 
shared CD.  (Favor a CD so you're certain your binaries can't be overwritten 
by a clever rootkit.)

Most that I recall have been Linux boxen.  Between a clean netstat (netstat 
-pan) and sniffing around the filesystem with lsattr & ls, you find most of 
the little nasties.  Start easy: copy a clean netstat over and have a 
look-see.  I have not yet seen a rootkit that really defends itself 
against the sysadmin copying over a clean binary and using it to look 
around.

If you suspect a stealth kernel, reboot from a CD, then hunt the 
filesystem.

'course my favorite is to just slick the machine, reinstall ... sometimes 
that is quicker.

Running nmap against the suspected target may show you hidden listeners.  
If you wish, post the IP & whether there is a firewall; I'm sure 
several on the list would be happy to sweep your box from outside your 
network.  (Which is always a good thing to do!  See if your configuration 
is really doing what you think it is doing!!)

 - tom e.
------------------------------------------

On Wed, 19 Jun 2002, technomage wrote:

OK, my rootkit checker spit out a line that has me concerned.
It read back "checking for LKM" and found 4 processes that were invisible to 
both readdir and ps.

This has me a little nervous now. I need to know if I am actually infected 
and if so, how bad and what I can do about it.

I need assistance ASAP here.

I can be reached via telephone at (623)849-9515 or respond directly by e-mail.
If anyone has answers for me, I'd appreciate it.

Thanks.
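The checker line technomage quotes (processes invisible to both readdir and ps) and Tom's advice to compare a clean binary's view with the system's own come down to one cross-check: probe each /proc/<pid> directly and diff that against what the directory listing and ps report. The script below is an added example for this thread, not code from the original posts or from any particular rootkit checker; it assumes a Linux /proc, and the function names and the PS_BIN variable are its own.

```shell
#!/bin/sh
# Added example (not from the thread). An LKM that only filters getdents()
# hides a PID from the /proc listing (and from ps, which reads it) but not
# from a direct stat() of /proc/<pid>, so PIDs the probe finds and the
# listing lacks are candidate hidden processes. Helper names are ours.

# PIDs exposed by the directory listing of /proc (what ls and ps rely on).
pids_from_readdir() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
}

# PIDs reported by ps; point PS_BIN at a known-clean copy (e.g. from a CD).
pids_from_ps() {
    "${PS_BIN:-ps}" -e -o pid= | tr -d ' '
}

# PIDs found by probing /proc/<pid> directly, one stat() per candidate PID.
pids_by_probe() {
    i=1
    while [ "$i" -le "$1" ]; do
        [ -d "/proc/$i" ] && echo "$i"
        i=$((i + 1))
    done
}

# Print entries of list $1 absent from list $2 (newline-separated), sorted
# numerically. Pure awk, so it needs neither comm nor temporary files.
missing_from() {
    printf '%s\n--\n%s\n' "$2" "$1" |
    awk '$1 == "--" { second = 1; next }
         !second    { seen[$1] = 1; next }
         $1 != "" && !($1 in seen)' | sort -n
}

# Full scan: sh hidden_pids.sh --scan [max_pid]   (default: kernel pid_max)
scan() {
    max="${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}"
    probed=$(pids_by_probe "$max")
    echo "PIDs present but missing from /proc readdir:"
    missing_from "$probed" "$(pids_from_readdir)"
    echo "PIDs present but missing from ps:"
    missing_from "$probed" "$(pids_from_ps)"
}

case "${1:-}" in --scan) scan "$2" ;; esac
```

Processes that exit between the probe and the listing show up as false positives, so run the scan twice and only chase PIDs that appear both times. A rootkit that also hooks stat/open on /proc/<pid> defeats the probe, which is the case where Tom's advice to reboot from a CD applies.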