possible LKM rootkit infection

technomage plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 11:54:26 -0700


On Wednesday 19 June 2002 06:40 am, you wrote:
> What are the processes that are invisible?  Are any of them using a
> high/odd port number?  IE ssh on port 37337?  Any other info you can
> provide about this would also be helpful.  IE how is your system connected
> to the net?
OK, here's what I know:
ssh doesn't appear to be running on any odd port numbers (just the standard-
issue low port). chkrootkit-.35 would not specify which processes were 
invisible (will have to contact the author on that). As for the system, it is 
connected to the cable modem and is running an iptables firewall script (a big 
one) with portsentry and prelude intrusion detection in place and operating. 
The box in question is my IPMASQ/NAT/FIREWALL/gateway for the rest of the 
LAN. All other machines in the LAN check out OK (no infection or intrusion).

I've tried manually running ps and readdir and both yielded no results I can 
use. Also, on this morning's run of chkrootkit, those 4 invisible processes 
are no longer there (inactive, deactivated, or what, I don't know).

I have a copy of the log it made if you wish to peruse it.

>
> Also (curiosity on my part), what are you using for a rootkit checker?
The one available at www.chkrootkit.org.

>
> scott
>

Technomage

-- 
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
numbered!
My life is my own - No. 6
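Added example, not code from this mail or from the chkrootkit project: the cross-check that chkrootkit's chkproc performs, scripted so the mismatch can be reproduced by hand when the tool does not say which processes it found invisible. The PIDs readdir() returns for /proc, the PIDs ps reports, and the PIDs the kernel admits to when probed with kill(pid, 0) should all agree; a trojaned ps or an LKM filtering the directory listing leaves a difference. The helper names, the sample views and the thread filter are assumptions of this example; `live_check` is Linux-only and is meant to run as root.

```python
import os
import subprocess

def numeric_ids(tokens):
    """Keep the all-digit tokens: PIDs from `ps -e -o pid=` output or from a /proc listing."""
    return {int(t) for t in tokens if t.isdigit()}

def pid_exists(pid):
    """kill(pid, 0) delivers no signal: ESRCH means absent, success or EPERM means present."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def probe_pids(max_pid):
    """Ask the kernel about every PID directly, bypassing any directory listing."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}

def is_thread(pid):
    """Thread IDs also answer kill() but are never listed by readdir(/proc), chkproc's
    classic false positive; a thread's Tgid differs from its own id. Unreadable stays suspicious."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def find_hidden(proc_pids, ps_pids, probed=frozenset(), thread_filter=lambda p: False):
    """PIDs seen in one view but missing from another. Short-lived processes cause
    one-off mismatches, so repeat the run before drawing conclusions."""
    return {"in_proc_not_ps": sorted(proc_pids - ps_pids),
            "probed_not_in_proc": sorted(p for p in probed - proc_pids if not thread_filter(p))}

def live_check():
    proc = numeric_ids(os.listdir("/proc"))
    ps = numeric_ids(subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout.split())
    with open("/proc/sys/kernel/pid_max") as fh: pid_max = int(fh.read())  # up to ~4M kill() calls; a few seconds
    return find_hidden(proc, ps, probe_pids(pid_max), is_thread)

# Constructed sample views (not from the mail): 4242 is in /proc but not in ps, 5150 answers
# kill() but is absent from /proc, 5151 is a thread of a live process.
PROC_SAMPLE = ["1", "2", "self", "cpuinfo", "4242", "777"]
PS_SAMPLE = "    1\n    2\n  777\n"
PROBE_SAMPLE = {1, 2, 777, 4242, 5150, 5151}
```

A rootkit that hooks only the directory listing hides from both ps and readdir, which is why the kill() probe is the view worth keeping; run it twice a few seconds apart so processes that exited in between are not mistaken for hidden ones.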