possible LKM rootkit infection

technomage plug-discuss@lists.plug.phoenix.az.us
Sat, 22 Jun 2002 13:21:29 -0700


did that. the processes did disappear.
since that point, I have been clean (so to speak).
still, I think it's time that I simply installed a newer version of the OS.

Technomage

On Friday 21 June 2002 11:10 pm, you wrote:
> If chkrootkit says there are processes running that ps isn't showing -
> it's probably right.  Stop all services that have the possibility of
> spawning child processes quickly (apache etc) and run again.  If it
> still shows up, most likely someone has you.  The new rootkits are
> getting pretty complex in how they work, and with a trojan kernel module
> nearly anything is possible.
>
> I'd attach a sniffer to log _all_ traffic, possibly using snort to get a
> handle on it if it's a lot.
>
> I worked on a box that was hacked with suckit, one of the better LKM
> trojans.  Only real way to fix it was to format/reinstall.  RPM wasn't
> showing any problems with the procps (ps, ls etc.) rpm because the LKM
> was intercepting those calls at the kernel level.  Took a sniffer and
> several days to figure out it was owned, as the box behaved normally.
> Seems the person was using it as a jumping point, running a scan of
> random netblocks.
>
> You might have some success booting with a rescue dist (tomsbrt works
> good), and looking for some directories that shouldn't be there.  suckit
> defaults to something in /dev/(can't remember where - check phrack..48?)
>
> -dallas
>
> On Wed, 2002-06-19 at 16:15, Matt Alexander wrote:
> > It's possible that those mystery processes only ran one time and covered
> > up their activity afterwards, or maybe they run at some regular interval,
> > who knows.  Personally, I would sleep better at night after rebuilding
> > the box.  Also, I would recommend that you have different passwords for
> > different sites.  You don't want a security hole at one site completely
> > opening your boxes at another site (as was the case with you).  It's even
> > better if each box has a different password from all the others. ~M
> >
> > On Wed, 19 Jun 2002, technomage wrote:
> > > according to the "last" command, he logged in as a user on one of my
> > > accounts and was on for 6 minutes.
> > >
> > > I checked elsewhere and found that there had been no other activity
> > > (even to checking the backups of some of the history files that are
> > > made each hour).
> > >
> > > after that, I checked to make sure there weren't any outbound
> > > connections to his IP range (there weren't). I used a clean box as a
> > > sniffer for this. I then proceeded to change all system passwords and
> > > user account passwords. Then, I loaded clean versions of rpm, etc and
> > > proceeded to do a package verification. I even did md5 checksum
> > > comparisons and sig checking.
> > >
> > > I checked with a couple of folks I know in the computer security field
> > > (one of whom is currently serving duty with the US navy at their
> > > facility in southern california (the USN Naval Post Graduate School)).
> > > Given information from him (and others), I made an assumption that the
> > > intruder hadn't gotten very far into my system, and that since all
> > > passwords were changed immediately following the incident AND that the
> > > offending ip range (ns.rotind.ro) was placed in iptables as immediate
> > > drop, I saw no other incursions until yesterday evening.
> > >
> > > what I find odd is that the incursion didn't stick. said "invisible
> > > processes" that were recorded before aren't there now.
> > >
> > > just as a measure, I also made sure that my system has current patches
> > > for apache (which I do run a webserver here on port 8000) and I've
> > > tested any cgi scripts and other things using a tool called nessus.
> > >
> > > so far, after the last 12 hours, I can't seem to find any evidence that
> > > an incursion (intrusion) has taken place other than that 1 log entry
> > > written by chkrootkit that one time.
> > >
> > > so, I'm at a loss. am I trojaned or not?
> > >
> > > Technomage
> > >
> > > On Wednesday 19 June 2002 12:55 pm, you wrote:
> > > > --- technomage <technomage-hawke@cox.net> wrote:
> > > > > ok,
> > > >
> > > > <snip>
> > > >
> > > > > as a safety measure when I first found an intruder on my system
> > > > > some weeks back, I changed all passwords, ran chattr +ui on some
> > > > > specified directories
> > > >
> > > > <snip>
> > > >
> > > > Hmm.... the fact that you had an intruder is not a good sign.  Even
> > > > though you changed the passwords, etc, there may have already been
> > > > something in place that passed that info back to the intruder.  Any
> > > > idea on how long the intruder had access to your system?
> > > >
> > > > Personally, I would cut my losses - print (yes print) any config files
> > > > that you want to re-implement, wipe the box and re-install from
> > > > scratch.
> > > >
> > > > Or
> > > >
> > > > if you have the disk to spare, rebuild the system on a new disk.
> > > > Once done, mount up the old disk - don't run anything from it - and
> > > > give it a thorough going over - see if you can figure out what was
> > > > done to compromise the system.
> > > >
> > > > ________________________________________________
> > > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail
> > > > doesn't post to the list quickly and you use Netscape to write mail.
> > > >
> > > > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> > > --
> > > I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> > > numbered!
> > > My life is my own - No. 6
> >
>

-- 
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
numbered!
My life is my own - No. 6
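The check dallas describes (chkrootkit reporting processes that ps does not show, with the advice to stop fork-happy services like apache and run again) is, in simplified form, the readdir-versus-syscall comparison that chkrootkit's chkproc performs. The following is an added illustration written for this thread, not code from chkrootkit or from anyone on the list; it assumes a Linux /proc and that the rootkit hides processes by filtering the directory listing rather than every syscall.

```python
import os

PROC_ROOT = "/proc"  # assumption: a standard Linux procfs mount


def visible_pids(proc_root=PROC_ROOT):
    """PIDs that a directory listing of /proc reports; this is what ps relies on."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probe_pids(max_pid=None):
    """PIDs that answer to kill(pid, 0), whether or not readdir lists them.
    A module that filters getdents() results hides a PID from ps, but kill()
    is a separate code path, so a process hidden only from the listing still
    answers here (EPERM means it exists but is not ours, which still counts)."""
    if max_pid is None:
        try:
            with open(os.path.join(PROC_ROOT, "sys/kernel/pid_max")) as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # fallback for an unreadable pid_max
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(visible, probed):
    """PIDs found by probing but missing from the listing: candidates for review."""
    return set(probed) - set(visible)


def stable_hidden(samples):
    """Keep only PIDs flagged in every round. A child that was forked and then
    exited between the two views (the apache false positive dallas mentions)
    shows up once, not every time; a process a kernel module hides persists."""
    if not samples:
        return set()
    return set.intersection(*(set(s) for s in samples))


def scan(rounds=3, max_pid=None):
    """Run the comparison several times and report only the persistent PIDs."""
    return stable_hidden([hidden_pids(visible_pids(), probe_pids(max_pid))
                          for _ in range(rounds)])
```

A module that also hooks kill() defeats this comparison, which is why the rescue-media inspection of the mounted disk suggested earlier in the thread remains the reliable path; any PID this reports warrants a look at /proc/PID/exe from that clean environment rather than from the suspect kernel.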