Author: Tom Emerson Date: Subject: possible LKM rootkit infection
Tell more about your rootkit checker, sounds like a really handy tool!
The very few root'd *nix boxes we've handled, generally start with clean
copies of binaries such as: ps, lsof, netstat, lsattr (for linux ext2),
...
If necessary, mount a cd with the binaries you'll need, or NFS from a
shared CD. (favor CD so you're certain your binaries can't be overwritten
by a clever rootkit).
Most that I recall have been linux boxen, between a clean netstat (netstat
-pan) and sniffing around the filesystem with lsattr & ls finds most of
the little nasties. Start easy, copy a clean netstat over and have a
look-see. I have not yet seen a root-kit that really defends itself
against the sysadmin copying over a clean binary and using it to look
around.
If you suspect a stealth kernel, reboot from a cd, then hunt the
filesystem.
'course my favorite is to just slick the machine, reinstall ... sometimes
that is quicker.
Running nmap against the suspected target may show you hidden listeners.
If you wish, post the IP & whether there is a firewall, I'm sure
several on the list would be happy to sweep your box from outside your
network. (which is always a good thing to do! see if your configuration
is really doing what you think it is doing!!)
- tom e.
------------------------------------------
On Wed, 19 Jun 2002, technomage wrote:
OK, my rootkit checker spit out a line that has me concerned.
It read back checking for LKM and found 4 processes that were invisible to
both readdir and ps.
This has me a little nervous now. I need to know if I am actually infected
and if so, how bad and what I can do about it.
I need assistance ASAP here.
I can be reached via telephone at (623)849-9515 or respond directly by e-mail.
if anyone has answers for me, I'd appreciate it.
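An added example, written for this page and not taken from either message above or from anyone's rootkit checker, that scripts the cross-check both posts turn on: take the process and listening-socket views that ps and netstat give, take the same views straight from the kernel (a kill -0 probe of every PID, a direct lookup of /proc/<pid>, and the /proc/net/tcp table), and print whatever the userland tools leave out. A PID that the probe finds but readdir or ps does not is exactly the "invisible to both readdir and ps" symptom in the report. The clean-binary path /mnt/cdrom/bin, running as root, and a Linux /proc are assumptions of the script, not details from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Cross-checks what the (possibly
# trojaned) userland tools report against raw kernel views: run clean ps and
# netstat from read-only media, then compare what each view shows.
#
# Assumptions (mine, not the thread's): Linux with /proc mounted, run as root
# (so kill -0 on a live PID always succeeds), clean binaries on a CD mounted
# at CLEAN_BIN. The path is an illustration, not one from the messages.
CLEAN_BIN="${CLEAN_BIN:-/mnt/cdrom/bin}"
PATH="$CLEAN_BIN:$PATH"   # prefer the clean copies over anything on disk

# View 1: PIDs that readdir() on /proc returns (what ls and ps rely on).
pids_readdir() {
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
}

# View 2: PIDs that ps reports.
pids_ps() {
    ps -e -o pid= | tr -d ' '
}

# Tgid of a PID from /proc/<pid>/status; empty if the file cannot be read.
tgid_of() {
    awk '/^Tgid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# View 3: PIDs the kernel really has, found by probing every PID up to pid_max
# with kill -0 (delivers no signal) and a direct lookup of /proc/<pid>. Neither
# goes through readdir, so a process hidden from the directory listing still
# shows up here. kill and [ are shell builtins, so the loop does not fork;
# it is still slow on kernels with a very large pid_max.
# Caveat: with NPTL threads, /proc/<tid> resolves by direct lookup but is not
# listed by readdir, which would look like a hidden process; thread IDs are
# filtered out by requiring Tgid == pid. A PID whose status file is
# unreadable is kept, since hiding it is suspicious in itself.
pids_probe() {
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    pid=1
    while [ "$pid" -le "$max" ]; do
        if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
            tg=$(tgid_of "$pid")
            if [ -z "$tg" ] || [ "$tg" = "$pid" ]; then echo "$pid"; fi
        fi
        pid=$((pid + 1))
    done
}

# Lines present in file $2 but absent from file $1 (whole-line, fixed-string).
# With an empty reference file everything in $2 counts as hidden.
hidden_entries() {
    if [ -s "$1" ]; then grep -vxF -f "$1" "$2" || true; else cat "$2"; fi
}

# Listening TCP ports straight from the kernel table. Takes the table as a
# file so it can also be run over a saved copy of /proc/net/tcp. Column 4 is
# the socket state (0A = LISTEN); the local port is the hex field after the
# colon in column 2.
listen_ports_from_table() {
    awk '$4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
        while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# Listening TCP ports as netstat reports them (same shape as the view above).
listen_ports_netstat() {
    netstat -tln 2>/dev/null |
        awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

report() {
    tmp=$(mktemp -d)
    pids_readdir > "$tmp/readdir"
    pids_ps      > "$tmp/ps"
    pids_probe   > "$tmp/probe"
    echo "PIDs alive but missing from readdir(/proc):"
    hidden_entries "$tmp/readdir" "$tmp/probe"
    echo "PIDs alive but missing from ps:"
    hidden_entries "$tmp/ps" "$tmp/probe"
    listen_ports_from_table /proc/net/tcp > "$tmp/kernel_ports"
    listen_ports_netstat                  > "$tmp/netstat_ports"
    echo "Listening TCP ports missing from netstat -tln:"
    hidden_entries "$tmp/netstat_ports" "$tmp/kernel_ports"
    rm -rf "$tmp"
}

# Run the live checks only when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then report; fi
```

Run it as root with the CD mounted (sh check.sh run) and follow up on anything in the "missing" lists with the clean lsof. An empty list is not proof of a clean kernel: an LKM that hooks the system calls behind kill, stat and /proc lies to every view taken on the live box, which is why the reboot-from-CD step is the one that settles it.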