possible LKM rootkit infection

Author: Logan Kennelly
Date:  
Subject: possible LKM rootkit infection
On Wednesday 19 June 2002 07:59 am, Matt Alexander wrote:
> It's possible that the "lsof" command wasn't trojaned, since most root
> kits don't check for it. Try "lsof -ni" and see if there's any
> difference between "netstat -lp". If so, copy over a new "ps" and "ls"
> and "netstat" from another machine that you know hasn't been compromised
> (a fresh install is best, and make sure it's the same arch/distro). If
> lsof shows an unusual port, check to see what program is running in the
> far left column. Locate that program and run "strings" on it to get more
> info. This should get you started. Keep us updated on what you find.


I see a lot of advice on modified programs, but it may be worse than that.
There was a presentation at DefCon last year where a kernel module was
introduced that hid connections, files, processes, itself, and whatever
else you chose. Of course you could replace any binaries with those you
wanted, but programs like Tripwire won't detect any change in files. Thus,
unless you logged on as a special user (which didn't exist, by the way),
you could be clueless. Fortunately, if you install this kernel module
yourself, then it can defeat any of the other installations.

The name of this system was KIS: Kernel Intrusion System, but I can't seem
to find their homepage. Your best bet to see if this is the case would be
to portscan yourself and run netstat (probably a clean copy, but it doesn't
have to be). If there is a discrepancy between the two reports, I would
consider it a very real possibility. The cure should be simple: replace
/sbin/init with a clean copy.

Good luck!

-- 
                        Logan Kennelly
      ,,,
     (. .)
--ooO-(_)-Ooo--
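The check Logan proposes (port-scan the box from another machine and compare the result with what netstat on the box itself reports) as an added example. This is not code from the original thread or from the KIS project; the nmap and netstat outputs below are constructed samples, and the address 192.0.2.10 and the port 31337 are hypothetical. The point worth keeping in mind: only ports the scanner sees that the host denies are suspicious, because the reverse (a listener in netstat that the scanner cannot reach) is explained by loopback-only binds or a packet filter. The scan must run from the second, trusted machine, since a scan from the suspect host goes through the very kernel that may be lying.

```python
"""Cross-check an external port scan against the host's own socket table.

Added example, not part of the original post. Sample outputs below are
constructed; the IP address and ports are hypothetical.
"""
import re
import shutil
import socket
import subprocess
from typing import Iterable, Set

# Constructed: `nmap -sS -p- -oG -` run from a second, trusted machine
# against the suspect host. Port 31337 is the planted finding.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed: `netstat -lnt` as printed on the suspect host itself.
# A kernel-level hider would simply omit the 31337 row here.
NETSTAT_LISTEN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

_NMAP_OPEN = re.compile(r"(\d+)/open/tcp")


def parse_nmap_open_ports(grepable: str) -> Set[int]:
    """Open TCP ports from nmap -oG (grepable) output."""
    return {int(p) for p in _NMAP_OPEN.findall(grepable)}


def parse_listening_ports(table: str) -> Set[int]:
    """Listening TCP ports from `netstat -lnt` or `ss -lnt` output.

    Both tools put the local address in the fourth column and the port
    after the last colon (works for 0.0.0.0:22, *:22, :::22 and [::]:22).
    """
    ports = set()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in fields:
            continue
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def hidden_ports(scanned: Iterable[int], local: Iterable[int]) -> Set[int]:
    """Ports the scanner reaches that the host claims not to listen on.

    Only this direction is suspicious; listening locally but absent from
    the scan is explained by loopback-only binds or a firewall.
    """
    return set(scanned) - set(local)


def connect_scan(ports: Iterable[int], host: str, timeout: float = 0.2) -> Set[int]:
    """Plain TCP connect scan. Run it from the trusted machine, not from
    the suspect host, whose kernel is the thing under test."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def local_listening_ports() -> Set[int]:
    """Ask this host what it believes it is listening on (ss, else netstat)."""
    for cmd in (["ss", "-lnt"], ["netstat", "-lnt"]):
        if shutil.which(cmd[0]):
            out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
            return parse_listening_ports(out)
    return set()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    scanned = parse_nmap_open_ports(NMAP_GREPABLE)
    claimed = parse_listening_ports(NETSTAT_LISTEN)
    print("scanner sees:", sorted(scanned))
    print("host claims :", sorted(claimed))
    print("hidden      :", sorted(hidden_ports(scanned, claimed)))
```

In real use, paste the grepable nmap output from the scanning machine into parse_nmap_open_ports (or feed connect_scan a port range and the suspect host's address from that machine), call local_listening_ports on the suspect host, and feed both sets to hidden_ports. An empty result does not prove a clean kernel; a non-empty one is the discrepancy the post describes.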