possible LKM rootkit infection

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Matt Alexander
Date:  
Subject: possible LKM rootkit infection
You said you found an intruder on your box a few weeks back. Do you know
how they got in?


On Wed, 19 Jun 2002, technomage wrote:

> ok,
> done all of this (even written them to a text file for later review). so far,
> I don't see anything unusual. I have a couple of non-standard (installed
> myself) servers running here (ircd and opennap) and I know which ports those
> are on. everything else appears to be as normal (including their port
> assignmanets).
>
> I'vew also verified all packages on the "infected" machine and found no
> discrepencies that wouldn't be accounted for (some conf files were changed,
> but those I already know about as I was the one that modified them).
> everything else checks out.
>
> as a safety measure when I first found an intruder on my system some weeks
> back, I changed all passwords, ran chattr +ui on some specified directories
> (/bin, /sbin, /usr/bin, /usr/bin/X11R6, /usr/sbin) to make sure the files
> couldn't be modified without my knowing about it (this at the suggestion of
> tom perry). I checked the package verification against a log of the last time
> I did so,. which was 4 weeks ago) and noted only minor changes (mostly in
> some logs and 1 or 2 conf files that I know about).
>
> The kernel on this box does not have modules support (not needed as this is a
> gateway box for my lan and I only needed certain items (such as the devices
> on board and iptables) compiled in. this was specifically to prevent the
> introduction of "hijacked" modules.
>
> as it is, I was thinking ahead security wise when I placed this unit online.
>
> anything else I should be doing?
>
> Technomage
>
> On Wednesday 19 June 2002 07:59 am, you wrote:
> > It's possible that the "lsof" command wasn't trojaned, since most root
> > kits don't check for it. Try "lsof -ni" and see if there's any difference
> > between "netstat -lp". If so, copy over a new "ps" and "ls" and "netstat"
> > from another machine that you know hasn't been compromised (a fresh install
> > is best, and make sure it's the same arch/distro). If lsof shows an
> > unusual port, check to see what program is running in the far left column.
> > Locate that program and run "strings" on it to get more info. This should
> > get you started. Keep us updated on what you find.
> > Thanks,
> > ~M
> >
> --
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list -
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>