possible LKM rootkit infection

Logan Kennelly plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 09:51:23 -0700



On Wednesday 19 June 2002 07:59 am, Matt Alexander wrote:
> It's possible that the "lsof" command wasn't trojaned, since most root
> kits don't check for it.  Try "lsof -ni" and see if there's any
> difference between "netstat -lp".  If so, copy over a new "ps" and "ls"
> and "netstat" from another machine that you know hasn't been compromised
> (a fresh install is best, and make sure it's the same arch/distro).  If
> lsof shows an unusual port, check to see what program is running in the
> far left column. Locate that program and run "strings" on it to get more
> info.  This should get you started.  Keep us updated on what you find.

I see a lot of advice on modified programs, but it may be worse than that.  
There was a presentation at DefCon last year where a kernel module was 
introduced that hid connections, files, processes, itself, and whatever 
else you chose.  Of course you could replace any binaries with those you 
wanted, but programs like Tripwire won't detect any change in files.  Thus, 
unless you logged on as a special user (which didn't exist, by the way), 
then you could be clueless.  Fortunately, if you install this kernel module 
yourself, then it can defeat any of the other installations.

The name of this system was KIS: Kernel Intrusion System, but I can't seem 
to find their homepage.  Your best bet to see if this is the case would be 
to portscan yourself and run netstat (probably a clean copy, but it doesn't 
have to be).  If there is a discrepancy between the two reports, I would 
consider it a very real possibility.  The cure should be simple: replace 
/sbin/init with a clean copy.

Good luck!

-- 
						Logan Kennelly
      ,,,
     (. .)
--ooO-(_)-Ooo--
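An offline illustration of the discrepancy check both messages describe: parse what local tools (netstat -lp, lsof -ni) claim is listening, and compare that against what an external port scan of the host actually finds. This is example code added here, not from the list thread; the netstat, lsof and scan results are constructed samples, and the parsers assume the classic Linux netstat/lsof column layouts shown.

```python
import re

# Constructed sample of `netstat -lnp` on a host where a kernel module hides
# one listener from the local view.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
"""

# Constructed sample of `lsof -ni` on the same host.
LSOF_SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      812 root    3u  IPv4   1234       TCP *:22 (LISTEN)
sendmail  901 root    4u  IPv4   1240       TCP 127.0.0.1:25 (LISTEN)
"""

# Constructed result of scanning the host from another machine: open TCP ports.
SCAN_OPEN_PORTS = {22, 25, 5555}


def listeners_from_netstat(text):
    """Return {port: 'PID/program'} for LISTEN rows of `netstat -lnp` output."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        # tcp rows with -p have 7 columns; the State column is index 5.
        if len(fields) >= 7 and fields[5] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])
            result[port] = fields[6]
    return result


def listeners_from_lsof(text):
    """Return {port: command} for LISTEN rows of `lsof -ni` output."""
    result = {}
    for line in text.splitlines():
        m = re.search(r"TCP \S*:(\d+) \(LISTEN\)", line)
        if m:
            result[int(m.group(1))] = line.split()[0]
    return result


def tool_disagreement(view_a, view_b):
    """Ports reported by one local tool but not the other (trojaned binary)."""
    return sorted(set(view_a) ^ set(view_b))


def hidden_ports(scan_ports, *local_views):
    """Ports open from outside yet absent from every local tool's view."""
    seen = set()
    for view in local_views:
        seen |= set(view)
    return sorted(scan_ports - seen)
```

A port that appears in the scan but in none of the local views, with the tools agreeing with each other, is the kernel-level hiding case the reply warns about; a port that only one tool reports points at a replaced userland binary instead.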