possible LKM rootkit infection
technomage
plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 12:10:26 -0700
ok,
done all of this (even written them to a text file for later review). so far,
I don't see anything unusual. I have a couple of non-standard (installed
myself) servers running here (ircd and opennap) and I know which ports those
are on. everything else appears to be as normal (including their port
assignments).
I've also verified all packages on the "infected" machine and found no
discrepancies that wouldn't be accounted for (some conf files were changed,
but those I already know about as I was the one that modified them).
everything else checks out.
as a safety measure when I first found an intruder on my system some weeks
back, I changed all passwords, ran chattr +ui on some specified directories
(/bin, /sbin, /usr/bin, /usr/bin/X11R6, /usr/sbin) to make sure the files
couldn't be modified without my knowing about it (this at the suggestion of
Tom Perry). I checked the package verification against a log of the last time
I did so (which was 4 weeks ago) and noted only minor changes (mostly in
some logs and 1 or 2 conf files that I know about).
The kernel on this box does not have module support (not needed, as this is a
gateway box for my LAN and I only needed certain items (such as the devices
on board and iptables) compiled in). this was specifically to prevent the
introduction of "hijacked" modules.
as it is, I was thinking ahead security wise when I placed this unit online.
anything else I should be doing?
Technomage
On Wednesday 19 June 2002 07:59 am, you wrote:
> It's possible that the "lsof" command wasn't trojaned, since most root
> kits don't check for it. Try "lsof -ni" and see if there's any difference
> between it and "netstat -lp". If so, copy over a new "ps" and "ls" and "netstat"
> from another machine that you know hasn't been compromised (a fresh install
> is best, and make sure it's the same arch/distro). If lsof shows an
> unusual port, check to see what program is running in the far left column.
> Locate that program and run "strings" on it to get more info. This should
> get you started. Keep us updated on what you find.
> Thanks,
> ~M
>
--
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
numbered!
My life is my own - No. 6
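The cross-check ~M suggests in the quoted reply (compare what lsof reports against what netstat reports, and treat a listener that only one of them shows as suspicious) can be scripted so it is repeatable. The following is an added example written for this thread, not code from either poster; the lsof and netstat output embedded in it is constructed sample data, and it assumes the numeric flags (lsof -nP -i, netstat -lnp) so that ports compare as numbers rather than service names.

```sh
#!/bin/sh
# Constructed sample of "lsof -nP -i" output (not captured from the machine in the thread).
# The third listener is the kind of discrepancy the check is meant to surface.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      412 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
ircd      801 ircd    6u  IPv4   2345      0t0  TCP *:6667 (LISTEN)
opennap   902 nap     4u  IPv4   3456      0t0  TCP *:8888 (LISTEN)'

# Constructed sample of "netstat -lnp" output from the same (hypothetical) host.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      801/ircd'

# Print "proto/port" for every LISTEN socket in lsof -nP -i output.
# Field 8 is the NODE column (TCP/UDP), field 9 is the local address (e.g. "*:22").
lsof_listen_ports() {
    printf '%s\n' "$1" |
        awk '/\(LISTEN\)/ { n = split($9, a, ":"); print tolower($8) "/" a[n] }' |
        sort -u
}

# Print "proto/port" for every line of netstat -lnp output.
# Field 1 is the protocol (tcp/tcp6/udp), field 4 the local address; the
# trailing 6 is dropped so IPv4 and IPv6 listeners compare on the same key.
netstat_listen_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^(tcp|udp)/ { sub(/6$/, "", $1); n = split($4, a, ":"); print $1 "/" a[n] }' |
        sort -u
}

# Ports that lsof sees but netstat does not. On a box with a trojaned netstat
# (or a hidden process) this list is where the hidden listener shows up;
# on a clean box it is empty.
hidden_from_netstat() {
    l=$(lsof_listen_ports "$1")
    n=$(netstat_listen_ports "$2")
    n_flat=" $(printf '%s' "$n" | tr '\n' ' ') "
    for p in $l; do
        case "$n_flat" in
            *" $p "*) ;;                 # present in both tools: consistent
            *) printf '%s\n' "$p" ;;     # only lsof reports it: investigate the PID
        esac
    done
}

# Run against the constructed samples. On a live system replace the two
# arguments with "$(lsof -nP -i)" and "$(netstat -lnp)" (both need root to
# attribute every socket to a process).
echo "listeners reported by lsof but not by netstat:"
hidden_from_netstat "$LSOF_SAMPLE" "$NETSTAT_SAMPLE"
```

Anything the script prints is a port to follow up on exactly as the quoted reply describes: read the PID and COMMAND columns from the lsof line, locate the binary, and compare it against a known-good copy. An empty result does not clear the machine; it only means the two tools agree, which is why the reply also recommends running binaries copied from an uncompromised host of the same arch and distro.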