possible LKM rootkit infection

technomage plug-discuss@lists.plug.phoenix.az.us
Wed, 19 Jun 2002 12:10:26 -0700


ok,
done all of this (even written them to a text file for later review). So far, 
I don't see anything unusual. I have a couple of non-standard (installed 
myself) servers running here (ircd and opennap) and I know which ports those 
are on. Everything else appears to be as normal (including their port 
assignments).

I've also verified all packages on the "infected" machine and found no 
discrepancies that wouldn't be accounted for (some conf files were changed, 
but those I already know about as I was the one that modified them). 
Everything else checks out.

As a safety measure when I first found an intruder on my system some weeks 
back, I changed all passwords, ran chattr +ui on some specified directories 
(/bin, /sbin, /usr/bin, /usr/bin/X11R6, /usr/sbin) to make sure the files 
couldn't be modified without my knowing about it (this at the suggestion of 
Tom Perry). I checked the package verification against a log of the last time 
I did so (which was 4 weeks ago) and noted only minor changes (mostly in 
some logs and 1 or 2 conf files that I know about).

The kernel on this box does not have module support (not needed, as this is a 
gateway box for my LAN and I only needed certain items (such as the devices 
on board and iptables) compiled in). This was specifically to prevent the 
introduction of "hijacked" modules.

As it is, I was thinking ahead security-wise when I placed this unit online.

Anything else I should be doing?

Technomage

On Wednesday 19 June 2002 07:59 am, you wrote:
> It's possible that the "lsof" command wasn't trojaned, since most root
> kits don't check for it.  Try "lsof -ni" and see if there's any difference
> between "netstat -lp".  If so, copy over a new "ps" and "ls" and "netstat"
> from another machine that you know hasn't been compromised (a fresh install
> is best, and make sure it's the same arch/distro).  If lsof shows an
> unusual port, check to see what program is running in the far left column.
> Locate that program and run "strings" on it to get more info.  This should
> get you started.  Keep us updated on what you find.
> Thanks,
> ~M
>
-- 
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
numbered!
My life is my own - No. 6