possible LKM rootkit infection

Dallas Helquist plug-discuss@lists.plug.phoenix.az.us
22 Jun 2002 00:10:29 -0600


If chkrootkit says there are processes running that ps isn't showing -
it's probably right.  Stop all services that have the possibility of
spawning child processes quickly (apache etc) and run again.  If it
still shows up, most likely someone has you.  The new rootkits are
getting pretty complex in how they work, and with a trojan kernel module
nearly anything is possible.

I'd attach a sniffer to log _all_ traffic, possibly using snort to get a
handle on it if it's a lot.  

I worked on a box that was hacked with suckit, one of the better LKM
trojans.  Only real way to fix it was to format/reinstall.  RPM wasn't
showing any problems with the procps (ps, ls etc.) rpm because the LKM
was intercepting those calls at the kernel level.  Took a sniffer and
several days to figure out it was owned, as the box behaved normally. 
Seems the person was using it as a jumping point, running a scan of
random netblocks.

You might have some success booting with a rescue dist (tomsbrt works
well), and looking for some directories that shouldn't be there.  suckit
defaults to something in /dev/ (can't remember where - check phrack..48?)

-dallas
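An added illustration of the cross-check that produces chkrootkit's "hidden process" warning, written for this thread and not code from the original post or from chkrootkit itself: it takes the kernel's own view of live PIDs (a readdir() of /proc, plus stat()-probing every /proc/<n> up to pid_max, since a module that filters the directory listing may still answer an exact path) and subtracts what the possibly trojaned ps admits to. It repeats the comparison and only reports PIDs hidden in every pass, which is the same idea as stopping apache before rerunning: short-lived children drop out. It assumes Linux with /proc mounted and a ps in PATH; the function names are mine.

```python
#!/usr/bin/env python3
"""Hidden-process cross-check in the spirit of chkrootkit's chkproc:
compare the PIDs the kernel exposes through /proc with the PIDs that
ps reports. Anything the kernel knows about but ps does not is a
candidate hidden process. Linux only (needs /proc)."""
import os
import subprocess


def hidden_pids(kernel_pids, ps_pids, ignore=()):
    """Pure comparison step: PIDs present in the kernel view but absent
    from the ps view, minus PIDs we expect to differ (our own probe)."""
    return sorted((set(kernel_pids) - set(ps_pids)) - set(ignore))


def parse_ps_pids(text):
    """Turn `ps -eo pid=` output (one PID per line, possibly padded)
    into a set of ints; non-numeric tokens such as a header are skipped."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_ps():
    """User-space view: whatever the (possibly trojaned) ps binary admits to."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def pids_from_proc_listing():
    """Kernel view #1: numeric entries in a readdir() of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probing(max_pid=None):
    """Kernel view #2: stat() /proc/<n> for every n up to pid_max.
    A module that filters the /proc directory listing may still answer
    for the hidden entry when it is opened by exact path."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read().strip())
    found = set()
    for n in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{n}")
        except FileNotFoundError:
            continue
        except PermissionError:
            pass          # entry exists, it is just not ours to read
        found.add(n)
    return found


def stable_hidden(passes=3, probe=True):
    """Live check. A PID must be hidden in every pass to be reported, so
    children that fork and exit between the two snapshots (apache CGI,
    cron jobs) drop out. What remains is a lead worth a sniffer and a
    rescue-disk look, not proof on its own: a thorough LKM can filter
    stat() as well as readdir()."""
    result = None
    for _ in range(passes):
        kernel = pids_from_proc_listing()
        if probe:
            kernel |= pids_by_probing()
        ps = pids_from_ps()
        current = set(hidden_pids(kernel, ps, ignore={os.getpid()}))
        result = current if result is None else result & current
    return sorted(result)


if __name__ == "__main__":
    hidden = stable_hidden()
    print("hidden PIDs:", hidden if hidden else "none")
```

Run it as root from a clean shell after stopping the busy daemons; an empty result from this check combined with a quiet sniffer on a separate box is about as much assurance as you get without pulling the disk.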



On Wed, 2002-06-19 at 16:15, Matt Alexander wrote:
> It's possible that those mystery processes only ran one time and covered
> up their activity afterwards, or maybe they run at some regular interval,
> who knows.  Personally, I would sleep better at night after rebuilding the
> box.  Also, I would recommend that you have different passwords for
> different sites.  You don't want a security hole at one site completely
> opening your boxes at another site (as was the case with you).  It's even
> better if each box has a different password from all the others.
> ~M
> 
> 
> On Wed, 19 Jun 2002, technomage wrote:
> 
> > according to the "last" command, he logged in as a user on one of my accounts
> > and was on for 6 minutes.
> >
> > I checked elsewhere and found that there had been no other activity (even to
> > checking the backups of some of the history files that are made each hour).
> >
> > after that, I checked to make sure there weren't any outbound connections to
> > his IP range (there weren't). I used a clean box as a sniffer for this. I
> > then proceeded to change all system passwords and user account passwords.
> > Then, I loaded clean versions of rpm, etc and proceeded to do a package
> > verification. I even did md5 checksum comparisons and sig checking.
> >
> > I checked with a couple of folks I know in the computer security field (one
> > of whom is currently serving duty with the US Navy at their facility in
> > southern California (the USN Naval Postgraduate School). Given information
> > from him (and others), I made an assumption that the intruder hadn't gotten
> > very far into my system, and that since all passwords were changed
> > immediately following the incident AND that the offending IP range
> > (ns.rotind.ro) was placed in iptables as immediate drop, I saw no other
> > incursions until yesterday evening.
> >
> > what I find odd is that the incursion didn't stick. said "invisible
> > processes" that were recorded before aren't there now.
> >
> > just as a measure, I also made sure that my system has current patches for
> > apache (which I do run a webserver here on port 8000) and I've tested any cgi
> > scripts and other things using a tool called nessus.
> >
> > so far, after the last 12 hours, I can't seem to find any evidence that an
> > incursion (intrusion) has taken place other than that 1 log entry written by
> > chkrootkit that one time.
> >
> > so, I'm at a loss. am I trojaned or not?
> >
> > Technomage
> >
> > On Wednesday 19 June 2002 12:55 pm, you wrote:
> > > --- technomage <technomage-hawke@cox.net> wrote:
> > > > ok,
> > >
> > > <snip>
> > >
> > > > as a safety measure when I first found an intruder on my system some
> > > > weeks back, I changed all passwords, ran chattr +ui on some specified
> > > > directories
> > >
> > > <snip>
> > >
> > > Hmm.... the fact that you had an intruder is not a good sign.  Even though
> > > you changed the passwords, etc, there may have already been something in
> > > place that passed that info back to the intruder.  Any idea on how long the
> > > intruder had access to your system?
> > >
> > > Personally, I would cut my losses - print (yes print) any config files that
> > > you want to re-implement, wipe the box and re-install from scratch.
> > >
> > > Or
> > >
> > > if you have the disk to spare, rebuild the system on a new disk.  Once
> > > done, mount up the old disk - don't run anything from it - and give it a
> > > thorough going over - see if you can figure out what was done to compromise
> > > the system.
> > >
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > > post to the list quickly and you use Netscape to write mail.
> > >
> > > PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> > --
> > I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> > numbered!
> > My life is my own - No. 6
> >
> 