lkm trojan

Date: Sat, 07 Feb 2004 10:35:20 +0100
To: debian-user <debian-user@lists.debian.org>

    Hi,

    Further to my 4 hidden processes: "ps" finds exactly 4 processes with
    PID 0!
    See the script file below.
    I later found out that "top" numbers these processes as 3, 4, 5 & 6, in
    the same sequence.
    The names of the processes

    I find this hard to understand:

    Does "LKM trojan" and the 0s mean that these 4 are sabotaged Loadable
    Kernel Modules?
    Can I just compare/recopy these?
    I do have another healthy Sarge system, both with kernel 2.4.22.
    Or will the (LKM) trojan then recopy its own version later?

    And/or does "hidden from ps" mean that /usr/bin/ps has been doctored?
    And should I compare/recopy this one?
    The last process nevertheless claims to be my "ps aux" command itself.
    All Cretans lie, said the Cretan ;-).

    Or perhaps this is all a rather innocent bug in "ps".

    Could the intrusion be that XMMS launched a naughty .mp3 that I
    downloaded myself?
    Even though XMMS does not run as root?

    In the meantime I reinstalled one compromised PC, but kept this one for
    learning, ran bastille, improved my password habits, turned off WAN ping
    replies from my router, am turning off this hardware router when not
    using the internet (24/7 on before), installed sxid, temporarily tried
    out some other anti-intrusion packages you all recommended (thanks) and
    deinstalled anything "server" that I can do without.
    Anyway, since Feb 1 no new (log?) deletion(s), of which there were
    several before.

    If I need to reinstall I might try out kernel 2.6 first.
    That even may shake out malignant modules. Two birds with one stone ;-).

    Any more advice or comment?

    Regards, Boudewijn

    Script started on Sat 07 Feb 2004 08:08:07 CET
    ijbd@fuji:~$ su
    Password:
    root@fuji:/home/ijbd# chkrootkit -q

    /usr/lib/nessus/plugins/.desc
    /usr/lib/nessus/plugins/.desc
    You have 4 process hidden for ps command
    Warning: Possible LKM Trojan installed
    1 deletion(s) between Sun Feb 1 19:22:59 2004 and Sun Feb 1 20:21:54 2004
    root@fuji:/home/ijbd# ps aux
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.1 0.0 76 76 ? S 06:47 0:08 init [5]
    root 2 0.0 0.0 0 0 ? SW 06:47 0:00 [keventd]
    root 0 0.0 0.0 0 0 ? SWN 06:47 0:00 [ksoftirqd_CPU0]
    root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kswapd]
    root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [bdflush]
    root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kupdated]
    root 8 0.0 0.0 0 0 ? SW 06:47 0:00 [kreiserfsd]
    root 71 0.0 0.0 0 0 ? SW 06:48 0:00 [kapmd]
    root 75 0.0 0.0 0 0 ? SW 06:48 0:00 [khubd]
    root 263 0.0 0.1 1728 752 ? S 06:48 0:00 pump -i eth0
    root 265 0.0 0.0 0 0 ? SW 06:48 0:00 [eth0]
    daemon 269 0.0 0.1 1708 604 ? S 06:48 0:00 /sbin/portmap

    etc, etc,,,,,,,,,,

    root 7286 0.0 0.1 2472 820 pts/1 R 08:09 0:00 ps aux
    root@fuji:/home/ijbd# exit
    ijbd@fuji:~$
    Script done on Sat 07 Feb 2004 08:09:12 CET
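Added example (not from the post, and not chkrootkit's own code): the kind of cross-check that chkrootkit's "hidden for ps" test performs, written for Python 3 on Linux. It parses `ps aux`, lists /proc, and probes kill(pid, 0) for every PID up to pid_max (a rootkit that filters readdir() on /proc does not usually stop kill() from answering), then reports PIDs that are alive but absent from ps. Two things a practitioner wants such a check to handle are built in: rows that ps prints with PID 0 cannot be matched to any /proc entry, so they are counted separately instead of being treated as hidden; and a thread ID whose Tgid (from /proc/<pid>/status) belongs to a listed process is a thread rather than a hidden process, a common source of false alarms on kernels that keep thread IDs out of the /proc listing. The comparison is one-directional because ps itself has exited by the time /proc is read. The sample ps output below is constructed from the one in the post; the "alive" set, the thread PID 1337 and its Tgid 263 are assumptions made for illustration.

```python
"""Cross-check the process list three ways (added example, not chkrootkit):
  1. PIDs that `ps aux` prints,
  2. PIDs present as numeric directories under /proc,
  3. PIDs that answer kill(pid, 0) when every PID up to pid_max is probed.
A PID alive by 2 or 3 but missing from 1 is "hidden for ps"."""
import os
import re
import subprocess

# "USER PID ..." rows: the PID is the second whitespace-separated field.
PS_ROW = re.compile(r"^\S+\s+(\d+)\s")


def parse_ps_pids(ps_text):
    """Return (set of PIDs listed, number of rows claiming PID 0)."""
    pids, zero_rows = set(), 0
    for row in ps_text.splitlines()[1:]:      # skip the header row
        m = PS_ROW.match(row)
        if not m:
            continue
        pid = int(m.group(1))
        if pid == 0:
            zero_rows += 1                     # cannot be matched; report only
        else:
            pids.add(pid)
    return pids, zero_rows


def proc_pids():
    """PIDs visible via readdir() on /proc, the view a rootkit usually filters."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_pid(pid):
    """True if a process with this PID exists, whether or not we may signal it."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                            # exists, owned by someone else


def bruteforce_pids(max_pid):
    """Existence check for every PID, independent of the /proc listing."""
    return {pid for pid in range(1, max_pid + 1) if probe_pid(pid)}


def tgid_of(pid):
    """Thread-group leader from /proc/<pid>/status; pid itself if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid


def hidden_pids(alive, ps_seen, tgid_lookup=lambda pid: pid):
    """Alive PIDs that ps did not list, minus threads of listed processes."""
    return [pid for pid in sorted(alive - ps_seen)
            if tgid_lookup(pid) not in ps_seen]


def check_live():
    """Run the cross-check on this machine: (hidden PIDs, rows with PID 0)."""
    ps_text = subprocess.run(["ps", "aux"], capture_output=True,
                             text=True, check=True).stdout
    ps_seen, zero_rows = parse_ps_pids(ps_text)
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    alive = proc_pids() | bruteforce_pids(max_pid)
    return hidden_pids(alive, ps_seen, tgid_of), zero_rows


# Constructed sample modelled on the `ps aux` output in the post above
# (four kernel threads printed with PID 0; 7286 is the ps command itself).
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 76 76 ? S 06:47 0:08 init [5]
root 2 0.0 0.0 0 0 ? SW 06:47 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 06:47 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kswapd]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [bdflush]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 06:47 0:00 [kreiserfsd]
root 263 0.0 0.1 1728 752 ? S 06:48 0:00 pump -i eth0
daemon 269 0.0 0.1 1708 604 ? S 06:48 0:00 /sbin/portmap
root 7286 0.0 0.1 2472 820 pts/1 R 08:09 0:00 ps aux
"""
# Assumed "alive" set for that box: 3-6 are the four threads ps showed as
# PID 0 (top numbers them so, per the post), 1337 is an assumed thread of
# PID 263 (Tgid 263), and 7286 is gone because ps has already exited.
SAMPLE_ALIVE = {1, 2, 3, 4, 5, 6, 8, 263, 269, 1337}
SAMPLE_TGID = {1337: 263}


def demo():
    """Cross-check the constructed sample; returns ([3, 4, 5, 6], 4)."""
    ps_seen, zero_rows = parse_ps_pids(SAMPLE_PS)
    return hidden_pids(SAMPLE_ALIVE, ps_seen,
                       lambda pid: SAMPLE_TGID.get(pid, pid)), zero_rows


if __name__ == "__main__":
    print("sample:", demo())
    if os.path.isdir("/proc"):
        print("live:  ", check_live())
```

Run it as root so that kill(pid, 0) is answered for every process; as an unprivileged user EPERM is still treated as "exists". Anything that starts between the ps run and the /proc walk shows up as alive-but-unlisted, so confirm a hit by rerunning and by reading /proc/<pid>/status, exe and cmdline before concluding that ps or the kernel is lying. The check only says whether the three views agree; deciding which of them is tampered with takes a known-good ps binary or a boot from rescue media.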

    
