chkroot warning - a discussion within the Linux Security forums, part of the System Security and Security Related category.

Hi all, I've got the following warning in chkroot. Could someone please let
me know what it means and what should be my next step:

[snip]
Checking `lkm'... You have 11 process hidden for readdir command
You have 11 process hidden for ps command
Warning: Possible LKM Trojan installed
[snip]

Thanks
suse9.1

On Fri, 06 Aug 2004 00:59:17 GMT, rsina wrote:

> Hi all, I've got the following warning in chkroot. Could someone please let
> me know what it means and what should be my next step:
>
> [snip]
> Checking `lkm'... You have 11 process hidden for readdir command
> You have 11 process hidden for ps command
> Warning: Possible LKM Trojan installed

Running mozilla/firefox/thunderbird in other windows perhaps.

If SuSE uses an rpm database, you might run

  rpm -Va | grep '..5' > /tmp/verify

and see if you have bin/ file changes.

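The `rpm -Va | grep '..5'` check above matches any verify line whose third flag column is `5`, the digest mismatch. The following Python script is an added example for this thread, not chkrootkit's or rpm's own code. It parses `rpm -Va` output (the constructed SAMPLE lines stand in for a real run when rpm is not installed) and separates changed binaries and libraries, which should never drift, from changed config files and missing files, which usually have an innocent explanation:

```python
"""Triage rpm -Va output for changed packaged files.

Added example for this thread (not chkrootkit's or rpm's own code). It
parses the lines rpm -Va prints and picks out digest mismatches, i.e. the
'5' in the third flag column that the thread's `rpm -Va | grep '..5'`
pipeline matches, keeping config files (type 'c') apart from binaries and
libraries, which have no business changing between package updates.
"""
import re
import subprocess
import sys

# One rpm -Va line: 8 flag columns (9 with the newer P column) or the word
# "missing", an optional file-type letter (c = config, d = doc, ...), then the path.
# Flag columns: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)

# Constructed sample of rpm -Va output (not real output from the poster's box).
SAMPLE = """\
S.5....T  c /etc/ssh/sshd_config
..5....T    /bin/ls
.......T    /usr/bin/vim
missing     /usr/lib/libexample.so.1
S.5....T    /sbin/ifconfig
"""


def parse_line(line):
    """Return a dict describing one verify line, or None for lines that are not one."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags = m.group("flags")
    return {
        "path": m.group("path"),
        "config": m.group("ftype") == "c",
        "missing": flags == "missing",
        # Third column is the digest (MD5 on 2004-era rpm); '?' means it was not tested.
        "digest_changed": flags != "missing" and flags[2] == "5",
    }


def triage(lines):
    """Bucket verify lines: changed non-config files, changed configs, missing files."""
    report = {"binaries": [], "config": [], "missing": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["missing"]:
            report["missing"].append(entry["path"])
        elif entry["digest_changed"]:
            report["config" if entry["config"] else "binaries"].append(entry["path"])
    return report


def main():
    try:
        out = subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        print("rpm not found; triaging the constructed SAMPLE instead", file=sys.stderr)
        out = SAMPLE
    report = triage(out.splitlines())
    for bucket, paths in report.items():
        print(f"{bucket}: {len(paths)}")
        for path in paths:
            print("  " + path)
    # A changed binary is a lead, not proof: compare it against a pristine copy
    # of the package (rpm -Vp on the original .rpm, or a reinstall from trusted
    # media) before deciding; prelink and legitimate updates also alter digests.


if __name__ == "__main__":
    main()
```

The "binaries" bucket is the one the poster was after: anything under /bin, /sbin or the library directories whose digest no longer matches its package. Note that the rpm database itself lives on the suspect disk, so a clean verdict from `rpm -Va` only means nothing changed relative to a database an intruder could also have edited; the comparison is only trustworthy against package files fetched from elsewhere.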
rsina.no-ssppaamm@earthlink.net wrote in
news:FJAQc.1943$nx2.38@newsread2.news.atl.earthlink.net:

> Hi all, I've got the following warning in chkroot. Could someone
> please let me know what it means and what should be my next step:
> [snip]
> Checking `lkm'... You have 11 process hidden for readdir command
> You have 11 process hidden for ps command
> Warning: Possible LKM Trojan installed
> [snip]

Hi, I'm a Linux newbie myself, but I was just now reading Debian documentation
before installing it, and I came across this subject; maybe you will find this
useful also:

http://www.debian.org/doc/manuals/se...9.en.html#s9.4

AFAIK this is not only Debian-specific.

Anyway, if this is _really_ an attack taking place *right now* you should
perhaps turn off the computer's power (try not to use any HDDs, to avoid file
system corruption) - by pulling out the power cable. This is a drastic
approach, but it will prevent the attacker from installing something like "if
the network connection is broken, or if the user is pressing the power-off
switch /which gives 4 seconds on new mainboards before reboot/ - then remove
all HDDs - rm -rf /". On the other hand it might damage the file system a
bit... Your choice.

So turn the computer down somehow, move the HDD to another PC, make a full
backup of the entire HDD (user data - /home/*) and all log files, analyze
them, and reinstall the system if it was in fact compromised.

All above is just IMHO.

--
Regards, my website, C++, contact, etc.:
Rafal Maj Raf256 - http://www.raf256.com/me-news/ (site under construction)

"Rafal 'Raf256' Maj" <spam@raf256.com> wrote in
news:Xns953D21D273F88raf256com@213.180.128.20:

> Anyway, if this is _really_ an attack taking place *right now* you should
> perhaps turn off the computer's power (try not to use any HDDs to avoid file
> system corruption) - by pulling out the power cable.

Yanking the network cable to take it off the net works as well and avoids
the file corruption problem

Gandalf Parker

--
Saying your system is secure should be considered the same as saying your
food is too hot. It's a temporary condition which is going away even as you
speak.

rsina wrote:

> Hi all, I've got the following warning in chkroot. Could someone please
> let me know what it means and what should be my next step:
>
> [snip]
> Checking `lkm'... You have 11 process hidden for readdir command
> You have 11 process hidden for ps command
> Warning: Possible LKM Trojan installed
> [snip]
>
> Thanks
> suse9.1

This is from the Mandrake list, but it also pertains to the lkm trojan;
might be of some help. Just follow the threads by going to the bottom of the
message and select "next in thread"

http://marc.theaimsgroup.com/?l=mand...5959631981&w=2

HTH

--
Chris
Registered Linux User 283774 http://counter.li.org
"I'll rob that rich person and give it to some poor deserving slob. That
will *prove* I'm Robin Hood." -- Daffy Duck, "Robin Hood Daffy" [1958,
Chuck Jones]

Thanks for all the replies. I did a chkrootkit -x lkm as was suggested in
the link below and out of the 11 processes, 4 are for soffice, 2 are for
knode (news reader) and 5 are for nscd. I don't know why nscd is running.
I've never started it and I didn't know anything about it until now. I'm
using my machine as a desktop attached to the net via PPPoE, so I'm not
sure whether to accept the nscd process as normal or not.

Chris wrote:
> rsina wrote:
>
>> Hi all, I've got the following warning in chkroot. Could someone please
>> let me know what it means and what should be my next step:
>>
>> [snip]
>> Checking `lkm'... You have 11 process hidden for readdir command
>> You have 11 process hidden for ps command
>> Warning: Possible LKM Trojan installed
>> [snip]
>>
>> Thanks
>> suse9.1
>
> This is from the Mandrake list, but it also pertains to the lkm trojan,
> might be of some help. Just follow the threads by going to the bottom of
> the message and select "next in thread"
>
> http://marc.theaimsgroup.com/?l=mand...5959631981&w=2
>
> HTH

Gandalf Parker <gandalf@most.of.my.favorite.sites> writes:

> "Rafal 'Raf256' Maj" <spam@raf256.com> wrote in
> news:Xns953D21D273F88raf256com@213.180.128.20:
>
>> Anyway, if this is _really_ an attack taking place *right now* you should
>> perhaps turn off the computer's power (try not to use any HDDs to avoid file
>> system corruption) - by pulling out the power cable.
>
> Yanking the network cable to take it off the net works as well and avoids
> the file corruption problem

Either way it would tell a potential cracker you're onto them, and you won't
be able to debug anything while you're switched off, nor will you see viable
network traffic if you sniff the device. So all in all, the "yank it out the
wall" approach really is a crap idea.

~Tim

--
River of millions flow downstream     |piglet@stirfried.vegetable.org.uk
A golden highway to the sea of dreams |http://spodzone.org.uk/

rsina wrote:

> Thanks for all the replies. I did a chkrootkit -x lkm as was suggested in
> the link below and out of the 11 processes, 4 are for soffice, 2 are for
> knode (news reader) and 5 are for nscd. I don't know why nscd is running.
> I've never started it and I didn't know anything about it until now. I'm
> using my machine as a desktop attached to the net via PPPoE, so I'm not
> sure whether to accept the nscd process as normal or not.

I don't know about Mandrake, never having used it, but the SuSE versions
I've used set up nscd by default, whether you're on a network or not, so
it's at least possible that Mandrake does as well.

--
Travis S. Casey <efindel@earthlink.net>
No one agrees with me. Not even me.

Tim Haynes <usenet-20040806@stirfried.vegetable.org.uk> wrote in
news:86r7qk1wk6.fsf@potato.vegetable.org.uk:

> Gandalf Parker <gandalf@most.of.my.favorite.sites> writes:
>
>> "Rafal 'Raf256' Maj" <spam@raf256.com> wrote in
>> news:Xns953D21D273F88raf256com@213.180.128.20:
>>
>>> Anyway, if this is _really_ an attack taking place *right now* you
>>> should perhaps turn off the computer's power (try not to use any HDDs to
>>> avoid file system corruption) - by pulling out the power cable.
>>
>> Yanking the network cable to take it off the net works as well and
>> avoids the file corruption problem
>
> Either way it would tell a potential cracker you're onto them, and you
> won't be able to debug anything while you're switched off, nor will
> you see viable network traffic if you sniff the device. So all in all,
> the "yank it out the wall" approach really is a crap idea.

Agreed. Personally I love doing online forensics of a cracked box. The
dangers aren't nearly as great as the possible fun and learning. But that's
just my opinion. The standard plague response of "destroy everything and
start over" is probably the best answer for anyone who would be coming here
to ask what to do.

If you want to learn on the subject, run a honeypot. Although there has been
a huge drop in what you can get with one.

Gandalf Parker

--
A popular package might mean it's good but it doesn't mean it's secure.
In fact, quite the opposite.

On Fri, 06 Aug 2004 00:59:17 +0000, rsina wrote:

> Hi all, I've got the following warning in chkroot. Could someone please let
> me know what it means and what should be my next step:
>
> [snip]
> Checking `lkm'... You have 11 process hidden for readdir command
> You have 11 process hidden for ps command
> Warning: Possible LKM Trojan installed
> [snip]
>
> Thanks
> suse9.1

Chkrootkit reports an lkm trojan with the 2.6 kernel unless you install a
patched version. This has to do with the way the 2.6 kernel handles memory
over the 2.4 kernel. Here is a link to a more up to date version:

http://trific.ath.cx/resources/rpm/chkrootkit/

Chkrootkit reported me as having an lkm trojan, but stopped reporting such
when I installed the latest version from the src rpm.

--
Athlon Processor
Linux Registered User # 346717

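Taken together, rsina's `chkrootkit -x lkm` result (the 11 hidden PIDs belonging to soffice, knode and nscd) and the explanation in this last post describe the same false positive: chkrootkit's chkproc probes every /proc/<pid> directly, and on a 2.6 kernel a process's extra threads are reachable that way while neither readdir(/proc) nor ps lists them. The Python script below is an added example, not chkrootkit's code. It reproduces the three views chkproc compares, prints the two counts chkrootkit prints, and then reads the Tgid field from /proc/<pid>/status to tell a thread of a visible process from a PID nothing accounts for. The SAMPLE_* values are constructed; the live path assumes Linux with /proc and `ps -e -o pid=` available:

```python
"""Reproduce chkrootkit's lkm heuristic and explain what it flags.

Added example for this thread, not chkrootkit's own code. chkproc looks
for every PID that is reachable as /proc/<pid> but absent from
readdir(/proc) or from ps, and reports the rest as hidden. On a 2.6
kernel each extra thread of a process behaves exactly that way (its
/proc/<tid> exists, readdir does not list it, ps does not show it), which
is what the soffice/knode/nscd entries in this thread were. Reading
/proc/<pid>/status separates the cases: a flagged PID whose Tgid is a
visible process is one of its threads; anything else stays unexplained.
"""
import os
import subprocess
import sys

# Constructed snapshot standing in for a live system (not data from the poster's box):
# PIDs 101 and 102 are threads of the visible soffice.bin (PID 100);
# 4242 is reachable but has no readable status and no visible owner.
SAMPLE_PROBED = {1, 100, 101, 102, 200, 4242}   # /proc/<pid> exists
SAMPLE_LISTED = {1, 100, 200}                   # what readdir(/proc) returned
SAMPLE_SHOWN = {1, 100, 200}                    # what ps -e printed
SAMPLE_STATUS = {
    1: ("init", 1),
    100: ("soffice.bin", 100),
    101: ("soffice.bin", 100),
    102: ("soffice.bin", 100),
    200: ("nscd", 200),
}


def hidden_counts(probed, listed, shown):
    """The two numbers chkrootkit prints: hidden from readdir, hidden from ps."""
    return len(probed - listed), len(probed - shown)


def classify_hidden(probed, listed, shown, status_of):
    """Split flagged PIDs into threads of visible processes and unexplained PIDs.

    status_of(pid) returns (name, tgid) or None. A PID is flagged when it is
    reachable but missing from readdir or from ps.
    """
    visible = listed | shown
    result = {"threads": [], "unexplained": []}
    for pid in sorted(probed - (listed & shown)):
        st = status_of(pid)
        if st is not None and st[1] != pid and st[1] in visible:
            result["threads"].append((pid, st[0], st[1]))
        else:
            result["unexplained"].append((pid, st[0] if st else None))
    return result


def read_status(pid):
    """(Name, Tgid) from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return fields["Name"].strip(), int(fields["Tgid"])
    except (OSError, KeyError, ValueError):
        return None


def live_snapshot():
    """Take the three views chkproc compares. Linux only."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    shown = {int(tok) for tok in ps_out.split()}
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    # Probe by stat, as chkproc does; this walks every possible PID and can take a while.
    probed = {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}
    return probed, listed, shown


def main():
    if sys.platform.startswith("linux"):
        probed, listed, shown = live_snapshot()
        status_of = read_status
    else:
        probed, listed, shown = SAMPLE_PROBED, SAMPLE_LISTED, SAMPLE_SHOWN
        status_of = SAMPLE_STATUS.get
    rd, ps = hidden_counts(probed, listed, shown)
    print(f"You have {rd} process hidden for readdir command")
    print(f"You have {ps} process hidden for ps command")
    report = classify_hidden(probed, listed, shown, status_of)
    for pid, name, tgid in report["threads"]:
        print(f"  {pid}: thread of {name} (pid {tgid})")
    for pid, name in report["unexplained"]:
        print(f"  {pid}: unexplained ({name or 'status unreadable'})")
    # Short-lived processes that exit between the three snapshots also land
    # here; rerun and only pursue PIDs that stay unexplained across runs.


if __name__ == "__main__":
    main()
```

Run it as root on the box being examined so every /proc/<pid>/status is readable. The "threads" bucket is what rsina saw: threads of soffice, knode and nscd, all owned by processes ps already shows. A PID that stays in the "unexplained" bucket across two runs is the one worth investigating, and even then only on a system whose /proc and ps can be trusted, since a kernel-level rootkit can lie to both.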