On Sat, 8 Feb 2003, terry white wrote:

> on "2-7-2003" "Craig Holmes" writ:
>
> : On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
> : > Checking `lkm'... You have 69 process hidden for ps command
> : > Warning: Possible LKM Trojan installed
> : > Could this be *true* ? How can I discover it?
>
> : If this is true, then your 'ps' binary has been replaced with one that filters
> : certain processes from your viewing.
>
> : The best, easiest method to determine if this is true,
>
> ... i created a directory, copied 'ps' et al to it, and used chattr on
> them. having a known good binary outside $PATH is something of a comfort
> ...
Yes, indeed, but how do you prevent the ps from using a tampered glibc or other libs?

I usually statically compile a standard set of utilities (ls, ps, netstat, chkrootkit, etc.), tar.Z them up (some systems still don't have gzip or bzip2) and dump the tools into a working directory on the "suspect" system. Then I set my path to utilize that directory during my inspection. This limits the toolset such that all I have to worry about is a tampered shell.

Just a suggestion, seeing as the source is so readily available and works spectacularly on Linux.

Sincerely,
Shawn M. Jones
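An added example, not from Shawn's message or anyone else in this thread: before trusting an unpacked toolkit on a suspect host, confirm each tool really is statically linked, since a binary carrying a PT_INTERP or PT_DYNAMIC program header will still pull in the host's loader and glibc. The ELF offsets and PT_* values are from the ELF specification; `make_elf64` only fabricates constructed test images for the check and is not a real binary.

```python
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2   # dynamic-linking info: the tool needs shared libs (the host's libc)
PT_INTERP = 3    # names the runtime loader (ld.so), which the host may have tampered

def elf_is_static(data: bytes) -> bool:
    """True if the ELF image has no PT_INTERP and no PT_DYNAMIC program header."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                            # ELFCLASS64: e_phoff @0x20, e_phentsize/e_phnum @0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    elif ei_class == 1:                          # ELFCLASS32: e_phoff @0x1C, e_phentsize/e_phnum @0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)   # p_type leads both Elf32/64_Phdr
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True

def classify_tool(data: bytes) -> str:
    """'static', 'dynamic', or 'not-elf' (e.g. a script, which trusts the host's interpreter)."""
    if data[:4] != ELF_MAGIC:
        return "not-elf"
    return "static" if elf_is_static(data) else "dynamic"

def audit_toolkit(tooldir: str) -> dict:
    """Classify every regular file in the directory the toolkit tarball was unpacked into."""
    return {p.name: classify_tool(p.read_bytes())
            for p in sorted(Path(tooldir).iterdir()) if p.is_file()}

def make_elf64(p_types) -> bytes:
    """Constructed minimal little-endian ELF64 image with the given p_type values (test input only)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8       # class64, LSB, version 1
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000,
                      64, 0, 0, 64, 56, len(p_types), 64, 0, 0)   # phoff=64, phentsize=56
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in p_types)
    return ident + hdr + phdrs
```

Anything `audit_toolkit` reports as `dynamic` or `not-elf` still depends on the suspect host and should be rebuilt (`-static`) before it goes into the tarball.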