On Sun, 16 Jul 2006 15:54:18 -0400, Dave S <[EMAIL PROTECTED]> wrote:

On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
On Sunday 16 July 2006 20:25, Dave S wrote:
> Hi, I have a potential security problem ...
>
> and err, it's not on Gentoo, it's on Ubuntu, but I am not getting any
> response there & you guys are the most tech bunch I know - thought I
> would lay it on the table :)
>
> I just had an email from chkrootkit last night -
>
> ---
>
> The following suspicious files and directories were found:
>
> You have     3 process hidden for readdir command
> You have     3 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
>
> ---
>
> Running chkrootkit now and all is OK
>
> [EMAIL PROTECTED]:~#
> [EMAIL PROTECTED]:~# chkrootkit | grep chkproc
> Checking `lkm'... chkproc: nothing detected
> [EMAIL PROTECTED]:~#
>
> I have even 'sudo install --reinstall chkrootkit' in case its binaries
> have been modified (paranoid)

If you installed it using the tools of the system, it could be worthless,
because those tools could be compromised. Boot from a CD and check from the CD.

I understand. Booted from Knoppix 5.0.1, executed a

'chroot /mnt/hda1 chkrootkit' and a
'chroot /mnt/hda1 rkhunter -c'

- both scans brought back nothing. From what I have read, the chkrootkit &
rkhunter binaries would have been from the CD and therefore untainted? Am I
correct?

Are there any other checks I can do - re-installing the system is not my
preferred option :)

Dave

I'm a newbie, so discount this appropriately.

1. IIUC, running rkhunter/chkrootkit from Knoppix simply checks the Knoppix CD.
2. You want second/third opinions. IIWU,
   i. I'd scan the box with a Trojan signature scanner - e.g. fprotect, AntiVir, etc.
      - from Knoppix, first assuring that you have current signatures.
   ii. I'd reemerge/recompile the kernel WITHOUT modules or module support, and
       clear out your usr/lib/modules (though IIUC, this can be foiled).
   iii. I'd try zeppoo.
3. Try to figure out how you got it, e.g. you installed software from an unreliable
   source; your privileges are screwed up; you have unpatched server(s) running; etc.

Maybe.... you could find both the vector and the LKM - but understanding that the only real solution to a
rootkit is restoring from a clean backup, or rebuilding :-(
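The two chkproc warnings quoted at the top of the thread come from a three-way cross-check: chkproc lists PIDs by reading /proc, by running ps, and by probing every PID with kill(pid, 0), and it calls a PID "hidden" when kill() says it exists but one of the other two views does not show it. The following is an added example of that same check in Python, written for this page; it is not chkrootkit's code and not from anyone in the thread, and every function name in it is mine. It assumes a Linux host with a procps-style `ps` and reads /proc/sys/kernel/pid_max to bound the probe. It also handles the two things that make a one-off chkproc hit hard to interpret, as in the "all is OK on rerun" above: kill() answers for thread IDs, which never appear in a /proc listing (a well-known false positive on 2.6 kernels), so only thread-group leaders are kept; and a process born or dying mid-scan shows up once, so the scan is repeated and only PIDs flagged every time are reported.

```python
#!/usr/bin/env python3
"""chkproc-style hidden-process cross-check (added example, not chkrootkit's code).

Three views of the process table are compared: readdir(/proc), `ps`, and
kill(pid, 0).  A PID alive per kill() but missing from /proc or ps is what
chkproc reports as a process "hidden for readdir/ps command".
Assumes Linux with procps `ps`; function names are this example's own."""
import os
import subprocess


def parse_pid_column(text):
    """Turn `ps -eo pid=` output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def tgid_from_status(status_text):
    """Extract the Tgid field from a /proc/<pid>/status body (None if absent)."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def compare(readdir_pids, ps_pids, kill_pids, ignore=frozenset()):
    """PIDs alive per kill() but absent from readdir(/proc) and from ps.

    Returns (hidden_from_readdir, hidden_from_ps), each a sorted list.
    `ignore` holds known noise such as our own PID."""
    hidden_readdir = sorted(set(kill_pids) - set(readdir_pids) - set(ignore))
    hidden_ps = sorted(set(kill_pids) - set(ps_pids) - set(ignore))
    return hidden_readdir, hidden_ps


def pids_from_proc_readdir(proc="/proc"):
    """PIDs a plain directory listing of /proc admits (what ls and most tools use)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def pids_from_ps():
    """PIDs as printed by `ps -eo pid=` (no header)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=False).stdout
    return parse_pid_column(out)


def pids_from_kill_probe(proc="/proc"):
    """Every PID the kernel admits exists via kill(pid, 0).
    EPERM means "exists but not ours", so it counts as present."""
    with open(f"{proc}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_thread_group_leader(pid, proc="/proc"):
    """kill(tid, 0) also succeeds for thread IDs, which readdir(/proc) never
    lists even though /proc/<tid>/status can be opened.  Keep only real
    processes (Tgid == pid) to avoid that classic chkproc false positive."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            return tgid_from_status(f.read()) == pid
    except FileNotFoundError:
        # No /proc entry at all: either the PID exited between probes, or
        # something is hiding it.  Re-probe; a PID that still answers kill()
        # with no /proc entry is exactly the case worth keeping.
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            return False
        except PermissionError:
            pass
        return True


def scan():
    """One chkproc-style pass.  The snapshots are not atomic, so a process
    born or dying mid-scan can be flagged once; see persistent_hidden()."""
    readdir = pids_from_proc_readdir()
    ps_set = pids_from_ps()
    kill_set = {p for p in pids_from_kill_probe() if is_thread_group_leader(p)}
    return compare(readdir, ps_set, kill_set, ignore={os.getpid()})


def persistent_hidden(runs=3):
    """Keep only PIDs flagged in every run: one-off hits are scheduling noise,
    repeat hits deserve a closer look (from a clean boot medium)."""
    results = [scan() for _ in range(runs)]
    hidden_readdir = set.intersection(*(set(r[0]) for r in results))
    hidden_ps = set.intersection(*(set(r[1]) for r in results))
    return sorted(hidden_readdir), sorted(hidden_ps)


if __name__ == "__main__":
    rd, ps = persistent_hidden()
    print(f"You have {len(rd):5d} process hidden for readdir command")
    print(f"You have {len(ps):5d} process hidden for ps command")
    for pid in sorted(set(rd) | set(ps)):
        views = [v for v, s in (("readdir", rd), ("ps", ps)) if pid in s]
        print(f"  pid {pid}: hidden from {', '.join(views)}")
```

This has to run on the suspect kernel, as root, to mean anything: a kernel-module rootkit hides processes only while it is loaded, so from a Knoppix boot there is no hidden process to find, only files on disk. Note also that `chroot /mnt/hda1 chkrootkit` executes the chkrootkit binary found inside /mnt/hda1, i.e. the suspect system's copy; to scan the mounted disk with the CD's own copy, run the CD's chkrootkit with its `-r /mnt/hda1` option instead of chrooting into the disk.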


--
[email protected] mailing list