Hi,
One of my servers reported the same LKM last night. "Massive" attack?
A manual check in the morning doesn't send the warning anymore.
At the same time, tripwire doesn't report any changes on files...
chkrootkit says nothing either, and OSSEC just reported at 3:00 AM a hidden
TCP port 53895 that I don't find with netstat or nmap... Even with a
netstat file transferred from another server with the same config, to
avoid using a compromised binary.

It seems that this rootkit is a kernel one. How do I manually test if it is
installed?

On Wednesday, 31 December 2008 at 08:22 -0500, Angus McIntyre wrote:

> My overnight run of rkhunter 1.3.2 on a Fedora Core 7 machine issued 
> the following warning:
> 
>    Warning: Sebek LKM                                [ Warning ]
>    Kernel symbol 'adore or sebek' found
> 
> The log lines read:
> 
>    [04:37:32] Checking for Sebek LKM...
>    [04:37:32]   Checking for kernel symbol 'adore or sebek'     [ Found ]
>    [04:37:32] Warning: Sebek LKM                                [ Warning ]
>    [04:37:32]          Kernel symbol 'adore or sebek' found
> 
> When I re-run the check manually, rkhunter gives the system an 
> all-clear and doesn't report any sign of Sebek.
> 
> Running chkrootkit reports:
> 
>    Checking `lkm'... You have     1 process hidden for readdir command
>    You have     1 process hidden for ps command
>    chkproc: Warning: Possible LKM Trojan installed
> 
>    Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp
>    terminated
>    /usr/lib/chkrootkit-0.48/chkrootkit: line 172:
>    22700 Aborted                 ./chkutmp
> 
> Do I assume that my system is compromised, and that the attackers 
> have not only installed Sebek, but have crippled rkhunter so that it 
> can't detect it any more?
> 
> If anyone has any tips on where to go next to get rid of the 
> installed rootkit, these would be appreciated.
> 
> Thanks,
> 
> Angus
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> 


Regards,
Frank Soyer
Systea IG
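The two symptoms in this thread (chkrootkit's "1 process hidden for readdir/ps" and OSSEC's hidden TCP port that netstat cannot see) both come down to the same idea: a kernel-level rootkit filters one view of a resource, so you compare it against a second, independent view. The script below is an added example illustrating that check; it is not rkhunter's, chkrootkit's or OSSEC's own code, and every function name in it is this example's own. For processes it compares the readdir listing of /proc (what ps uses) with a brute-force probe of /proc/<pid> for every possible pid; for TCP ports it compares the local ports in /proc/net/tcp and /proc/net/tcp6 (what netstat reads) with a bind() probe of every port, since a listener filtered out of /proc/net/tcp still makes bind() fail with EADDRINUSE. The /proc/net/tcp sample is constructed for the offline check and only borrows the port number from this thread.

```python
#!/usr/bin/env python3
"""Added example: cross-check process and TCP-port visibility on Linux.

Each resource is read through two independent views; anything present in the
probe but absent from the listing is reported. Run as root for a full port
scan (bind() below 1024 gives EACCES, not EADDRINUSE, for other users).
"""
import errno
import os
import socket

PROC = "/proc"

# Constructed sample in the format of /proc/net/tcp: sshd on 22 (LISTEN, st 0A),
# a listener on 0xD287 = 53895 (the port from this thread) and one ESTABLISHED
# (st 01) connection on port 53. The header line is skipped by the parser.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0
   1: 0100007F:D287 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0 100 0 0 10 0
   2: 0100007F:0035 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 3 1 0 100 0 0 10 0
"""


def parse_proc_net_tcp(text, listen_only=True):
    """Local ports from the text of /proc/net/tcp or /proc/net/tcp6.

    The port is the hex value after the last ':' of local_address; state 0A
    is LISTEN. With listen_only=False every state is included, which is what
    the bind() probe must be compared against (bind fails for any bound port).
    """
    ports = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or (listen_only and fields[3] != "0A"):
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def hidden(listed, probed):
    """Entries the probe finds that the listing does not show."""
    return set(probed) - set(listed)


def listed_pids(proc=PROC):
    """What ps and a readdir of /proc see (the view a hooked getdents filters)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def is_thread_group_leader(pid, proc=PROC):
    """/proc/<tid> exists for every thread but is never listed by readdir, so
    only thread-group leaders (Tgid == pid) count as processes here."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return False


def probed_pids(proc=PROC):
    """Brute-force view: stat /proc/<pid> for every pid up to pid_max."""
    with open(f"{proc}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"{proc}/{pid}") and is_thread_group_leader(pid, proc)}


def hidden_pids(proc=PROC):
    """Two passes, so a process that exits between snapshots is not reported."""
    candidates = hidden(listed_pids(proc), probed_pids(proc))
    return {pid for pid in candidates
            if os.path.exists(f"{proc}/{pid}") and pid not in listed_pids(proc)}


def bind_probe_ports(family=socket.AF_INET, ports=range(1, 65536)):
    """Ports on which bind() fails with EADDRINUSE, i.e. bound by someone."""
    host = "0.0.0.0" if family == socket.AF_INET else "::"
    in_use = set()
    for port in ports:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            try:
                s.bind((host, port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    in_use.add(port)
    return in_use


def kernel_tcp_ports(proc=PROC):
    """All local TCP ports (any state) that /proc/net/tcp{,6} admit to."""
    ports = set()
    for name in ("tcp", "tcp6"):
        try:
            with open(f"{proc}/net/{name}") as fh:
                ports |= parse_proc_net_tcp(fh.read(), listen_only=False)
        except OSError:
            pass
    return ports


def hidden_ports(proc=PROC):
    """Ports bound according to bind() but absent from /proc/net/tcp both
    before and after the probe (connections that appear mid-scan are ignored)."""
    before = kernel_tcp_ports(proc)
    probed = bind_probe_ports(socket.AF_INET) | bind_probe_ports(socket.AF_INET6)
    after = kernel_tcp_ports(proc)
    return hidden(before | after, probed)


if __name__ == "__main__":
    print("processes present in /proc but absent from its listing:",
          sorted(hidden_pids()) or "none")
    print("TCP ports bound but absent from /proc/net/tcp:",
          sorted(hidden_ports()) or "none")
```

A clean host prints "none" twice. The bind() probe is the part worth keeping even if you distrust the local binaries: it asks the kernel's socket layer directly, which is a different code path from the /proc readers that netstat, and a rootkit's hooks, sit on. The process scan takes a few seconds with a large pid_max, and a hit still wants confirmation from a known-good boot medium, because a kernel that lies about /proc can in principle lie about stat() as well.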