fso...@systea.net wrote:

> One of my servers reported the same LKM this night. "Massive" attack?
> A manual check in the morning doesn't send a warning anymore.

That's what I saw.

> At the same time, tripwire doesn't report any changes on files...
> chkrootkit says nothing either, and OSSEC just reported at 3:00 AM a hidden
> tcp port 53895 that I don't find with netstat or nmap... Even with a
> netstat file transferred from another server with the same config, to
> avoid using a compromised binary.

chkrootkit initially reported a hidden process and other suspicious
activity, then stopped (it exits with a report of 'stack smashing', which
may or may not be suspicious). Either this thing is good at covering its
tracks, or I blocked some of its components by turning SELinux back to
enforcing.

> It seems that this rootkit is a kernel one. How to manually test if it is
> installed?

There are some suggestions at:

http://seclists.org/honeypots/2004/q1/0077.html
http://www.securityfocus.com/infocus/1828

Angus

> On Wednesday, 31 December 2008 at 08:22 -0500, Angus McIntyre wrote:
>
>> My overnight run of rkhunter 1.3.2 on a Fedora Core 7 machine issued
>> the following warning:
>>
>> Warning: Sebek LKM [ Warning ]
>> Kernel symbol 'adore or sebek' found
>>
>> The log lines read:
>>
>> [04:37:32] Checking for Sebek LKM...
>> [04:37:32] Checking for kernel symbol 'adore or sebek' [ Found ]
>> [04:37:32] Warning: Sebek LKM [ Warning ]
>> [04:37:32] Kernel symbol 'adore or sebek' found
>>
>> When I re-run the check manually, rkhunter gives the system an
>> all-clear and doesn't report any sign of Sebek.
>>
>> Running chkrootkit reports:
>>
>> Checking `lkm'... You have 1 process hidden for readdir command
>> You have 1 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
>>
>> Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp terminated
>> /usr/lib/chkrootkit-0.48/chkrootkit: line 172: 22700 Aborted ./chkutmp
>>
>> Do I assume that my system is compromised, and that the attackers
>> have not only installed Sebek, but have crippled rkhunter so that it
>> can't detect it any more?
>>
>> If anyone has any tips on where to go next to get rid of the
>> installed rootkit, these would be appreciated.
>>
>> Thanks,
>>
>> Angus
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Rkhunter-users mailing list
>> Rkhunter-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>
> Regards,
> Frank Soyer
> Systea IG
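The two symptoms in this thread, chkrootkit's "process hidden for readdir command" and OSSEC's hidden TCP port, both come from the same technique: ask the kernel about one PID or one port directly and compare the answer with what its listing interfaces (readdir on /proc, /proc/net/tcp) show, since a hiding LKM usually hooks the listing path and not the direct one. The script below is an added example of that cross-check written for this thread; it is not code from rkhunter, chkrootkit or OSSEC, and the two suggested links above are not its source. It assumes a Linux host with /proc mounted; the function names are the example's own and SAMPLE_PROC_NET_TCP is constructed test data, not output from the machines discussed above.

```python
"""Cross-check the kernel's direct answers (kill(pid, 0), bind(port)) against
its listing interfaces (readdir on /proc, /proc/net/tcp{,6}), the idea behind
chkrootkit's "hidden for readdir" check and OSSEC's hidden-port check.
Added example, not code from rkhunter, chkrootkit or OSSEC. Assumes Linux
with /proc mounted; all names and the sample data are the example's own."""
import errno
import os
import socket

# Constructed /proc/net/tcp excerpt (not real output): a listener on 22
# (state 0A), an ESTABLISHED connection on 53895 (0xD287), TIME_WAIT on 52711.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:D287 0100007F:9C40 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 0100007F:CDE7 0100007F:0016 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000\n"
)

def local_ports(proc_net_tcp_text):
    """All local ports in /proc/net/tcp{,6} text, in any state: a socket in
    TIME_WAIT blocks bind() just as a LISTEN socket does."""
    ports = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and ":" in fields[1]:  # skips the header line
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def is_alive(pid):
    """kill(pid, 0): ESRCH means no such process, EPERM means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def probe_pids(pid_max):
    """Ask about every PID one by one. Returns (alive PIDs, pid -> Tgid)."""
    alive, tgid_of = set(), {}
    for pid in filter(is_alive, range(1, pid_max)):
        alive.add(pid)
        try:  # /proc/<pid> resolves by name even when readdir() omits it
            with open(f"/proc/{pid}/status") as status:
                tgid_of[pid] = next(int(line.split()[1]) for line in status
                                    if line.startswith("Tgid:"))
        except (OSError, StopIteration):
            pass  # exited meanwhile, or status itself is being hidden
    return alive, tgid_of

def hidden_pids(listed, alive, tgid_of):
    """Alive but missing from readdir(/proc). Threads never appear there, so a
    PID whose thread-group leader is listed is a thread, not a hidden process."""
    return {pid for pid in alive - listed if tgid_of.get(pid, pid) not in listed}

def probe_ports(ports):
    """bind() each port on 0.0.0.0 without SO_REUSEADDR, so any existing socket
    on it gives EADDRINUSE. EACCES (ports < 1024 unprivileged) is unknown, not busy."""
    busy = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            try:
                sock.bind(("0.0.0.0", port))
            except OSError as exc:
                if exc.errno == errno.EADDRINUSE:
                    busy.add(port)
    return busy

def hidden_ports(kernel_listed, bind_busy):
    """Busy in the bind probe but absent from /proc/net/tcp{,6}: the condition
    OSSEC reports as a hidden port."""
    return bind_busy - kernel_listed

def listed_pids():
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def listed_ports():
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                ports |= local_ports(f.read())
        except OSError:
            pass
    return ports

def scan_live(port_range=range(1, 65536)):
    """Both comparisons on this host. Listings are taken before and after each
    probe and unioned, and suspect PIDs re-checked, so processes and
    connections that come and go during the scan are not reported."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    listed = listed_pids()
    alive, tgid_of = probe_pids(pid_max)
    suspects = hidden_pids(listed | listed_pids(), alive, tgid_of)
    known = listed_ports()
    busy = probe_ports(port_range)
    return {p for p in suspects if is_alive(p)}, hidden_ports(known | listed_ports(), busy)

if __name__ == "__main__":
    pids, ports = scan_live()
    print("alive but missing from readdir(/proc):", sorted(pids) or "none")
    print("bound but missing from /proc/net/tcp*:", sorted(ports) or "none")
```

Run it as root so the bind probe gets EADDRINUSE rather than EACCES on ports below 1024; walking every PID up to pid_max and every TCP port takes a few seconds to a minute. It only catches an LKM that hooks the listing path and leaves kill() and bind() alone, misses IPv6-only listeners when bindv6only is set, and, like chkrootkit, cannot be trusted if the kernel it runs on is the one under suspicion; a hit is a reason to compare against a boot from known-good media, not proof on its own.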