On Wednesday 31 December 2008 at 12:05 -0500, Angus McIntyre wrote:
> fso...@systea.net wrote:
> > One of my servers reported the same LKM last night. "Massive" attack?
> > A manual check in the morning doesn't send a warning anymore.
>
> That's what I saw.
>
> > At the same time, tripwire doesn't report any changes on files...
> > chkrootkit says nothing either, and OSSEC just reported at 3:00 AM a
> > hidden TCP port 53895 that I can't find with netstat or nmap... Even
> > with a netstat file transferred from another server with the same
> > config, to avoid using a compromised binary.
>
> chkrootkit initially reported a hidden process and other suspicious
> activity, then stopped (it exits with a report of 'stack smashing', which
> may or may not be suspicious).

Here it had no error when running via cron at 6:00 AM. But note that it
seems to test for the Adore worm but not Sebek... I just ran it manually
and received no warning and no execution error.

> Either this thing is good at covering its tracks, or I blocked some of its
> components by turning SELinux back to enforcing.
>
> > It seems that this rootkit is a kernel one. How can I manually test
> > whether it is installed?
>
> There are some suggestions at:
>
> http://seclists.org/honeypots/2004/q1/0077.html
> http://www.securityfocus.com/infocus/1828

I'll look at these links. Thank you. However: happy new year...

> Angus
>
> > On Wednesday 31 December 2008 at 08:22 -0500, Angus McIntyre wrote:
> >
> > > My overnight run of rkhunter 1.3.2 on a Fedora Core 7 machine issued
> > > the following warning:
> > >
> > > Warning: Sebek LKM [ Warning ]
> > > Kernel symbol 'adore or sebek' found
> > >
> > > The log lines read:
> > >
> > > [04:37:32] Checking for Sebek LKM...
> > > [04:37:32] Checking for kernel symbol 'adore or sebek' [ Found ]
> > > [04:37:32] Warning: Sebek LKM [ Warning ]
> > > [04:37:32] Kernel symbol 'adore or sebek' found
> > >
> > > When I re-run the check manually, rkhunter gives the system an
> > > all-clear and doesn't report any sign of Sebek.
> > >
> > > Running chkrootkit reports:
> > >
> > > Checking `lkm'... You have 1 process hidden for readdir command
> > > You have 1 process hidden for ps command
> > > chkproc: Warning: Possible LKM Trojan installed
> > >
> > > Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp terminated
> > > /usr/lib/chkrootkit-0.48/chkrootkit: line 172: 22700 Aborted ./chkutmp
> > >
> > > Do I assume that my system is compromised, and that the attackers
> > > have not only installed Sebek, but have crippled rkhunter so that it
> > > can't detect it any more?
> > >
> > > If anyone has any tips on where to go next to get rid of the
> > > installed rootkit, these would be appreciated.
> > >
> > > Thanks,
> > >
> > > Angus
> >
> > Regards,
> > Frank Soyer
> > Systea IG

Regards,
Frank Soyer
Systea IG
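One way to do the manual test Frank asks for, using the same cross-view idea behind chkrootkit's chkproc ("hidden for readdir" versus "hidden for ps") and OSSEC's hidden-port finding: ask the kernel the same question through two different interfaces and report where the answers disagree. This is an added example written for this page, not code from the thread or from rkhunter, chkrootkit or OSSEC. It assumes a Linux host with /proc mounted and is meant to be run as root; the /proc/net/tcp sample embedded in it is constructed, not captured from the servers discussed above.

```python
#!/usr/bin/env python3
"""Cross-view checks for a kernel (LKM) rootkit on Linux.

A rootkit that hides a process or a port usually filters one kernel
interface (the readdir() of /proc, the contents of /proc/net/tcp) and
leaves others alone (kill(2), bind(2)). Diffing the two views exposes
the gap. Added example, not code from rkhunter, chkrootkit or OSSEC;
needs Linux, and root to see every process and every port.
"""
import errno
import os
import socket

# Constructed /proc/net/tcp sample (local_address is hex IP:port,
# st is the socket state, 0A == LISTEN). Not from the thread's servers.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0A000002:D0A7 0A000001:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 4 30 10 -1
"""
TCP_LISTEN = "0A"


def parse_local_ports(proc_net_tcp_text, listening_only=False):
    """Local TCP ports the kernel admits to in /proc/net/tcp (what netstat
    reads). bind(2) fails with EADDRINUSE for any socket owning the port,
    not just listeners, so every state is kept unless listening_only is
    set. The same parser works on /proc/net/tcp6."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if listening_only and state != TCP_LISTEN:
            continue
        ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def hidden_entries(admitted, probed):
    """Entries the probing view finds that the listing view omits."""
    return sorted(set(probed) - set(admitted))


def ports_in_use_by_bind(ports):
    """Ports that bind(2) reports as taken. EACCES (privileged port,
    non-root caller) is inconclusive and is not counted."""
    busy = set()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                busy.add(port)
        finally:
            s.close()
    return busy


def pids_from_readdir():
    """The view chkrootkit calls 'readdir': numeric entries of /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_kill(max_pid):
    """PIDs that kill(pid, 0) says exist. Thread IDs also answer kill()
    but never appear in the /proc listing, so they are dropped via the
    Tgid line of /proc/<tid>/status (reachable by path even when hidden
    from readdir). A PID whose /proc entry cannot be opened at all is
    kept: that is what a hidden process looks like."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                      # exists, owned by another user
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
            if tgid != pid:
                continue              # a thread, not a process
        except (OSError, StopIteration):
            pass
        alive.add(pid)
    return alive


def main():
    # Hidden processes: list /proc before and after the kill() sweep so a
    # process that merely started during the sweep is not reported.
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = pids_from_readdir()
    probed = pids_from_kill(max_pid)
    after = pids_from_readdir()
    for pid in hidden_entries(before | after, probed):
        print(f"hidden process? pid {pid} answers kill() but is missing from /proc")

    # Hidden ports: /proc/net/tcp and tcp6 (what netstat shows) vs bind().
    admitted = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as f:
                admitted |= parse_local_ports(f.read())
    for port in hidden_entries(admitted, ports_in_use_by_bind(range(1, 65536))):
        print(f"hidden port? tcp/{port} refuses bind() but is missing from /proc/net/tcp*")


if __name__ == "__main__":
    main()
```

Run it on the suspect host with a Python binary you trust (copied from a clean machine, as Frank did with netstat). A disagreement between the two views is evidence, not proof, and agreement is not a clean bill of health: a rootkit that also hooks kill(2) and bind(2) passes both checks, and both views, like rkhunter's kernel-symbol check, are answers from the same possibly-hooked kernel. A host you believe is compromised should be examined from trusted boot media rather than from within. UDP sockets are not covered by this script.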
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users