On Wed, 2008-12-31 at 08:22 -0500, Angus McIntyre wrote:
> My overnight run of rkhunter 1.3.2 on a Fedora Core 7 machine issued
> the following warning:
>
> Warning: Sebek LKM [ Warning ]
> Kernel symbol 'adore or sebek' found
>
> The log lines read:
>
> [04:37:32] Checking for Sebek LKM...
> [04:37:32] Checking for kernel symbol 'adore or sebek' [ Found ]
> [04:37:32] Warning: Sebek LKM [ Warning ]
> [04:37:32] Kernel symbol 'adore or sebek' found
>
> When I re-run the check manually, rkhunter gives the system an
> all-clear and doesn't report any sign of Sebek.
>
Hmm, odd. The sebek check is done by looking in the /proc/ksyms or
/proc/kallsyms file for 'sebek'. The check for adore does the same, but it
also has additional checks, like looking at the stored module names and
running processes. As such, if adore was found, then I would expect more than
one test to fail (unless the kernel module was installed, RKH ran, and then
the module removed). Similarly, if sebek was installed then I would expect it
to still be there, unless it has since been removed.
> Running chkrootkit reports:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
>
> Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp
> terminated
> /usr/lib/chkrootkit-0.48/chkrootkit: line 172:
> 22700 Aborted ./chkutmp
>
Not good that another package reports a possible LKM as well.

> Do I assume that my system is compromised,
>
I would certainly treat it as suspicious. The FAQ contains a bit more info
about what to do if a rootkit is found. Ultimately though it means offlining
the system and rebuilding it.

> and that the attackers
> have not only installed Sebek, but have crippled rkhunter so that it
> can't detect it any more?
>
You can install the latest RKH version as a standalone install (details in
the latest README of how to install RKH without actually installing it). Run
this, and see if sebek/adore is still detected. My concern, however, would be
that even if RKH says that it is no longer there, it did say that it was there
before. And that means the system has been compromised.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk Fax: +44 (0)1752 587001
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
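The two checks discussed in the thread, as an added example written for this page (it is not rkhunter's or chkrootkit's own code): the kernel-symbol scan of /proc/kallsyms (or /proc/ksyms) for 'adore' or 'sebek' that produced the first warning, and the readdir-versus-ps comparison behind chkrootkit's "process hidden" message. The sample kallsyms content and the symbol names in it are constructed for illustration; the live check only runs where /proc is available and otherwise falls back to the sample.

```python
"""Defender-side re-implementation of two checks mentioned in the thread.

 1. rkhunter-style scan of /proc/kallsyms (or the older /proc/ksyms) for
    symbol names containing 'adore' or 'sebek'.
 2. chkrootkit-style hidden-process check: PIDs that are visible when
    reading /proc directly but missing from what a ps-like listing returns.

Assumptions (not from the thread): the symbol patterns, the sample kallsyms
data and the ps invocation below are illustrative choices, not rkhunter's
or chkrootkit's exact logic.
"""
import os
import subprocess

# The thread describes the check as a search for these substrings.
KERNEL_SYMBOL_PATTERNS = ("adore", "sebek")

# Constructed /proc/kallsyms sample: three ordinary symbols plus two that
# carry the names the check looks for.  Addresses and names are made up.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81a3c2e0 t sys_read
ffffffff81a3c300 D ext4_file_operations
ffffffffa0023010 t sebek_hook_read\t[sebek]
ffffffffa0023080 d adore_procs\t[adore]
"""


def scan_kallsyms(text, patterns=KERNEL_SYMBOL_PATTERNS):
    """Return symbol names (third field of each kallsyms line) that contain
    one of the patterns, case-insensitively, in file order."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # skip blank or malformed lines
            continue
        name = parts[2]
        if any(p in name.lower() for p in patterns):
            hits.append(name)
    return hits


def hidden_pids(proc_dir_pids, ps_pids):
    """PIDs present in the /proc directory listing but absent from the ps
    listing.  This is the discrepancy chkrootkit's chkproc reports: a module
    that filters the process list for ps but not for readdir (or vice versa)
    leaves exactly this kind of gap."""
    return sorted(set(proc_dir_pids) - set(ps_pids))


def read_kernel_symbols():
    """Read whichever symbol file the kernel provides, or return None.
    Note: with kptr_restrict set, unprivileged reads still see the symbol
    names (addresses are zeroed), so the name scan keeps working."""
    for path in ("/proc/kallsyms", "/proc/ksyms"):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    return None


def live_hidden_pids():
    """Compare a /proc listing against `ps -e -o pid=`.  Any PID that shows
    up only in /proc is re-checked for existence afterwards, so a process
    that simply exited between the two snapshots is not reported."""
    proc_pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=False).stdout
    ps_pids = {int(tok) for tok in out.split() if tok.isdigit()}
    return [pid for pid in hidden_pids(proc_pids, ps_pids)
            if os.path.isdir(f"/proc/{pid}")]


if __name__ == "__main__":
    symbols = read_kernel_symbols()
    source = "live /proc" if symbols is not None else "constructed sample"
    if symbols is None:
        symbols = SAMPLE_KALLSYMS
    print(f"kernel symbol scan ({source}):", scan_kallsyms(symbols) or "clean")
    if os.path.isdir("/proc"):
        print("PIDs in /proc but not in ps:", live_hidden_pids() or "none")
```

A hit from the symbol scan is a strong signal because the match is on a name the kernel itself exports, but as the thread notes it is only a snapshot: an unloaded module leaves no symbols behind, so a later all-clear does not cancel an earlier finding. The hidden-PID comparison is worth running from a read-only rescue environment as well, since a module that hooks the process listing for every caller hides the gap from this check too.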