Well. module_hunter and scprint (http://themightyowl.com/ExitTheMatrix/misc/kernel_auditor/) (thanks to Angus) don't report any error...
I'm not sure what to think...

On Wednesday, 31 December 2008 at 22:51 +0000, John Horne wrote:
> On Wed, 2008-12-31 at 08:22 -0500, Angus McIntyre wrote:
> > My overnight run of rkhunter 1.3.2 on a Fedora Core 7 machine issued
> > the following warning:
> >
> > Warning: Sebek LKM [ Warning ]
> > Kernel symbol 'adore or sebek' found
> >
> > The log lines read:
> >
> > [04:37:32] Checking for Sebek LKM...
> > [04:37:32] Checking for kernel symbol 'adore or sebek' [ Found ]
> > [04:37:32] Warning: Sebek LKM [ Warning ]
> > [04:37:32] Kernel symbol 'adore or sebek' found
> >
> > When I re-run the check manually, rkhunter gives the system an
> > all-clear and doesn't report any sign of Sebek.
>
> Hmm, odd. The sebek check is done by looking in the /proc/ksyms
> or /proc/kallsyms file for 'sebek'. The check for adore does the same,
> but it also has additional checks, like looking at the stored module
> names and running processes. As such if adore was found, then I would
> expect more than one test to fail (unless the kernel module was
> installed, RKH ran, and then the module removed). Similarly if sebek was
> installed then I would expect it to still be there, unless it has since
> been removed.
>
> > Running chkrootkit reports:
> >
> > Checking `lkm'... You have 1 process hidden for readdir command
> > You have 1 process hidden for ps command
> > chkproc: Warning: Possible LKM Trojan installed
> >
> > Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp
> > terminated
> > /usr/lib/chkrootkit-0.48/chkrootkit: line 172:
> > 22700 Aborted ./chkutmp
>
> Not good that another package reports a possible LKM as well.
>
> > Do I assume that my system is compromised,
>
> I would certainly treat it as suspicious. The FAQ contains a bit more
> info about what to do if a rootkit is found. Ultimately though it means
> offlining the system and rebuilding it.
>
> > and that the attackers
> > have not only installed Sebek, but have crippled rkhunter so that it
> > can't detect it any more?
>
> You can install the latest RKH version as a standalone install (details
> in the latest README of how to install RKH without actually installing
> it). Run this, and see if sebek/adore is still detected.
>
> My concern, however, would be that even if RKH says that it is no longer
> there, it did say that it was there before. And that means the system
> has been compromised.
>
> John.

Regards,
Frank Soyer
Systea IG
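As an added illustration (not code from this thread, nor from rkhunter or chkrootkit), the two ideas John raises written as POSIX shell: the name scan of a /proc/kallsyms-style listing that the sebek/adore test performs, and a diff of two captures, which is what distinguishes "the module was loaded, scanned and then unloaded" from "the first scan was a false positive". The capture files, the symbol lines and the pattern are constructed samples.

```shell
#!/bin/sh
# Constructed captures in /proc/kallsyms format: "address type symbol [module]"
# (the real file separates the module with a tab; awk splits on either).
# BEFORE has a suspicious module loaded; AFTER is the same box after it was unloaded.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
ffffffff81000000 T _stext
ffffffffa0001000 t sebek_read [sebek]
ffffffffa0001100 t cleaner_init [adore]
ffffffffa0002000 T e1000_probe [e1000]
EOF
cat > "$AFTER" <<'EOF'
ffffffff81000000 T _stext
ffffffffa0001100 t cleaner_init [adore]
ffffffffa0002000 T e1000_probe [e1000]
EOF

# Name-based check, the same idea as rkhunter's kallsyms grep: print each symbol
# whose name or owning module matches an ERE pattern (case-insensitive).
# Exit status 0 if anything matched, 1 if the listing looks clean.
find_suspect_symbols() {
    awk -v pat="$2" '
        {
            mod = ($4 ~ /^\[/) ? substr($4, 2, length($4) - 2) : ""
            if (tolower($3) ~ pat || tolower(mod) ~ pat) {
                print $3 (mod != "" ? " [module " mod "]" : "")
                hit = 1
            }
        }
        END { exit hit ? 0 : 1 }' "$1"
}

# Snapshot diff: symbols present in the earlier capture but gone from the later one.
# A vanished symbol together with a now-clean name scan is consistent with a module
# that was loaded at scan time and removed afterwards, so keep captures from every run.
vanished_symbols() {
    awk 'NR == FNR { seen[$3] = 1; next } !($3 in seen) { print $3 }' "$2" "$1" | sort
}

if find_suspect_symbols "$BEFORE" 'sebek|adore'; then
    echo "BEFORE: suspicious kernel symbols present"
fi
if ! find_suspect_symbols "$AFTER" 'sebek'; then
    echo "AFTER: no sebek symbol now, but symbols missing since the earlier capture:"
    vanished_symbols "$BEFORE" "$AFTER"
fi
```

On a live system the captures would be copies of /proc/kallsyms taken at each scan; comparing them is cheap and survives a module being unloaded between runs.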
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users