How can I be sure if it is LKM or not?
Today I've run chkrootkit and it gave me:
Checking `lkm'...
You have 179 process hidden for readdir command
You have 179 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `chkutmp'...
The tty of the following user process(es) were not found in /var/run/utmp !
! RUID  PID   TTY   CMD
! root  3206  tty1  /sbin/mingetty tty1
! root  3285  tty2  /sbin/mingetty tty2
! root  3337  tty3  /sbin/mingetty tty3
! root  3388  tty4  /sbin/mingetty tty4
! root  3439  tty5  /sbin/mingetty tty5
Those hidden ttys can be "su -" sessions that I have just started. The computer has just been restarted, and I have just opened those su sessions.
There are also some "hidden files", all of them named .packlist and .exists. Everything else is fine.
rkhunter looks fine.
" rpm -Va kernel* " looks fine.
Remote users' access is being controlled through /etc/ssh/sshd_config in a user-host fashion.
Thanks in advance.
On 12/22/06, Leonardo Vilela Pinheiro leopinheiro@gmail.com wrote:
It is a Centos 4.4 box.
Compare with the result of this: http://www.security-projects.com/?Unhide and tell us.
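The chkproc warning in the first message and the unhide suggestion above rest on the same idea: walk every possible PID and open /proc/<pid> by direct path, then compare with what readdir(/proc) and ps report. The script below is an added illustration of that comparison; it is not code from this thread, from chkrootkit or from unhide. It assumes a Linux /proc and the 2.6-kernel behaviour where every non-leader thread has a reachable but unlisted /proc/<tid> entry (which is what makes a naive count report threads as "hidden processes"); the PID_MAX value and the sample status texts in the test are constructed.

```python
#!/usr/bin/env python3
"""Cross-check readdir(/proc) against a brute-force walk of PID numbers.

A process hidden by a kernel module may be invisible to readdir(/proc) and to
ps, yet still reachable by opening /proc/<pid>/status directly.  Threads are
also reachable-but-unlisted on 2.6 kernels, so each unlisted entry is
classified by its Tgid before anything is called "hidden".
"""
import os
import re
from typing import Dict, Iterable, Set, Tuple

# Constructed assumption: the 2.6-era default; a live run should read
# /proc/sys/kernel/pid_max instead.
PID_MAX = 32768


def listed_pids(proc_entries: Iterable[str]) -> Set[int]:
    """PIDs visible to readdir: the purely numeric entries of /proc."""
    return {int(e) for e in proc_entries if e.isdigit()}


def parse_tgid(status_text: str) -> int:
    """Extract the 'Tgid:' field of a /proc/<pid>/status file (-1 if absent)."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.M)
    return int(m.group(1)) if m else -1


def ps_pids(ps_output: str) -> Set[int]:
    """Parse the output of `ps -e -o pid=` into a set of PIDs."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def classify(listed: Set[int], reachable: Dict[int, str]) -> Tuple[Set[int], Set[int]]:
    """Split reachable-but-unlisted entries into (threads, truly_hidden).

    listed:    PIDs returned by readdir(/proc)
    reachable: pid -> text of /proc/<pid>/status for every pid whose status
               file could be opened by direct path
    An unlisted entry whose Tgid is not its own number is a thread (the
    common chkproc false positive).  An unlisted entry that is its own
    thread-group leader is the case that deserves a second look.
    """
    threads, hidden = set(), set()
    for pid, status in reachable.items():
        if pid in listed:
            continue
        if parse_tgid(status) != pid:
            threads.add(pid)
        else:
            hidden.add(pid)
    return threads, hidden


def missing_from_ps(listed: Set[int], ps_output: str) -> Set[int]:
    """PIDs that readdir(/proc) shows but ps does not: points at a tampered
    ps binary or library rather than at a kernel module."""
    return listed - ps_pids(ps_output)


def scan_live(pid_max: int = PID_MAX) -> Tuple[Set[int], Set[int]]:
    """Run the comparison against the running kernel (Linux only).

    Processes that start or exit between the listdir() and the walk produce
    transient differences, so a finding should be confirmed by re-running.
    """
    listed = listed_pids(os.listdir("/proc"))
    reachable: Dict[int, str] = {}
    for pid in range(1, pid_max + 1):
        try:
            with open(f"/proc/{pid}/status") as fh:
                reachable[pid] = fh.read()
        except OSError:
            continue  # no such pid, or not permitted to read it
    return classify(listed, reachable)


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        threads, hidden = scan_live()
        print(f"{len(threads)} unlisted entries are threads (not hidden processes)")
        print(f"{len(hidden)} unlisted thread-group leaders: {sorted(hidden)}")
```

On a box like the one in the thread, a large count in the first line together with an empty second line is the pattern a chkproc false positive leaves; a non-empty second line that survives a re-run is what warrants comparing against the unhide result.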
Leonardo Vilela Pinheiro wrote:
It is a Centos 4.4 box.
On 12/22/06, Lorenzo Martínez Rodríguez Lawwait@yahoo.es wrote:
Compare with the result of this: http://www.security-projects.com/?Unhide and tell us.
Unhide doesn't reveal any hidden processes or TCP ports.
Thanks