One of our boxes got hacked two nights ago. I believe it was an LKM and
chkrootkit agrees also. I suspected that the cracker was using port 443
(https) to access the box since nmap from another box did not show any
suspicious ports. I believe the cracker had used a bindtty.c utility to
get a telnet prompt on tty1 using port 443. chkrootkit shows there was 1
process hidden from the ps command and 1 process hidden from the readdir command.
What tools are available to find out these hidden processes?
I tried to compile knarkfind.c, but it errors out.
Ian or any Linux gurus out there?
-- Kai Lien

Fortune Cookie of the Day: I have often regretted my speech, never my silence. -- Publilius Syrus
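The "hidden from readdir" check that chkrootkit reports can be reproduced by hand: list /proc the way ps does, then ask for every /proc/<pid> by name up to pid_max, and report any PID that answers a direct lookup but never appears in the listing. The script below is an added example written for this reply, not part of chkrootkit or knarkfind; it assumes a Linux /proc and will not see a process if the rootkit also hooks stat/open on /proc paths, which is why it is a cross-check rather than a proof of a clean box.

```python
"""Cross-check /proc for PIDs a kernel-level rootkit hides from readdir."""
import os

PID_MAX_FALLBACK = 32768  # classic default when /proc/sys/kernel/pid_max is unreadable


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound for the brute-force probe; fall back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def pids_from_readdir(proc="/proc"):
    """PIDs exactly as the directory listing reports them (what ps relies on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_probe(proc="/proc", pid_max=None):
    """PIDs found by opening /proc/<pid>/status by name, bypassing readdir."""
    limit = pid_max if pid_max is not None else read_pid_max()
    return {pid for pid in range(1, limit + 1)
            if os.path.exists(os.path.join(proc, str(pid), "status"))}


def hidden_pids(listed, probed):
    """PIDs that answer a direct lookup but are absent from the listing."""
    return sorted(probed - listed)


def find_hidden(proc="/proc"):
    """Full scan with a guard against short-lived processes.

    A process that starts or exits between the listing and the probe would
    show up as a false positive, so the listing is taken before and after
    the probe and a candidate must be missing from both, and still exist.
    """
    before = pids_from_readdir(proc)
    probed = pids_from_probe(proc)
    after = pids_from_readdir(proc)
    candidates = hidden_pids(before | after, probed)
    return [pid for pid in candidates
            if os.path.exists(os.path.join(proc, str(pid), "status"))]


if __name__ == "__main__":
    for pid in find_hidden():
        print(f"PID {pid} exists but is hidden from readdir on /proc")
```

Run it as root so every /proc/<pid>/status is readable; an empty result means readdir and direct lookup agree, not that the kernel is trustworthy.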
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:52:19 EDT