Re: [SLUG] LKM rootkits

From: Ian C. Blenke (icblenke@nks.net)
Date: Wed Feb 26 2003 - 15:48:31 EST


On Wednesday 26 February 2003 15:36, Kai Lien wrote:
> One of our boxes got hacked two nights ago. I believe it was LKM and
> chkrootkit agrees also. I suspected that the cracker was using port 443
> (https) to access the box since nmap from another box did not show any
> suspicious ports. I believe the cracker had used a bindtty.c utility to
> get a telnet prompt on tty1 using port 443. chkrootkit shows there was 1
> process hidden from the ps command and 1 process hidden from the readdir command.
>
> What tools are available to find out these hidden processes?
>
> I tried to compile knarkfind.c, but it errors out.
>
> Ian or any linux gurus out there?

Once you find that you've been rootkitted, rebuild your box. You can no longer
trust anything on that install. It's that simple, really.

Alternatively, if you *had* been using a tripwire system like Integrit and
have the "known good" list of file hashes before you were owned, it might be
possible to check what files have been changed and with some care you might
be able to trust that box again. But I wouldn't.

Seriously, rebuild that box.

-- 
- Ian C. Blenke <icblenke@nks.net>

(This message bound by the following: http://www.nks.net/email_disclaimer.html)
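The "hidden from ps / hidden from readdir" finding in the question comes from cross-checking two views of the process table. The script below is an added illustration of that check, not code from this thread or from chkrootkit: it assumes a Linux box with a normal /proc, and it compares what readdir() on /proc lists against a kill(pid, 0) probe of every PID up to pid_max, which a readdir-filtering rootkit often forgets to hook. As Ian says, a hit here tells you what is hidden, not that the box can be trusted.

```python
import os

def pids_from_readdir(proc="/proc"):
    """PIDs the way ls/ps see them: numeric entries returned by readdir() on /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_exists_via_kill(pid):
    """Signal 0 delivers nothing but still makes the kernel say whether the PID exists.
    EPERM means it exists and belongs to someone else; ESRCH means it does not exist."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True

def is_thread(pid, proc="/proc"):
    """Thread IDs have a /proc/<tid> that readdir never lists; they are not hidden
    processes. Tgid != Pid in /proc/<tid>/status identifies them. If status is
    unreadable, assume a real process so it is still reported."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def find_hidden_pids(visible, exists, is_thread_fn, max_pid):
    """PIDs the probe confirms but readdir did not list (pure function, testable offline)."""
    return {pid for pid in range(1, max_pid + 1)
            if pid not in visible and exists(pid) and not is_thread_fn(pid)}

def scan_proc(proc="/proc"):
    """Run the check against the live box. Snapshots readdir before and after the
    sweep so a process that merely started mid-scan is not reported as hidden."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    except OSError:
        max_pid = 32768  # assumed fallback when pid_max is unreadable
    before = pids_from_readdir(proc)
    suspects = find_hidden_pids(before, pid_exists_via_kill,
                                lambda pid: is_thread(pid, proc), max_pid)
    return suspects - pids_from_readdir(proc)

if __name__ == "__main__":
    print("PIDs hidden from readdir:", sorted(scan_proc()))
```

Run it from a clean, statically built Python on a trusted medium if you can; an LKM that hooks the syscalls themselves (rather than just readdir) can lie to this check too.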



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:52:23 EDT