
#1 2003-11-03 21:40:48

jlvsimoes
Member
From: portugal
Registered: 2002-12-23
Posts: 392

lkm trojan

What do you know about this type of trojan?
I got some hidden processes on ps and most probably I'm infected. I searched a little for default patterns of the trojan and I see none, but that does not mean I'm not infected.
Question 1: can chkrootkit give a false alarm for an lkm trojan?
Question 2: will it ever be possible to remove this bastard out of here?


-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GU/ d- s: a- C L U P+ L+++ E--- W+
N 0+ K- W-- !O !M V-- PS+ PE- V++ PGP T 5 Z+ R* TV+ B+
DI-- D- G-- e-- h! r++ z+ z*
------END GEEK CODE BLOCK------


#2 2003-11-03 21:53:18

terrapin
Member
From: Lockport, IL
Registered: 2003-08-06
Posts: 104

Re: lkm trojan

I also had reports that I had that trojan after running chkrootkit.  I haven't done anything with that machine besides turning it off but I am curious to know what others have to say.


#3 2003-11-03 22:45:26

sarah31
Member
From: Middle of Canada
Registered: 2002-08-20
Posts: 2,975

Re: lkm trojan

I don't know what package it is that creates them, but there are four empty processes created that raise the flag in chkrootkit. If I remember correctly, the message you get is a warning and nothing else.


AKA uknowme

I am not your friend


#4 2003-11-03 23:19:44

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: lkm trojan

That's exactly what it is, a warning.

I'm pretty sure they're kernel processes ('cause they have a 'k' at the beginning of them). If you do a 'ps ax' you'll notice four of them have 0's as the PIDs, which is definitely not correct. This is what chkrootkit is noticing (because it's looking for the PIDs listed in /proc).


I have discovered that all of man's unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
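Xentac's explanation above (PIDs present in /proc compared against what ps prints), written out as an added Python example for this thread; it is not chkrootkit's own code. The `ps ax` sample is constructed to mirror what he describes, four kernel threads shown with PID 0, and the function names are my own.

```python
# Added example (not chkrootkit's code): the core of a chkproc-style
# "hidden process" check. It lists PIDs seen in /proc, lists PIDs as
# printed by `ps ax`, and reports anything /proc has that ps did not show.
import os
import subprocess

# Constructed `ps ax` output (not captured from any real host), mirroring
# the thread: four kernel threads printed with PID 0.
PS_SAMPLE = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [3]
    0 ?        SW     0:00 [keventd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:00 [kswapd]
    0 ?        SW     0:00 [bdflush]
  512 ?        S      0:00 /usr/sbin/sshd
"""

def parse_ps_pids(text):
    """PIDs in `ps ax` output, header skipped, order and duplicates kept."""
    pids = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.append(int(fields[0]))
    return pids

def proc_pids():
    """PIDs visible as numeric directory names under /proc on this host."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def compare(proc, ps_pids):
    """Return (unmatched, zero_entries): PIDs present in /proc that ps never
    listed (what the check would flag), and how many ps lines carried PID 0.
    When the two numbers agree, the "hidden" PIDs are just kernel threads
    whose real PID ps did not print, not a rootkit."""
    seen = set(ps_pids)
    return sorted(p for p in proc if p not in seen), ps_pids.count(0)

def live_check():
    """Run the comparison on the current host. ps runs first; a PID that is
    gone from /proc by the time we re-check merely exited in between."""
    out = subprocess.run(["ps", "ax"], capture_output=True, text=True, check=True).stdout
    unmatched, zeros = compare(proc_pids(), parse_ps_pids(out))
    return [p for p in unmatched if os.path.isdir(f"/proc/{p}")], zeros

if __name__ == "__main__":
    hidden, zeros = live_check()
    print(f"{len(hidden)} PID(s) in /proc not shown by ps; {zeros} ps lines with PID 0")
```

On a current kernel `ps ax` prints real PIDs for kernel threads, so the zero count should be 0; an unmatched PID that is still there on a second run is worth a closer look.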


#5 2003-11-04 00:34:41

terrapin
Member
From: Lockport, IL
Registered: 2003-08-06
Posts: 104

Re: lkm trojan

I was able to compare my system files with a known secure system and everything checked out.  I was also able to run chkrootkit after a reboot and everything checked out again.  Glad to hear that both Sarah and Xentac had heard about it and I feel comfortable knowing that my system is still secure.


#6 2003-11-04 02:11:03

jlvsimoes
Member
From: portugal
Registered: 2002-12-23
Posts: 392

Re: lkm trojan

Yes, yes, never trusting. And I'm puzzled: I've got from 9 to 11 processes hidden from ps, but ps itself is not infected.




#7 2003-11-04 02:24:34

jlvsimoes
Member
From: portugal
Registered: 2002-12-23
Posts: 392

Re: lkm trojan

And now for something really freaky:
su - jlvsimoes
Unable to cd to "/home/jlvsimoes"
su jlvsimoes
Cannot execute /bin/bash: Permission denied
" permission denied ??? for god im root ... "

login
routty login: jlvsimoes

Password: ........
routty login: jlvsimoes
Password:
Last login: Tue Nov  4 02:13:15 2003 on vc/3
Unable to cd to "/home/jlvsimoes
la /bin/bash
-rwxr-xr-x    1 0        100          673K Nov  4 00:41 /bin/bash
"im traped on root ...... "




#8 2003-11-04 03:08:16

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: lkm trojan

Check for /home/jlvsimoes... does it exist?  It's not root who's trying to execute /bin/bash, it's jlvsimoes (even then, the permissions don't seem to be the problem...).




#9 2003-11-04 03:10:19

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797

Re: lkm trojan

terrapin wrote:

Glad to hear that both Sarah and Xentac had heard about it and I feel comfortable knowing that my system is still secure.

Heard about it? I ran into it... not only that... but I researched it to figure out what it meant!




#10 2003-11-08 12:19:09

zen_guerrilla
Member
From: Greece
Registered: 2002-12-22
Posts: 259

Re: lkm trojan

terrapin wrote:

I also had reports that I had that trojan after running chkrootkit.

Chkrootkit has a bug. I get the same problem on my debian sid boxes. For more info check http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278.

