What do you know about this type of trojan?
I've got some hidden processes in ps and most probably I'm infected. I searched a little for the default patterns of the trojan and I see none, but that does not mean I'm not infected.
Question 1: can chkrootkit give a false alarm for an LKM trojan?
Question 2: will it ever be possible to remove this bastard from here?
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GU/ d- s: a- C L U P+ L+++ E--- W+
N 0+ K- W-- !O !M V-- PS+ PE- V++ PGP T 5 Z+ R* TV+ B+
DI-- D- G-- e-- h! r++ z+ z*
------END GEEK CODE BLOCK------
I also had reports that I had that trojan after running chkrootkit. I haven't done anything with that machine besides turning it off but I am curious to know what others have to say.
I don't know what package it is that creates them, but there are four empty processes created that raise the flag in chkrootkit. If I remember correctly, the message you get is a warning and nothing else.
AKA uknowme
I am not your friend
That's exactly what it is, a warning.
I'm pretty sure they're kernel processes (because they have a 'k' at the beginning of them). If you do a 'ps ax' you'll notice four of them have 0's as the PIDs, which is definitely not correct. This is what chkrootkit is noticing (because it's looking for the PIDs listed in /proc).
I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal
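The comparison described in the post above, as an added example that is not part of the thread and is not chkrootkit's own code: a small re-implementation of what chkrootkit's chkproc does (PIDs present in /proc versus PIDs that ps reports), including the kernel-thread artefact where `ps ax` prints several threads with PID 0, so they cannot be matched against their /proc entries and get counted as "hidden". The ps output and the /proc view are constructed sample data, and the path /tmp/hidden-example is hypothetical.

```python
"""Added example: chkproc-style hidden-process check with the PID-0 caveat.
Not code from the forum thread or from the chkrootkit project."""
import os
import subprocess

# Constructed sample `ps ax` output (not captured from any real host).
# Four kernel threads report PID 0, as the post describes.
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [3]
    0 ?        SW     0:00 [keventd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:00 [kswapd]
    0 ?        SW     0:00 [bdflush]
  312 ?        S      0:00 /usr/sbin/sshd
  420 vc/3     S      0:00 -bash
"""

# Constructed view of /proc: pid -> contents of /proc/<pid>/cmdline.
# Kernel threads have an empty cmdline. PID 666 is a process that /proc
# knows about but ps does not show: the case chkproc is meant to catch.
SAMPLE_PROC = {
    1: "init [3]",
    2: "", 3: "", 4: "", 5: "",
    312: "/usr/sbin/sshd",
    420: "-bash",
    666: "/tmp/hidden-example",   # hypothetical path, for the demo only
}


def parse_ps(ps_output):
    """Return (set of PIDs ps reported, number of lines that claimed PID 0)."""
    pids, zero_lines = set(), 0
    for line in ps_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue
        pid = int(fields[0])
        if pid == 0:
            zero_lines += 1
        else:
            pids.add(pid)
    return pids, zero_lines


def compare(ps_output, proc_view):
    """chkproc-style comparison of /proc against ps.

    Everything in /proc that ps did not list is 'hidden'. Entries with an
    empty cmdline are kernel threads; when ps also printed PID-0 lines for
    them, that is the benign mismatch discussed in the thread. Anything
    with a real command line that ps does not show deserves a real look.
    """
    ps_pids, zero_lines = parse_ps(ps_output)
    hidden = sorted(set(proc_view) - ps_pids)
    kernel_threads = [p for p in hidden if proc_view[p] == ""]
    suspicious = [p for p in hidden if proc_view[p] != ""]
    return {
        "kernel_threads": kernel_threads,
        "ps_pid0_lines": zero_lines,
        "benign_mismatch": zero_lines > 0 and len(kernel_threads) <= zero_lines,
        "suspicious": suspicious,
    }


def read_live_proc():
    """Real /proc view on a Linux host: pid -> cmdline (NULs turned to spaces)."""
    view = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue        # process exited between listdir and open
        view[int(entry)] = raw.replace(b"\0", b" ").strip().decode(errors="replace")
    return view


if __name__ == "__main__":
    # Live run: ps and the /proc listing are taken moments apart, so a
    # process that starts or exits in between shows up as a spurious entry.
    live_ps = subprocess.run(["ps", "ax"], capture_output=True,
                             text=True, check=True).stdout
    print(compare(live_ps, read_live_proc()))
```

On the sample data the four kernel threads land in `kernel_threads` and are explained by the four PID-0 lines, while PID 666 is the only genuinely unexplained entry. A listing-based check like this, and chkproc's equivalent, only sees what /proc itself exposes; an LKM that hooks the directory listing hides from both, which is why chkproc additionally probes PIDs directly with `kill(pid, 0)` rather than trusting /proc alone.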
I was able to compare my system files with a known secure system and everything checked out. I was also able to run chkrootkit after a reboot and everything checked out again. Glad to hear that both Sarah and Xentac had heard about it and I feel comfortable knowing that my system is still secure.
Yes, yes, never trusting, and I'm puzzled: I've got from 9 to 11 processes hidden from ps, but ps itself is not infected.
And now for something really freaky:
su - jlvsimoes
Unable to cd to "/home/jlvsimoes"
su jlvsimoes
Cannot execute /bin/bash: Permission denied
"Permission denied??? For God's sake, I'm root..."
login
routty login: jlvsimoes
Password: ........
routty login: jlvsimoes
Password:
Last login: Tue Nov 4 02:13:15 2003 on vc/3
Unable to cd to "/home/jlvsimoes"
la /bin/bash
-rwxr-xr-x 1 0 100 673K Nov 4 00:41 /bin/bash
"I'm trapped as root......"
Check for /home/jlvsimoes... does it exist? It's not root who's trying to execute /bin/bash, it's jlvsimoes (even then, the permissions don't seem to be the problem...).
Glad to hear that both Sarah and Xentac had heard about it and I feel comfortable knowing that my system is still secure.
Heard about it? I ran into it... not only that... but I researched it to figure out what it meant!
I also had reports that I had that trojan after running chkrootkit.
Chkrootkit has a bug. I get the same problem on my Debian sid boxes. For more info check http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278.