[lug] advice on possible rootkit
pjr at ucar.edu
Thu Mar 25 19:54:07 MST 2004
I could use some advice about a possible root kit installed on a
machine I own. The machine sits behind some serious firewalls, but
our institution had some serious compromises in its security. There
have been a few odd things taking place on the machine the last couple
of days and I am being paranoid.
Today I ran chkrootkit (version 0.40) on the machine. I got a diagnosis
of "possible LKM trojan installed".
chkrootkit -x lkm
has the following output:
###
### Output of: /usr/lib/chkrootkit/chkproc -v -v
###
PID 15: not in readdir output
PID 15: not in ps output
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Repeating the command always indicates PID 15 is the problem.
I went into /proc/15 and looked at cmdline.
It shows /sbin/init^@nomce^@
From grubbing around on the web, nomce is a string usually included in
an append line of a bootloader configuration. In my case the string actually
occurs on the append line of my /etc/lilo.conf file. The append
string was automatically built during the install (e.g. I didn't add it
myself).
I shut the machine down to think about things for a while. Can any of
you suggest how I figure out what is going on, and whether I need to
worry? Apparently there are legitimate machine configurations where
chkrootkit is going to issue messages about an LKM root kit (like on a
multi-CPU machine running threading).
In this case, the machine is running a 2.4.24 kernel I built. It is a
Debian install I initially performed from a KNOPPIX CD-ROM. Threading
is enabled in the kernel.
Can anybody offer me some advice?
Thanks
Phil
--
Phil Rasch, Climate Modeling Section, National Center for Atmospheric Research
Mail --> P.O. Box 3000, Boulder CO 80307
Shipping --> 1850 Table Mesa Dr, Boulder, CO 80305
email: pjr at ucar.edu, Web: http://www.cgd.ucar.edu/cms/pjr
Phone: 303-497-1368, FAX: 303-497-1324
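The cross-check chkrootkit's chkproc performs in the output above, reconstructed as an added example (this is not code from the post or from chkrootkit): it decodes the NUL-separated /proc/<pid>/cmdline (the ^@ characters in the cat output are those NULs), flags PIDs that answer on /proc but are missing from the directory listing or from ps, and takes several snapshots so a process that merely exited between views is not reported. The probe range (max_pid) and the ps invocation are assumptions for a Linux host.

```python
import os
import subprocess
from typing import Dict, Iterable, List, Set, Tuple

def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is argv joined by NUL bytes with a trailing NUL;
    cat renders each NUL as ^@, hence '/sbin/init^@nomce^@' in the post."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]

def hidden_pids(probed: Iterable[int], readdir_pids: Iterable[int],
                ps_pids: Iterable[int]) -> Dict[int, List[str]]:
    """chkproc's rule: a PID that answers when /proc/<pid> is probed directly
    but is absent from the /proc directory listing or from ps is 'hidden'.
    Returns {pid: [views it is missing from]}."""
    rd, ps = set(readdir_pids), set(ps_pids)
    result: Dict[int, List[str]] = {}
    for pid in sorted(set(probed)):
        missing = [name for name, seen in (("readdir", rd), ("ps", ps)) if pid not in seen]
        if missing:
            result[pid] = missing
    return result

def stable_hidden(snapshots: List[Tuple[Set[int], Set[int], Set[int]]]) -> Dict[int, List[str]]:
    """Report only PIDs flagged in every snapshot: a process that exits between
    the probe and the listing is flagged once and is noise, not a rootkit."""
    per_snapshot = [hidden_pids(*snap) for snap in snapshots]
    if not per_snapshot:
        return {}
    common = set.intersection(*(set(r) for r in per_snapshot))
    return {pid: per_snapshot[-1][pid] for pid in sorted(common)}

def live_snapshot(max_pid: int = 32768) -> Tuple[Set[int], Set[int], Set[int]]:
    """The three views on a live Linux host (assumed pid range; unused by the tests)."""
    probed = {p for p in range(1, max_pid + 1) if os.path.isdir(f"/proc/{p}")}
    readdir = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_out = subprocess.check_output(["ps", "-eo", "pid="], text=True)
    return probed, readdir, {int(tok) for tok in ps_out.split()}

if __name__ == "__main__":
    # Three passes reduce false positives from short-lived processes.
    for pid, views in stable_hidden([live_snapshot() for _ in range(3)]).items():
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            argv = []
        print(f"PID {pid}: not in {', '.join(views)} output; cmdline={argv}")
```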