On Thursday 09 September 2004 07:21, Jason Rusch wrote:
> Sorry if this is not the correct forum,
Boot with a CD rescue disk, mount the suspect / and
ls -alR /{mount point}/lib
Compare what you see to the same listing (ls -alR /lib)
in normal running and IF you see some nasty goodies,
congratulations; you are owned.
No scanner or intrusion detector known (by me) can find it. You have
to look first hand using a clean (rescue) running system.
MM
>
> Curious: a day or so after an up2date on a Fedora 2 system, I noticed very
> sluggish behavior. After checking obvious things such as netstat, du,
> nmaping it from another machine and checking ps commands thoroughly, I found
> nothing abnormal. I then moved on to running a few rootkit scanners; all
> showed clean (for what it's worth, of course). I used both the tarball and
> rpm chkrootkit and scanned my machine with both.
>
> The strange part is that the one run from source showed everything to
> be ok, while the rpm showed 23-35 hidden processes, possible LKM rootkit
> installed. Now, after running the cmd " /usr/lib/chkrootkit-0.43/chkproc -v"
> I found the processes within /proc and checked the status/info on all.
> They were all sleeping processes from applications I run all the time
> (evolution, mozilla, nautilus). I booted the machine in init3, without
> X, and I didn't have this problem.
>
> The machine normally boots in init5; now if I start X then the problem
> arises. Now I don't know if this is the right forum, but I would not think
> that I am rooted (optimistically said) and this is some weird issue from
> an update. One more note: all the hidden processes were owned and run under
> my user account. Any input from anyone would be great, and no, I didn't get
> Tripwire installed or record an MD5sum record ooopps
>
> Anyway, just a day or so ago I read somewhere there may be a latency time
> difference between the threads that are running and the chkrootkit detection, thus
> causing the discrepancy?