Results 1 to 4 of 4

Thread: Possible root kit

  1. #1

    Possible root kit

    I was just running my rootkit checker like i usually do, and this came up:

    Checking `lkm'... You have 12 process hidden for ps command
    Warning: Possible LKM Trojan installed

    Ive run it a few times now, and the number of processes change, ive also had 5 and 9
    So, how do i work out exactly what it is and how do i get rid of it?

    Redhat 8.0, kernel 2.4.18-14


  2. #2

    Re:Possible root kit

    its ok, i upgraded to the latest version of chkrootkit ( and all is well. it appeared to be somehting to do with the tools psyche was compiled with

  3. #3

    Re:Possible root kit

    Quote Originally Posted by alastair
    kernel 2.4.18-14
    Why are you running a kernel that has been updated for security reasons? ???

    Jim H

  4. #4

    Re:Possible root kit

    If you're worried at all about LKM rootkits you could always disable LKM support, the next time you compile a kernel. Having drivers built into the kernel is faster anyway.

    As long as all your hardware is supported during the kernel configuration it won't be a problem. If there ever comes a time that you get something unsupported, you can recompile.

    I'm going to be writing a kernel module that detects when kernel modules are inserted, and emails me. (or something similar). This way, even if someone inserts a hidden LKM, I'll know it was inserted. Fun fun.

    chkrootkit isn't the most reliable program for rootkits either. (although it's still good to run on a regular basis) Considering there are a fair amount of people out there that are constantly building custom rootkits, I wouldn't rely on chkrootkit to find them all, especially since, afaik, it uses signatures from mostly public rootkits only.

    Your best bet is to implement some inbetween (like the LKM I want to write), or an IDS.

Similar Threads

  1. Running as Root
    By vvx in forum Linux - Software, Applications & Programming
    Replies: 10
    Last Post: 02-15-2004, 11:03 PM
  2. Athene & root
    By mojo jojo in forum Linux - Software, Applications & Programming
    Replies: 2
    Last Post: 09-20-2003, 10:48 PM
  3. How do I log in as root?
    By dragon5 in forum Suse
    Replies: 7
    Last Post: 09-02-2002, 07:49 AM
  4. How to open GUI app. as root?
    By Phaete in forum Linux - Software, Applications & Programming
    Replies: 9
    Last Post: 07-20-2002, 05:44 PM
  5. Root vs su?
    By LearninLinux in forum Linux - General Topics
    Replies: 6
    Last Post: 05-03-2002, 11:36 AM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts