
Re: LKM Trojan installed

From: Systems Administrator <sysadmin(at)sunet.com.au>
Date: Sun Feb 09 2003 - 17:54:08 EST

> On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
> filters certain processes from your viewing.

    If it's an LKM trojan, they wouldn't show up in /proc, would they?

> notice extra PIDs (which you will quickly notice if you in fact have 69 hidden
> processes), then you should enter their corresponding directories and analyze
> the information within, to see if the process is malicious.
> one which isn't backdoored. Only problem with this is, once it is on your
> how easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could to do.

    The theory on this is that you need to boot off a clean filesystem (cf. Knoppix), and then use the clean boot to analyse the filesystems on the compromised box. I don't know enough to help you with analysis, though.

    Thanks,

Tim Nelson
Systems Administrator
Sunet Internet

Tel:  +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/

Email: sysadmin@sunet.com.au

Received on Tue Feb 11 11:17:55 2003
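The cross-check the quoted poster describes (walk the numeric entries of /proc and compare them with what ps reports) written out as an added Python example; this is not code from the thread or from either poster. The kill(pid, 0) probe is an extra view the thread does not mention, and the reply's objection still applies: a kernel-resident (LKM) rootkit controls all three views, so only analysis from clean boot media is authoritative.

```python
import os
import subprocess
from typing import Dict, Set

def discrepancies(views: Dict[str, Set[int]]) -> Dict[int, Dict[str, bool]]:
    """Return {pid: {view: seen}} for every PID that some view fails to show."""
    report = {}
    for pid in sorted(set().union(*views.values())):
        seen = {name: pid in pids for name, pids in views.items()}
        if not all(seen.values()):
            report[pid] = seen
    return report

def proc_pids() -> Set[int]:
    """PIDs visible when listing /proc (the walk the quoted poster suggests)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def ps_pids() -> Set[int]:
    """PIDs reported by ps; empty if ps cannot be run (that view is then skipped)."""
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return {int(tok) for tok in out.split()}

def probe_pids(max_pid: int) -> Set[int]:
    """PIDs that answer kill(pid, 0); EPERM still means the process exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        # Thread IDs answer kill() too: drop IDs whose Tgid is another process; keep an unreadable status (suspicious).
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next((int(line.split()[1]) for line in f if line.startswith("Tgid:")), pid)
        except OSError:
            tgid = pid
        if tgid == pid:
            found.add(pid)
    return found

def report_live() -> Dict[int, Dict[str, bool]]:
    """Collect the three views from the running host and compare them."""
    with open("/proc/sys/kernel/pid_max") as f:
        views = {"/proc": proc_pids(), "ps": ps_pids(), "kill(0)": probe_pids(int(f.read()))}
    return discrepancies({k: v for k, v in views.items() if v})  # an empty view is skipped
```

Run report_live() as root on the suspect host (the probe walks the whole PID range, so it takes a few seconds); any PID missing from one view but present in another is a candidate for a closer look at its /proc entry.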

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:19 EDT
