Hosting Provided By

RE: chkrootkit and LKM?

From: Rob Shein <shoten(at)starpower.net>
Date: Wed Jun 18 2003 - 03:47:44 EDT

This won't help if it's an LKM...LKM stands for "Linux Kernel Module," which means that it's not those binaries that are modified. Instead, an evil kernel module has probably been loaded, which provides bogus information (as well as backdoor access), but in a totally different way. An LKM rootkit is a bit trickier to find, as standard operating procedures (known good versions of ps, netstat, etc) don't work.

> -----Original Message-----
> From: Tim Greer [mailto:chatmaster@charter.net]
> Sent: Monday, June 16, 2003 10:34 PM
> To: Janus N. Tøndering; incidents@securityfocus.com
> Subject: Re: chkrootkit and LKM?
>
>
> Get a clean install/binary of top, ps, netstat, etc. and

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

Received on Wed Jun 18 11:47:24 2003

This message: [ Message body ]
Next message: Taylor, David: "RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log f ile...)"
Previous message: Jim Butterworth: "RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"
In reply to Tim Greer: "Re: chkrootkit and LKM?"
Next in thread: Tim Greer: "Re: chkrootkit and LKM?"
Reply: Tim Greer: "Re: chkrootkit and LKM?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:09 EDT