You can try booting your server with knoppix ( http://www.knoppix.org ), and look for hidden files.
If possible, do not allow Loadable module support, maybe this can avoid future problems with lkm.
I am not sure if building a new kernel works. But if you have good results with that, tell me.

Sorry about the poor English.

[]'s

> On Monday 16 June 2003 10:59, Janus N. wrote:
>> I am using RHL9 as my workstation. A few days ago I downloaded chkrootkit
>> and it consistently gives the same output (>20 hidden processes) when
>> checking for LKM rootkit:
>>
>> Checking `lkm'... You have 38 process hidden for readdir command
>> Warning: Possible LKM Trojan installed
>>
>> This is even after reboots. How can I check if this is actually the work
>> of the LKM? Or any other rootkit for that matter?
>
> What does "chkrootkit -x lkm" return? If anything...
>
> If it shows PIDs you'll want to hunt through /proc manually for those
> processes.
>
> Cheers, -Ali
>
> --
> OpenPGP Key: 030E44E6
> --
> Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
> --
> War is evil, but it is often the lesser evil. -- George Orwell
> --

Blade Runner - Squirrel Mail Linux Powered
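Added example, not part of the original thread and not chkrootkit's own code: one way to do the manual /proc hunt suggested above is to compare the PIDs that a directory listing of /proc returns with the PIDs that answer a direct lookup of /proc/<pid>/status. It assumes a Linux /proc whose status files carry a "Tgid:" line, and it skips thread IDs, which are reachable by path but never appear in the listing.

```python
#!/usr/bin/env python3
"""Cross-check /proc: PIDs listed by readdir() vs. PIDs reachable by direct lookup."""
import os

def listed_pids(proc="/proc"):
    """PIDs the kernel returns when /proc is listed (what ps and ls see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def read_tgid(pid, proc="/proc"):
    """Thread-group ID from /proc/<pid>/status, or None if the lookup fails."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return None

def hidden_pids(listed, max_pid, proc="/proc"):
    """PIDs that answer a direct lookup but are absent from the listing."""
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        tgid = read_tgid(pid, proc)
        if tgid is None:      # no such process, or it already exited
            continue
        if tgid != pid:       # thread ID: reachable by path, never listed
            continue
        hidden.append(pid)
    return hidden

def pid_max(default=32768):
    """Upper bound for the scan; falls back to the classic default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default

if __name__ == "__main__":
    before = listed_pids()
    suspects = hidden_pids(before, pid_max())
    # A process started after the first listing is not hidden: list again and drop it.
    suspects = [p for p in suspects if p not in listed_pids()]
    for pid in suspects:
        print("not listed by readdir but reachable: /proc/%d" % pid)
    print("%d unlisted PID(s)" % len(suspects))
```

Run it as root so every status file is readable. A module that also filters direct lookups will not show up this way, so a clean result here does not replace inspecting the disk from a trusted boot medium such as Knoppix.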
This archive was generated by hypermail 2b30 : Tue Jun 17 2003 - 18:40:03 PDT