On Fri, Apr 07, 2006 at 05:20:24PM +0200, Brent Clark wrote:
> Csanyi Pal wrote:
> >
> >Tiger automatic auditor at debian-csp citation:
> >--------------->
> ># Running chkrootkit (/usr/sbin/chkrootkit) to perform further
> >checks...
> >NEW: --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit
> >+installation
> >NEW: Warning: Possible LKM Trojan installed
> >---------------<
> >
> >What can I do now to check whether the LKM Trojan is truly installed?
>
> Is this a webserver, if so, look in the /var/tmp and tmp look for binaries /
> tar.gz files etc (anything that looks out the ordinary).
> Generally the user and group of the file will be of the webserver.

On this machine I installed apache 1.3.33. I looked in the /var/tmp and tmp
for binaries that look out of the ordinary, but found nothing.

> And if this machine is 24/7 on the net.

No, it isn't 24/7 on the net.

> May I suggest whatever plans you had for the weekend, cancel them and take
> that machine off the net.
>
> Better start tightening your services up etc.
>
> For apache (don't forget to tighten the conf) use nikto to help to scan test
> vulnerabilities.

I have now installed nikto. I ran nikto and got some messages but nothing serious.

> For ssh, maybe add a line in the conf file like AllowUsers for a start.
>
> Oh and check your logs.

Found nothing serious.

> Other than that best of luck.

Thanks!

> HTH
>
> Kind Regards
> Brent Clark
>
> P.s. It may help to mention what services you are running or what this
> machine is used for.

I use the Window Maker desktop environment on this machine.

--
Regards, Csányi Paul
http://www.ektf.hu/~Csanyi.Pal (Up to now, it is in Hungarian only.)
http://csanyipal.info/moodle <<<--- Moodle - Course Management System
http://csanyipal.info:81 <<<--- sTeam - Cooperative Learning
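
The temp-directory check suggested in the quoted advice above (files under /var/tmp and /tmp that are owned by the web server account and look like binaries or archives), written out as an added example that is not part of the original thread. The account name `www-data` and the function names `classify` and `scan` are assumptions made for illustration.

```python
import os
import pwd
import stat

# Leading bytes that identify file types worth a second look in a temp directory.
MAGIC = {
    b"\x7fELF": "ELF binary",
    b"\x1f\x8b": "gzip archive",
    b"BZh": "bzip2 archive",
    b"#!": "script",
}


def classify(path, mode):
    """Return a reason string if the file looks like a binary, archive or script."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    if mode & 0o111:
        return "executable bit set"
    return None


def scan(dirs, owner_uid):
    """List (path, reason) for regular files under dirs owned by owner_uid."""
    hits = []
    for top in dirs:
        # os.walk also descends into dot-directories, which plain `ls` hides.
        for root, _subdirs, names in os.walk(top, onerror=lambda e: None):
            for name in names:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
                    continue
                reason = classify(path, st.st_mode)
                if reason:
                    hits.append((path, reason))
    return sorted(hits)


if __name__ == "__main__":
    # Assumption: the web server runs as "www-data"; adjust to the local account.
    uid = pwd.getpwnam("www-data").pw_uid
    for path, reason in scan(["/tmp", "/var/tmp"], uid):
        print(f"{reason:20} {path}")
```

An empty result only means nothing matched these file types under that owner; it does not confirm or refute the chkrootkit LKM warning.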