Further to my 4 hidden processes, "ps" finds exactly 4 processes with PID # 0!
See the scriptfile below.
I later found out that "top" numbers these processes as 3,4,5 & 6, same sequence.
The names of the processes
I find this hard to understand:
Do "LKM trojan" and the 0's mean that these 4 are sabotaged Loadable Kernel Modules?
Can I just compare/recopy these?
I do have another healthy Sarge system, both with kernel 2.4.22.
Or will the (LKM) trojan then recopy its own version later?
Or/and does hidden from ps mean that /usr/bin/ps has been doctored? And should I compare/recopy this one? The last process nevertheless claims to be my ps aux command itself. All Cretans lie, said the Cretan ;-).
Or perhaps this is all a rather innocent bug in "ps".
Could the intrusion be that XMMS launched a naughty .mp3? That I downloaded myself.
Even though XMMS does not run as root?
In the meantime I reinstalled one compromised PC, but kept this one for learning,
ran bastille, improved my password habits, turned off WAN ping replies from my router,
am turning off this hardware router when not using internet (24/7 on before),
installed sxid, temporarily tried out some other anti-intrusion packages you all
recommended (thanks) and deinstalled anything "server" that I can do without.
Anyway, since Feb 1 no new (log?)deletion(s). Of which there were several before.
If I need to reinstall I might try out kernel 2.6 first. That even may shake out malignant modules. Two birds with one stone ;-).
Any more advice or comment?
Kind regards, Boudewijn
Script started on za 07 feb 2004 08:08:07 CET
[EMAIL PROTECTED]:~$ su
Password:
[EMAIL PROTECTED]:/home/ijbd# chkrootkit -q
/usr/lib/nessus/plugins/.desc
/usr/lib/nessus/plugins/.desc
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
1 deletion(s) between Sun Feb 1 19:22:59 2004 and Sun Feb 1 20:21:54 2004
[EMAIL PROTECTED]:/home/ijbd# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 76 76 ? S 06:47 0:08 init [5]
root 2 0.0 0.0 0 0 ? SW 06:47 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 06:47 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kswapd]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [bdflush]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 06:47 0:00 [kreiserfsd]
root 71 0.0 0.0 0 0 ? SW 06:48 0:00 [kapmd]
root 75 0.0 0.0 0 0 ? SW 06:48 0:00 [khubd]
root 263 0.0 0.1 1728 752 ? S 06:48 0:00 pump -i eth0
root 265 0.0 0.0 0 0 ? SW 06:48 0:00 [eth0]
daemon 269 0.0 0.1 1708 604 ? S 06:48 0:00 /sbin/portmap
etc, etc,,,,,,,,,,
root 7286 0.0 0.1 2472 820 pts/1 R 08:09 0:00 ps aux
[EMAIL PROTECTED]:/home/ijbd# exit
[EMAIL PROTECTED]:~$
Script done on za 07 feb 2004 08:09:12 CET
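To illustrate how a "process hidden for ps" count of exactly 4 can come out of the output above, here is an added example (not chkrootkit's code and not from the poster) of the kind of cross-check such tools do: compare the PIDs the kernel exposes under /proc with the PID column that ps prints. The ps sample is copied from the post; the /proc PID set is a constructed stand-in for that machine, assuming the four kernel threads ps shows as PID 0 really hold PIDs 3 to 6 as top reported.

```python
from typing import Dict, List, Set

# Constructed sample: the relevant lines of the `ps aux` output quoted in
# the post. Four kernel threads are displayed with PID 0, which is the oddity.
PS_AUX_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.1 0.0 76 76 ? S 06:47 0:08 init [5]
root 2 0.0 0.0 0 0 ? SW 06:47 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 06:47 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kswapd]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [bdflush]
root 0 0.0 0.0 0 0 ? SW 06:47 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 06:47 0:00 [kreiserfsd]
root 71 0.0 0.0 0 0 ? SW 06:48 0:00 [kapmd]
root 7286 0.0 0.1 2472 820 pts/1 R 08:09 0:00 ps aux
"""

# Constructed stand-in for the numeric entries of /proc on that box (assumed
# PIDs 3-6 for the four kernel threads, as top numbered them). A rootkit that
# hides a process only from ps would still leave its PID here.
PROC_PIDS_SAMPLE: Set[int] = {1, 2, 3, 4, 5, 6, 8, 71, 7286}


def parse_ps_pids(ps_output: str) -> Dict[int, List[str]]:
    """Map each PID printed by ps to the command names shown for it."""
    seen: Dict[int, List[str]] = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 10)  # COMMAND may contain spaces
        if len(fields) < 11:
            continue
        seen.setdefault(int(fields[1]), []).append(fields[10])
    return seen


def hidden_from_ps(proc_pids: Set[int], ps_output: str) -> List[int]:
    """PIDs present in /proc but absent from the PID column of ps.

    A kernel thread printed with PID 0 never matches its /proc entry, so a
    chkproc-style comparison counts it as hidden even though it is listed."""
    return sorted(proc_pids - set(parse_ps_pids(ps_output)))


def pid_zero_entries(ps_output: str) -> List[str]:
    """Commands that ps displayed with PID 0, which is never a real process."""
    return parse_ps_pids(ps_output).get(0, [])
```

If the number of PID 0 lines equals the number of "hidden" PIDs and those PIDs belong to kernel threads, the mismatch is a display problem rather than proof of an LKM rootkit; a process missing from both ps and /proc is the case this comparison cannot see.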