Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
Post subject: panic time!
Posted: Sat Feb 03, 2007 11:11 pm
Forum Regular
Joined: Sun Jun 04, 2006 10:03 am
Posts: 122
WTH! chkrootkit in today's email brings out this:

Checking `lkm'... You have 1 process hidden for readdir command
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

I panicked and ran it again from the shell (brings nothing).
I went to the other version I have stashed on the box somewhere and this is the output:
PID 18587(/proc/18587): not in readdir output
PID 18587: not in ps output
CWD 18587:
EXE 18587:
PID 28938(/proc/28938): not in readdir output
PID 28938: not in ps output
CWD 28938: /usr/X11R6/man/man4
EXE 28938: /bin/bash
You have 2 process hidden for readdir command
You have 2 process hidden for ps command

Sometimes the hidden processes will be 1 or 2; the processes I saw were zcat, iconv, gawk and of course bash.

rkhunter did not bring out any warnings.
netstat had nothing to show.
I strobed the box from home and it showed no ports open other than the usual.
eth0 is not in promisc mode and I am going crazy.

logwatch showed this also
Feb 4 04:05:55 www userhelper[7493]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'

The net admin I called in the data center said that there is no extensive activity on the network and that the IDS did not pick up anything suspicious.

11bb5675a525a4675ae8d6e4f8365483 /bin/bash
GNU bash, version 3.00.15(1)-release (i686-redhat-linux-gnu)

be8db83707c12f42d4b3f4efd74656be /bin/ps
procps version 3.2.3

I don't know what else to provide!

AM I OWNED OR NOT??
HELP!

System: Centos 4.x current
plesk 8.0.1 latest
ASL kernel patches


Posted: Sun Feb 04, 2007 12:32 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7956
Location: earth
chkrootkit will come up with that hidden process message frequently as a false positive. It has to do with the way certain daemons, like mysql for example, run. So first start by shutting down every service on the system, or if you can get to the local console drop it into runlevel 1. Then run chkrootkit again, to see if you have any hidden processes. If you don't, then start mysql, and run again. If you do, then you've got your culprit.


Posted: Sun Feb 04, 2007 12:47 pm
Forum Regular
Joined: Sun Jun 04, 2006 10:03 am
Posts: 122
I don't have a remote serial console to do that, unfortunately. I did google it and I saw the case you refer to. I can't see any more hidden procs at the time, and I did download the latest chkrootkit, compiled it and checked again with no results.
Would you recommend that I tell a local admin to check that for me in single user mode and with all the services stopped?

Thank you


Posted: Mon Feb 05, 2007 11:05 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7956
Location: earth
That's the ideal condition, yes, but if you can't then just shut down all the daemons you can and rerun chkrootkit.

