On Thu, Feb 07, 2002 at 05:59:07PM +0000, bsamuels@beenthere-donethat.org.uk wrote:
> Thanks for your suggestions.
> Since sending that last email I ran chkrootkit 2-3 times over a period and it produced the lkm warning each time.
> I thought that I would try re-booting 'just in case' and since the re-boot chkrootkit has not displayed the lkm warning at all.
> Is that indicative of anything?
Hmm, maybe there was an lkm, but any self-respecting lkm will reload itself upon reboot, and it appears it did not. Have you checked /etc/rc*? Was there anything running in the background when you did a chkrootkit? Especially something that executes more programs quite regularly.
I don't think anything has been trojanned, but I'm not sure why chkrootkit keeps giving false positives. I guess it could be flaky software/hardware somewhere, or a race condition or something.
If you have been trojanned, and it's not a run-of-the-mill thing, someone has taken more time to write it and keep it secret. This is improbable, because:
1) You are a dialup user. They are not interested in your bandwidth.
2) You are security conscious. This increases the level of detection; if they've spent time and effort to keep their hiding mechanism to themselves, this is an influence, because you might just come across it, or suddenly decide to unplug your box and run tct over it.
3) Afaik, the machine isn't a production or "critical" (in the business sense of the word) machine, so you can afford to take it down if necessary.
4) It is probably a personal machine. Small amounts of personal information generally aren't of any value to your average cracker. It might be for some social engineering or getting passwords to more powerful places, but it's unlikely. There might be credit cards, but why bother with a single user's machine when there's an open NFS mount on some porn site with 200k different numbers?
These are probably worth a read:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/unix_security_checklist2.0.html
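As an added example (not part of this thread and not chkrootkit's own code): a stripped-down shell reconstruction of the comparison behind chkrootkit's LKM warning, which its chkproc test raises when the PIDs found by walking /proc disagree with what ps reports. The race the reply alludes to is reproduced deterministically: a process that exits between the two snapshots comes out as "hidden" although no module is involved, which is exactly what a cron job or any regularly spawned command does to a real scan. The function names and the constructed PID lists are this example's own.

```shell
#!/bin/sh
# Added example: simplified version of the /proc-versus-ps comparison that
# produces chkrootkit's "Possible LKM Trojan" warning. Assumption: the real
# chkproc walks /proc and diffs against ps; this only reproduces the diff.

# hidden_pids FIRST SECOND
# Print the PIDs present in FIRST but absent from SECOND (both are
# whitespace-separated PID lists), separated by single spaces.
hidden_pids() {
    first=$1
    second=$2
    out=""
    for pid in $first; do
        found=0
        for p in $second; do
            if [ "$p" = "$pid" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            out="$out $pid"
        fi
    done
    printf '%s' "${out# }"
}

# proc_pids: store in PROC_PIDS the PIDs a readdir() of /proc sees. The glob
# runs in the current shell (no subshell) so the snapshot itself does not
# create a transient process that would later look "hidden".
proc_pids() {
    PROC_PIDS=""
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        PROC_PIDS="$PROC_PIDS ${d#/proc/}"
    done
    PROC_PIDS=${PROC_PIDS# }
}

# ps_pids: PIDs as ps reports them; this is the second, later snapshot.
ps_pids() {
    ps -eo pid= | tr -s ' \n' ' '
}

# quiet_scan: the comparison on an idle box. Prints nothing when no process
# started or exited between the two snapshots.
quiet_scan() {
    proc_pids
    hidden_pids "$PROC_PIDS" "$(ps_pids)"
}

# race_demo: start a short-lived process, snapshot /proc while it is alive,
# let it exit, then snapshot ps. Sets RACE_VICTIM (the sleeper's PID) and
# RACE_HIDDEN (the PIDs the naive check would report as hidden).
race_demo() {
    sleep 1 &
    RACE_VICTIM=$!
    proc_pids
    wait "$RACE_VICTIM"
    after=$(ps_pids)
    RACE_HIDDEN=$(hidden_pids "$PROC_PIDS" "$after")
}

# Stand-alone usage; skipped where there is no /proc or no usable ps.
if [ -d "/proc/$$" ] && ps -eo pid= >/dev/null 2>&1; then
    echo "quiet scan reports: '$(quiet_scan)'"
    race_demo
    echo "racy scan reports:  '$RACE_HIDDEN' (the sleeper was PID $RACE_VICTIM)"
fi
```

The second run reports the sleeper as "hidden" purely because it exited between the two reads; rerunning the check a few times on a box with nothing spawning in the background, as the reply suggests, is the way to tell this kind of transient from a PID that is consistently missing from ps.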