Re: [cobalt-users] chkrootkit
- Subject: Re: [cobalt-users] chkrootkit
- From: Kim Schulz <kim@xxxxxxxxx>
- Date: Thu Aug 21 01:50:01 2003
- Organization: sslug
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 21 Aug 2003 07:19:21 +0200
René Mølsted <molsted@xxxxxxxxxxxx> wrote:
> Hi guys
> I just had Michael Stauber installing his security package on one of
> our RaQ550s. When it runs chkrootkit I get this report:
> +Checking `lkm'... You have 1 process hidden for ps command
> +Warning: Possible LKM Trojan installed
>
> Is that serious and what do I do to get rid of it?

Yeah, LKM (loadable kernel modules), that's one of the serious ones :o/
Here's some reading material.
Follow these discussions:
http://www.securityfocus.com/archive/119/328416
http://cert.uni-stuttgart.de/archive/forensics/2002/04/msg00019.html
And here's an explanation of what it is:
http://it.rising.com.cn/safety/safetyschool/ywyb/020129lkm.htm
And here's how to detect LKM:
http://tf.happyhacking.net/archive/resource/lkm/lkm.htm
Here's a bit of collected info about LKM:
http://tf.happyhacking.net/archive/resource/lkm/

Best regards
Kim Schulz
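
Added example, not part of the original message and not chkrootkit's own code: a cross-check for the "1 process hidden for ps command" report quoted above, which compares what ps lists against PIDs that answer a direct /proc/<pid> lookup and keeps only the ones missing from ps on every pass. It assumes Linux with /proc mounted and a procps-style ps; the function names are this example's own.

```python
import subprocess
import time

def ps_pids():
    """PIDs as reported by ps(1), the listing a hiding module filters."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probed_pids(max_pid, proc="/proc"):
    """PIDs whose /proc/<pid>/status opens by direct lookup, threads skipped."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                fields = dict(ln.split(":", 1) for ln in fh if ":" in ln)
        except OSError:
            continue  # no such PID, or it exited mid-read
        if int(fields.get("Tgid", pid)) == pid:  # Tgid != pid is a thread ID
            found.add(pid)
    return found

def persistent_hidden(rounds):
    """rounds: (ps_before, probed, ps_after) PID sets, one tuple per pass.

    A PID is reported only if every pass found it by direct lookup while
    both ps listings around that lookup missed it, which drops processes
    that merely started or exited during the scan.
    """
    suspects = None
    for ps_before, probed, ps_after in rounds:
        missing = probed - ps_before - ps_after
        suspects = missing if suspects is None else suspects & missing
    return sorted(suspects or ())

def scan(passes=3, delay=2.0):
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    samples = []
    for _ in range(passes):
        before = ps_pids()
        samples.append((before, probed_pids(max_pid), ps_pids()))
        time.sleep(delay)
    return persistent_hidden(samples)

if __name__ == "__main__":
    print("In /proc on every pass but never listed by ps:", scan())
```

An empty result does not clear the machine: a kernel module that also filters direct /proc lookups passes this check, so a finding is best confirmed from trusted boot media.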