Re: [cobalt-users] trojan possibly found - how do you delete them ?
- Subject: Re: [cobalt-users] trojan possibly found - how do you delete them ?
- From: Greg Boehnlein <damin@xxxxxxxx>
- Date: Sun Oct 26 10:29:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Sun, 26 Oct 2003, Ted wrote:
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> found this at the post install run of chkrootkit for cobalt's.
> any ideas?
A lot of LKM trojans (such as Suckit) will replace init with a modified
version that inserts the trojan code upon startup. Once the trojan has
been loaded, the system is started normally, and the trojan code hides the
trojaned init binary. This fools RPM databases and many of the rootkit
detectors, because it doesn't see that the binary has changed (it is still
looking at the original 'init' binary).
The only real way to check for / eradicate these types of viruses is to
remove the drive and attach it to a PC. Then, boot that PC under Knoppix
or some other CD based recovery distribution, mount the drive and look for
trojaned binaries.
--
Vice President of N2Net, a New Age Consulting Service, Inc. Company
http://www.n2net.net Where everything clicks into place!
KP-216-121-ST
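An added example, not code from Greg's post or from the cobalt-users list: a POSIX shell check for the rescue-CD step described above, comparing binaries on the mounted suspect drive against a baseline of sha256 sums recorded while the system was known good. The mount point, manifest path and file names are assumptions, and the demo builds a throwaway directory tree in a temp dir instead of a real disk.

```shell
# check_binaries MOUNT MANIFEST
# MANIFEST is in sha256sum format ("<hash>  /path") taken while the system was
# known good; MOUNT is where the suspect drive is mounted from the rescue CD
# (assumed usage: mount -o ro /dev/sdb1 /mnt; check_binaries /mnt baseline.sha256).
# Prints MODIFIED/MISSING lines; returns 0 only when every entry matches.
check_binaries() {
    mnt=$1; manifest=$2; bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue            # skip blank lines
        target="$mnt/${path#/}"               # /sbin/init -> $mnt/sbin/init
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# demo: constructed stand-in for a mounted drive (hypothetical paths, not a
# real Cobalt image). A baseline is taken, then init is replaced, mirroring
# the trojaned-init scenario; the offline check still sees the change because
# nothing on the suspect disk is executing and able to hide it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/bin"
    printf 'original init\n' > "$root/sbin/init"
    printf 'original ls\n'   > "$root/bin/ls"
    ( cd "$root" && sha256sum ./sbin/init ./bin/ls | sed 's# \./# /#' ) \
        > "$root/baseline.sha256"
    printf 'trojaned init\n' > "$root/sbin/init"   # replaced after baseline
    if check_binaries "$root" "$root/baseline.sha256"; then
        echo "OK: every listed binary matches the baseline"
    fi
    rm -rf "$root"
}
```

The baseline has to come from before the compromise (or from pristine package files); a manifest generated from the suspect drive itself proves nothing.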