
Re: [cobalt-users] trojan possibly found - how do you delete them ?



> > Checking `lkm'... You have     1 process hidden for readdir command
> > You have     1 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> > Found this at the post-install run of chkrootkit for Cobalts.
> > Any ideas?

It might be nothing...

> A lot of LKM trojans (such as Suckit) will replace init with a modified
> version that inserts the trojan code upon startup. Once the trojan has
> been loaded, the system is started normally, and the trojan code hides the
> trojaned init binary. This fools RPM databases and many of the rootkit
> detectors, because it doesn't see that the binary has changed (it is still
> looking at the original 'init' binary).

> The only real way to check for / eradicate these types of viruses is to
> remove the drive and attach it to a PC. Then, boot that PC under Knoppix
> or some other CD based recovery distribution, mount the drive and look for
> trojaned binaries.

Not so.. in fact I do it all the time...  In some cases you can use that
same init bin to unhide and unload the mess, which is a good start to
cleaning it up...  I have a RaQ3 I'm monitoring now since it got trashed...
it had like 3 hacks on it and it was flooding, it had a sniffer running,
and everything was dying...  I just cleaned out everything and it's holding
strong...
(and I killed the PHP-Nuke that had holes... )

I have done this so many times now I have a flat rate :)

Zeffie
734-454-9117
http://www.zeffie.com/
Home of the World's Largest collection of RaQ rpms
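The chkrootkit warning quoted at the top ("1 process hidden for readdir command / ps command") comes from cross-checking three views of the process table: listing /proc, asking ps, and probing every PID with kill(pid, 0). As an added example, not code from this thread or from chkrootkit itself, here is that cross-check in Python for Linux; it assumes a mounted /proc, a ps that accepts `-eo pid=`, and that pid_max is at most 65536 (check /proc/sys/kernel/pid_max and raise `max_pid` if needed).

```python
# Added example, not code from the thread or from chkrootkit itself.
import os
import subprocess

def pids_from_readdir():
    """PIDs visible when /proc is listed (what readdir() returns)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pids_from_ps():
    """PIDs reported by ps(1); a trojaned ps or a hooked LKM may drop some."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def pids_from_kill_probe(max_pid=65536):
    """PIDs that answer kill(pid, 0); a readdir hook on /proc cannot hide these."""
    alive = set()
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # EPERM: the PID exists, it just belongs to someone else
        alive.add(pid)
    return alive

def is_thread(pid):
    """Thread IDs answer kill() but are never listed by readdir; Tgid != pid."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def compare(readdir_pids, ps_pids, probe_pids, ignore=frozenset()):
    """Pure comparison: (hidden from readdir, hidden from ps), each sorted."""
    hidden_readdir = (probe_pids - readdir_pids) - set(ignore)
    hidden_ps = (readdir_pids - ps_pids) - set(ignore)
    return sorted(hidden_readdir), sorted(hidden_ps)

if __name__ == "__main__":
    rd, probe, ps = pids_from_readdir(), pids_from_kill_probe(), pids_from_ps()
    skip = {os.getpid()} | {p for p in probe - rd if is_thread(p)}
    print("hidden for readdir / ps:", compare(rd, ps, probe, skip))
```

The three snapshots are not atomic, so a process that exits between the /proc listing and the ps run shows up as "hidden for ps"; run it two or three times and only trust PIDs that are reported every time, and remember that a PID hidden from readdir but still stat-able under /proc is exactly what both a thread and a readdir-hooking LKM look like, which is why the Tgid check is there.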