LKM trojan? and large .xsession-errors

Probably not the first person to ask this, but any ideas on how best to
check for an LKM trojan - having already taken the gut reaction of force
reinstalling procps and wiping ~/.xsession-errors? A quick look in
.xsession-errors showed xsession errors rather than anything dodgy, and
it's not been truncated for a long time. It had grown to about 4G and was
taking a lot of space. That file may be just a red herring.

What got me wondering was a chkrootkit report that a process was being
hidden from ps. I've seen that before with latest kernels and a ps command
that didn't keep up with them, but to be sure I reinstalled the procps
package and ran chkrootkit again to find nothing reported. Could it have
been odd chance? What type of process did the old procps fail to pick up?
Was it system processes that shouldn't by chance go away between
chkrootkit runs, or threads or something that can?

The system is on 24/7 and runs Apache2, Apache-ssl and Exim4. Apache2 has
no CGI support enabled. Apache-ssl does, but has password protection over
the entire server to knock out random scans. Exim4 is pretty default,
non-relaying. Logs on them all are pretty boring. The obvious automated
hack attacks on Apache get 404 or 414 results for Not Found and That
Input Was Too Big. The whole thing now sits behind a Netgear firewall
appliance, but that's a new feature.

So - where do I look next to see if there's any evidence of compromise?


 - Richard

Re: LKM trojan? and large .xsession-errors

Thinking about it cycling in to work this morning - I may have hit the
chkrootkit race condition: . Good to
be paranoid though.

 - Richard
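
An added example, not code from the thread or from chkrootkit, showing the two cross-checks the posts are really about: the hidden-process test (PIDs present under /proc but absent from `ps` output) sampled more than once so that a process exiting between the two listings does not trigger a false alarm, and a module cross-check that compares /sys/module against /proc/modules (the list `lsmod` prints). It assumes a Linux /proc and /sys layout and a working `ps` from procps; the use of the `initstate` attribute to tell runtime-loaded modules from built-in ones is an assumption stated in the code.

```python
#!/usr/bin/env python3
"""Added example (not from the original thread): two cross-checks in the
spirit of chkrootkit's hidden-process test.  The comparison logic is kept
separate from the data collection so it can be reasoned about (and tested)
without a live system, and the process check is sampled repeatedly so that
short-lived processes are not reported as 'hidden'."""
import os
import subprocess
import time
from typing import Iterable, Set, Tuple


def proc_pids() -> Set[int]:
    """PIDs the kernel exposes as numeric directories under /proc.
    Only thread-group leaders are listed, so threads never show up here."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs reported by the userland tool (`ps -e -o pid=`), for comparison."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(proc: Set[int], ps: Set[int]) -> Set[int]:
    """PIDs visible in /proc but missing from ps output.  A single sample is
    unreliable: a process that exits between the two listings lands here as
    well (the chkrootkit race condition mentioned in the follow-up post)."""
    return proc - ps


def persistent_hidden(samples: Iterable[Tuple[Set[int], Set[int]]]) -> Set[int]:
    """Report only PIDs that are hidden in *every* sample.  A process that
    merely exited mid-listing in one sample is absent from later ones and
    drops out of the intersection."""
    result = None
    for proc, ps in samples:
        cand = hidden_candidates(proc, ps)
        result = cand if result is None else result & cand
    return result or set()


def loaded_modules_from_sys() -> Set[str]:
    """Module names under /sys/module that carry an 'initstate' attribute.
    Assumption: built-in modules also appear under /sys/module but lack
    initstate, so this approximates 'loaded at runtime'."""
    base = "/sys/module"
    return {m for m in os.listdir(base)
            if os.path.exists(os.path.join(base, m, "initstate"))}


def proc_modules() -> Set[str]:
    """Module names from /proc/modules, the list lsmod prints."""
    with open("/proc/modules") as fh:
        return {line.split()[0] for line in fh if line.strip()}


def modules_missing_from_list(sys_mods: Set[str], proc_mods: Set[str]) -> Set[str]:
    """Modules with sysfs state but absent from /proc/modules.  Unlinking
    from the kernel's module list hides a module from lsmod; a module that
    did so without also removing its sysfs entry is flagged here."""
    return sys_mods - proc_mods


if __name__ == "__main__":
    samples = []
    for _ in range(3):
        samples.append((proc_pids(), ps_pids()))
        time.sleep(0.5)
    print("PIDs hidden from ps in every sample:",
          sorted(persistent_hidden(samples)) or "none")
    print("modules missing from /proc/modules:",
          sorted(modules_missing_from_list(loaded_modules_from_sys(),
                                           proc_modules())) or "none")
```

Two points from the thread are visible in the code: threads cannot explain a one-off chkrootkit hit, because `os.listdir("/proc")` and `ps -e` both list only thread-group leaders, whereas a process that exits between the /proc scan and the `ps` run can, which is why the result is only trusted when it persists across samples. An empty result from either check is reassuring but not conclusive; a module that hides both its list entry and its sysfs directory, or one that filters /proc itself, leaves nothing for this userland comparison to find, so an offline look at the disk (or a memory image) remains the stronger test.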
