Re: LKM Trojan
At 10:05 AM 6/15/2004, you wrote:
>While exploring the workings of my OS weekend before last, I managed to break
>Shorewall (Shoreline Firewall) and I surfed unprotected for a couple of daze
>before I was able to fix it. I ran chkrootkit this last weekend, which reported
>that I had four hidden processes and might have picked up the LKM trojan. For
>lack of a better plan, I reformatted my root partition and rebuilt from the
>ground up. :-(
Once you have identified 'unknown' processes, it's fairly simple to kill
them and remove/rename the executables (normally specified in the process,
or you might have to search for the same).
>What, in plain English, is a trojan?
A Trojan is a running program/process that contains code that interacts
with external machines. There are thousands of different applications, both
malicious and innocuous - e.g. keystroke monitoring (possibly malicious,
unless you're monitoring your kids), web site visit recording (sort of like
an 'automatic' cookie, reporting to an external system), etc. I don't really
allow or deal with them, but I'm sure others can supply more possibilities.
>Was there a simpler alternative than wiping the drive and rebuilding?
Sure - identify the code, stop, chmod -x and/or rename (as opposed to
delete, just in case it IS required for some functionality - you can always
delete it later).
>Am I correct in assuming that wiping / was sufficient and that there was no
>danger in retaining /home?
Nope. Malicious code can 'live' anywhere. /home, /usr, /var, .. anywhere a
program can execute.
>I'm starting to wonder if purchasing a firewall appliance might be a good
>idea.
Probably not. Most firewalls are not 'application' level devices, which
would be required to stop many trojans. They can restrict a number of
attacks, but, by definition, must leave open ports for public services
(e.g. the ubiquitous port 80).
A firewall is only ONE component of a security policy - a secure OS is just
as critical.
Lee
============================================
Leland V. Lammert lvl@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
============================================
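The "find it, stop it, chmod -x and rename it, don't delete it" routine Lee describes, written out as shell functions. This is an added example and not code from the original post or from chkrootkit; the function names are this example's own. hidden_pids() makes the same comparison chkrootkit's hidden-process check makes (PIDs present under /proc but missing from ps), exe_of() reads the executable behind a PID from /proc/PID/exe, and quarantine_file() strips the execute bits and renames the binary instead of deleting it, so it can still be examined or put back.

```sh
#!/bin/sh
# Added example (not from the original post). Linux only: relies on /proc and ps.

# One pass: print every PID that exists under /proc but that ps does not report.
hidden_pids_once() {
    local pid
    for pid in $(ls /proc | grep -E '^[0-9]+$'); do
        ps -p "$pid" -o pid= >/dev/null 2>&1 || echo "$pid"
    done
    return 0
}

# Two passes, reporting only PIDs flagged both times, so a process that merely
# exited between the /proc read and the ps run is not called "hidden".
# Returns 2 when ps is unavailable, since the comparison is meaningless then.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "ps not found" >&2; return 2; }
    local first pid
    first=$(hidden_pids_once)
    [ -n "$first" ] || return 0
    sleep 1
    for pid in $first; do
        [ -d "/proc/$pid" ] || continue       # gone now: it just exited
        ps -p "$pid" -o pid= >/dev/null 2>&1 || echo "$pid"
    done
    return 0
}

# Resolve the executable behind a PID (root is needed for other users'
# processes). A result ending in " (deleted)" means the binary was unlinked
# after it started, which is itself suspicious; the image stays readable
# through /proc/PID/exe until the process dies.
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Neutralise a file without deleting it: strip all execute bits and rename it,
# so it can still be inspected, and restored if it turns out to be needed.
# Prints the new path.
quarantine_file() {
    local path="$1"
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    chmod a-x "$path" || return 1
    mv "$path" "$path.quarantined" || return 1
    echo "$path.quarantined"
}

# Freeze the process first (a SIGSTOPped process cannot respawn or clean up),
# quarantine its binary, then kill it. An already-unlinked binary is copied
# out of /proc/PID/exe (path is this example's choice) before the kill.
neutralise_pid() {
    local pid="$1" exe saved
    kill -STOP "$pid" 2>/dev/null || { echo "cannot stop $pid" >&2; return 1; }
    exe=$(exe_of "$pid")
    case "$exe" in
        "")
            echo "$pid: cannot read /proc/$pid/exe (need root?)" >&2 ;;
        *" (deleted)")
            saved="${TMPDIR:-/tmp}/quarantined-pid$pid"
            cp "/proc/$pid/exe" "$saved" && chmod a-x "$saved"
            echo "$pid: binary ${exe% (deleted)} was unlinked; image saved as $saved" >&2 ;;
        *)
            quarantine_file "$exe" ;;
    esac
    kill -KILL "$pid"
}
```

Run as root: hidden_pids to list candidates, exe_of PID to see what is behind one, and neutralise_pid PID only after checking the path against the package manager (rpm -Vf / dpkg -S) so you don't quarantine a system binary. Two caveats a 2004 LKM rootkit makes relevant: a kernel-level rootkit that hides a process from ps usually hides its /proc entry too, so this comparison sees nothing (chkrootkit also probes PIDs directly for that reason), and ps, readlink and chmod themselves may be trojaned on a compromised box, so run them from known-good media if you can.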