
Re: LKM Trojan



A couple of notes from a similar experience I had while recovering a
friend's machine from an attack (the problem was he stopped patching his
system).

First, keep backups. Weekly backups of user data and a backup of critical
configuration files in /etc, /usr/local/etc, and anywhere else your
distro/flavor happens to keep them are really needed. I normally back up all
*.swx, *.txt, *.py, *.html, and *.css files because this is what I use. I
tar up all of these and burn them to CD. It takes 5 minutes and makes
life much easier in the long run (something WILL happen).

If you have your user data and config files backed up, there isn't much
stopping you from wiping and reinstalling any time you feel like it if
you're using the machine as a workstation. On a server, you'll want to
make sure to back up any databases and content as well (you should be doing
it already).

Second, explore the options to your filesystems. Certain filesystems, /
for example, can be mounted ro (read-only) with little effort. /var and
/tmp are probably separate filesystems anyway. All Linux filesystems that
I know of support the noexec option. Adding this on /home is a very good,
basic way to keep executable files out of your /home. This won't stop
scripts from being run, but it would stop anything stored in your home
directory from being run by itself. These options can be given to mount
when you are mounting the fs and in a field in /etc/fstab. Check the mount
manpage for more info.

Third, revert to a trusted kernel and modules at least. A trusted
kernel would be something from your vendor, or from a read-only backup.

If you are backed up, wiping and reinstalling is probably the easiest
thing to do. With backups, you select your packages, start into the
system, load your old config files and data, and you're running. This can
be an hour-long process. The flip side is, you're back to the state you were
in before the attack, which means that you are still vulnerable.

I would deny all incoming IP traffic, set up outgoing traffic in a
stateful manner, and update immediately.

With the latest advancements in the Linux kernel, I would not trust a
kernel or modules that existed during a break-in. The SELinux hooks are a
rootkit author's dream, and I expect that these will become very common as
2.6 is deployed on more systems.

> At 10:05 AM 6/15/2004, you wrote:
>> While exploring the workings of my OS weekend before last, I managed to
>> break Shorewall (Shoreline Firewall) and I surfed unprotected for a couple
>> of daze before I was able to fix it.  I ran chkrootkit this last weekend,
>> which reported that I had four hidden processes and might have picked up
>> the LKM trojan.  For lack of a better plan, I reformatted my root
>> partition and rebuilt from the ground up.  :-(
>
> Once you have identified 'unknown' processes, it's fairly simple to kill
> them and remove/rename the executables (normally specified in the process,
> or you might have to search for same).
>
>> What, in plain English, is a trojan?
>
> A Trojan is a running program/process that contains code that interacts
> with external machines. Thousands of different applications, both
> malicious and innocuous - e.g. keystroke monitoring (possibly malicious,
> unless you're monitoring your kids), web site visit recording (sort of
> like an 'automatic' cookie, reporting to an external system), .. don't
> really allow or deal with them, but I'm sure others can supply more
> possibilities.
>
>> Was there a simpler alternative than wiping the drive and rebuilding?
>
> Sure - identify the code, stop, chmod -x and/or rename (as opposed to
> delete, just in case it IS required for some functionality - you can
> always delete it later).
>
>> Am I correct in assuming that wiping / was sufficient and that there was
>> no danger in retaining /home?
>
> Nope. Malicious code can 'live' anywhere. /home, /usr, /var, .. anywhere
> a program can execute.
>
>> I'm starting to wonder if purchasing a firewall appliance might be a
>> good idea.
>
> Probably not. Most firewalls are not 'application' level devices, which
> would be required to stop many trojans. They can restrict a number of
> attacks, but, by definition, must leave open ports for public services
> (e.g. the ubiquitous port 80).
>
> A firewall is only ONE component of a security policy - a secure OS is
> just as critical.
>
>          Lee
>
> ============================================
>     Leland V. Lammert                                lvl@omnitec.net
>        Chief Scientist                         Omnitec Corporation
>    Network/Internet Consultants              www.omnitec.net
> ============================================
>
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>
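An added example, not from either poster, to go with the noexec advice in the reply above: a small POSIX shell audit of fstab-format entries that flags /home and /tmp lines lacking the noexec option, and as an extension also checks the related nodev and nosuid options. The fstab table below is a constructed sample, not a real machine's /etc/fstab.

```shell
#!/bin/sh
# Constructed sample fstab (not from a real system). /home uses plain
# "defaults", /tmp has nosuid,nodev but not noexec, /var has noexec.
SAMPLE_FSTAB='# <device>   <mountpoint> <type> <options>       <dump> <pass>
/dev/hda1    /            ext3   defaults        1 1
/dev/hda2    /home        ext3   defaults        1 2
/dev/hda3    /tmp         ext3   nosuid,nodev    1 2
/dev/hda4    /var         ext3   defaults,noexec 1 2
none         /proc        proc   defaults        0 0'

# has_opt MOUNTPOINT OPTION: read fstab text from stdin and succeed only if
# the entry for MOUNTPOINT lists OPTION in its comma-separated option field.
has_opt() {
    awk -v mp="$1" -v want="$2" '
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and short lines
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_fstab: read fstab text from stdin, print one line per missing
# option on /home and /tmp, and return the number of findings.
audit_fstab() {
    fstab_text=$(cat)
    missing=0
    for mp in /home /tmp; do
        for opt in noexec nodev nosuid; do
            if ! printf '%s\n' "$fstab_text" | has_opt "$mp" "$opt"; then
                echo "$mp: missing $opt"
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# Run against the sample; on a real box use:  audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "$? option(s) missing"
```

This checks what /etc/fstab will apply at the next mount, not what is in effect now; `mount` or /proc/mounts shows the options of currently mounted filesystems.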
