Re: Hacked or not ?

Board: FB_security, posted 2004/06/13 04:04
On Saturday, 2004-06-12 at 13:15:33 +0200, Peter Rosa wrote:

> please advise me - I was on holidays for one week. After return I found in
> security mails from router (chkrootkit) following message:

> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed

> It appeared only once. From previous and next days reports, the message is
> not present.

This is an artifact. chkrootkit uses two methods to look at the running
processes - ps and /proc. When a process terminates between the two
runs, you will get this. I see it at irregular intervals on all my
machines that run chkrootkit.

But if your machine is critical, running chkrootkit once daily is not
enough. This gives a cracker too much time to nest in. Run it at least
every hour. Are you running an integrity checker like AIDE, Tripwire,
etc?

> How could I be sure, the machine is not hacked ?

You can't. Not in general. chkrootkit goes only so far. Always assume
the worst. But don't panic.

HTH,
Lupe Christoph

PS: Flames that this is not a security help mailing list to /dev/null,
please. If you want to flame me, put the energy into creating a
freebsd-security-help mailing list instead.

--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies. Michael Lucas |
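The race described in the reply above, as an added example that is not part of the original post and is not chkrootkit's own code: it compares the /proc view with the ps view over several rounds and keeps only PIDs that are missing from ps every time, so a process that exits between the two listings drops out. The function names and the snapshot data are hypothetical, and the live sampler assumes /proc is mounted and that `ps -A -o pid=` is available.

```python
import os
import subprocess
import time


def parse_ps_pids(ps_output):
    """PIDs from `ps -A -o pid=` output: one PID per line, no header."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def parse_proc_pids(entries):
    """PIDs from a /proc directory listing: the all-numeric entry names."""
    return {int(name) for name in entries if name.isdigit()}


def live_sample():
    """One (proc_view, ps_view) pair taken from the running system."""
    in_proc = parse_proc_pids(os.listdir("/proc"))
    ps = subprocess.run(["ps", "-A", "-o", "pid="],
                        capture_output=True, text=True, check=True)
    return in_proc, parse_ps_pids(ps.stdout)


def persistent_hidden(sample, rounds=3, delay=1.0):
    """PIDs listed in /proc but missing from ps in every one of `rounds`.

    A process that exits or starts between the two listings is a mismatch
    in one round only, so intersecting the rounds filters it out.
    """
    suspects = None
    for i in range(rounds):
        in_proc, in_ps = sample()
        mismatch = in_proc - in_ps
        suspects = mismatch if suspects is None else suspects & mismatch
        if not suspects:
            return set()
        if i < rounds - 1:
            time.sleep(delay)
    return suspects or set()


# Constructed snapshots (not real data): PID 4711 exits between listings.
RACE = [({1, 80, 512, 4711}, {1, 80, 512}), ({1, 80, 512}, {1, 80, 512})]
# Constructed snapshots: PID 666 stays in /proc but never appears in ps.
STUCK = [({1, 80, 512, 666}, {1, 80, 512})] * 3

if __name__ == "__main__":
    print("race:", persistent_hidden(iter(RACE).__next__, delay=0))
    print("stuck:", persistent_hidden(iter(STUCK).__next__, delay=0))
    print("live:", persistent_hidden(live_sample))
```

A PID that survives every round is a lead for closer inspection, not proof of a rootkit.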
Article code (AID): #10os6z00 (FB_security)