linuxnewbie1234 wrote:
> Hi there
> I am apparently struck by a *very* smart rootkit, probably a LKM. Some
> unknown process or kernel thread on our system is making a spam-network
> with some other peers. Netstat won't show that process (not even with a
> dash "-" like it is for kernel threads like NFS). "ps" probably also
> won't show it.
>
> The peer IP addresses which are contacted by the infected machine are
> recurring over time however, so there must be some running process that
> holds those IP addresses in memory.
>
> Is there a way I can use /dev/mem or /dev/kmem to scan for those IP
> addresses (double word value)? After I found it, I would need to know
> which process maps that portion of memory. (That might even be a kernel
> thread actually) Can you point me to some direction? Consider that I
> know C/C++ but I don't really know much of the Linux kernel.
I'm not a security expert, but I'd strongly advise a clean (and I mean a
CLEAN!!!!) re-installation. A rootkit can very well catch any access to
/dev/kmem and hide itself. That's what makes rootkits so nasty! Maybe it
has even silently installed a virtual machine and your Linux kernel is
no longer running on the physical machine but on that virtual machine,
which makes the rootkit absolutely undetectable.
Josef
--
These are my personal views and not those of Fujitsu Technology Solutions!
Josef Möllers (penguin keeper at FTS)
If failure had no penalty success would not be a prize (T. Pratchett)
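The scan the question asks about, as an added example that is not from either poster: it searches a memory image for the 4-byte network-order form of a peer address at every alignment, since the dword may sit inside a packed socket structure. The sample image is constructed; running it over a copy of /dev/mem is an assumption, and, as the reply points out, a kernel-resident rootkit can filter what such a read returns, so a hit list from the live system is evidence, not proof of absence.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse dotted-quad text into the 4 bytes as they sit in memory in
 * network byte order (the form struct sockaddr_in stores). */
static int ipv4_bytes(const char *dotted, uint8_t out[4]) {
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    out[0] = (uint8_t)a; out[1] = (uint8_t)b; out[2] = (uint8_t)c; out[3] = (uint8_t)d;
    return 0;
}

/* Count every byte offset in img where the address occurs, at any alignment.
 * Up to max_hits offsets are stored in hits[] (hits may be NULL if max_hits is 0). */
static size_t scan_for_ipv4(const uint8_t *img, size_t len, const char *dotted,
                            size_t *hits, size_t max_hits) {
    uint8_t pat[4];
    size_t n = 0;
    if (len < 4 || ipv4_bytes(dotted, pat) != 0) return 0;
    for (size_t off = 0; off + 4 <= len; off++) {
        if (memcmp(img + off, pat, 4) != 0) continue;
        if (n < max_hits) hits[n] = off;
        n++;
    }
    return n;
}

/* Offset of the k-th (0-based) hit, or -1 if there is no such hit. */
static long nth_ipv4_hit(const uint8_t *img, size_t len, const char *dotted, size_t k) {
    size_t hits[64];
    size_t n = scan_for_ipv4(img, len, dotted, hits, 64);
    return (k < n && k < 64) ? (long)hits[k] : -1;
}

/* Constructed sample image: 192.0.2.44 (a documentation address) appears
 * twice, once unaligned at offset 3 and once at offset 12. */
static const uint8_t sample_image[] = {
    0x00, 0x11, 0x22,
    0xC0, 0x00, 0x02, 0x2C,          /* 192.0.2.44 at offset 3 */
    0xDE, 0xAD, 0xBE, 0xEF, 0x01,
    0xC0, 0x00, 0x02, 0x2C,          /* 192.0.2.44 at offset 12 */
    0xFF
};

int main(void) {
    size_t hits[16];
    size_t n = scan_for_ipv4(sample_image, sizeof sample_image, "192.0.2.44", hits, 16);
    for (size_t i = 0; i < n; i++) printf("192.0.2.44 at offset %zu\n", hits[i]);
    return 0;
}
```

To apply it to a real image, read /dev/mem (or a dump of it) into a buffer and pass that buffer instead of sample_image; a hit's offset is the physical address to trace back to its owning mapping.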