[Cialug] Rootkit?

Nathan Stien nathanism at gmail.com
Thu Jan 31 21:43:44 CST 2008


On Jan 31, 2008 9:21 PM, Josh More <morej at alliancetechnologies.net> wrote:
> This client doesn't do inline comments very well (sorry, I don't like it
> either), so here are my responses to Nathan:
>
> 1) See http://www.chkrootkit.org/faq/#5 for using chkrootkit with the -r
> and -p options.

Neat, will do.

> 3) Nessus is a vulnerability scanner with a lot more history than nmap
> (nmap is just now turning into a vuln scanner).  It's a bit of a pain to
> set up, but it is very powerful.

Yeah, I never got past the "pain to set up" part, hence my question. ;-)

> However, after reading what happened in this thread after my first post,
> I suspect that you have a network process running amok.  Boot into level
> 1 emergency mode and see if the problem still occurs there.  Then bring
> up your services one at a time and see when you start to see the
> problem.  (I suspect samba ;)

I booted into runlevel 1, and htop showed that one of my cores was
pegging at 100% in kernel mode, but no particular process or listed
kernel thread was doing it.  At this point, there was no network.  And
my network usually doesn't come on until after I've logged into KDE,
since that's when knetworkmanager can get into my kwallet to tell
NetworkManager what my WPA2 key is.

> A quicker test would be to go straight to init 3 and see if it's there.
> Then go to init 5.  If it's in init 5 but not 3, odds are that it's
> something that X/gnome/KDE/etc is doing.  Try a basic window manager and
> see if it goes away (you may need to reboot first).

After rebooting to various runlevels, it now seems to be using only
about 50% of one of my cores.  It seems kind of random, but there
always seems to be some significant amount of utilization on at least
one core that cannot be accounted for by listed processes.

> "netstat -atunp" may give you clues... but if you *are* hacked, you
> cannot trust its output (nor that of the dependencies of chkrootkit and
> rkhunter, which is why you need to use a boot disk).

I realize that you can't trust an in-system rootkit detector if you're
compromised.  I ran rkhunter and chkrootkit anyway, just in case it
was amateur hour.  I'll just have to get a boot disk together
tomorrow.  But now it's too close to bedtime to start messing with
that.

Thanks to all you guys for the advice.

- Nathan
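One thing worth separating out before reaching for a boot disk is *which kind* of kernel-mode time the pegged core is spending. htop's "kernel" share of a core lumps together the system, irq and softirq columns of /proc/stat, and interrupt/softirq time is never charged to any PID, so it looks like load with no owning process even on a clean box. The script below is an added example (not from anyone in this thread) that diffs two /proc/stat snapshots and breaks each core's interval down by column; the two snapshots embedded in it are constructed, not captured from Nathan's machine, and the 50% threshold is an arbitrary choice for the demo. A kernel rootkit can of course lie through /proc, so this only helps decide whether the load is interrupt-shaped; it does not prove or rule out compromise.

```python
"""Break down per-core CPU time from two /proc/stat snapshots.

htop's "kernel" bar combines the system, irq and softirq columns (plus steal on
VMs). irq/softirq/steal time is never attributed to a PID, which is one benign
way to end up with a core pegged in kernel mode and no process to blame.
"""
import time

# Column order of a "cpuN" line in /proc/stat (jiffies); later kernels append
# guest columns, which we ignore.
FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")

# Two CONSTRUCTED snapshots a few seconds apart (not real data): cpu0 spends
# almost the whole interval in irq/softirq, cpu1 is mostly idle.
SNAPSHOT_A = """\
cpu  1000 0 500 8000 100 50 30 0 0 0
cpu0  400 0 200 3000  50 40 20 0 0 0
cpu1  600 0 300 5000  50 10 10 0 0 0
intr 12345 0 0
ctxt 6789
"""
SNAPSHOT_B = """\
cpu  1010 0 520 8400 100 350 330 0 0 0
cpu0  405 0 210 3010  50 340 320 0 0 0
cpu1  605 0 310 5390  50  10  10 0 0 0
intr 99999 0 0
ctxt 7000
"""


def parse_cpu_lines(text):
    """Return {cpu_name: {field: jiffies}} for every per-core line (skips the aggregate 'cpu')."""
    cpus = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("cpu") or parts[0] == "cpu":
            continue
        values = [int(v) for v in parts[1:1 + len(FIELDS)]]
        cpus[parts[0]] = dict(zip(FIELDS, values))  # zip tolerates older kernels with fewer columns
    return cpus


def cpu_breakdown(before, after):
    """Percentage of the interval each core spent in each /proc/stat bucket."""
    result = {}
    for name, b in before.items():
        a = after[name]
        delta = {f: a.get(f, 0) - b.get(f, 0) for f in FIELDS}
        total = sum(delta.values())
        if total <= 0:
            continue  # no elapsed jiffies for this core between snapshots
        pct = {f: round(100.0 * delta[f] / total, 1) for f in FIELDS}
        # What htop paints as "kernel" time on this core.
        pct["kernel_total"] = round(pct["system"] + pct["irq"] + pct["softirq"], 1)
        # Time that no PID in ps/htop will ever account for.
        pct["not_charged_to_pid"] = round(pct["irq"] + pct["softirq"] + pct["steal"], 1)
        result[name] = pct
    return result


def suspicious_cores(breakdown, threshold=50.0):
    """Cores whose un-attributable (irq/softirq/steal) share is at or above the threshold."""
    return sorted(n for n, p in breakdown.items() if p["not_charged_to_pid"] >= threshold)


def live_breakdown(interval=2.0):
    """Same analysis against the running kernel (Linux only; hypothetical helper for real use)."""
    with open("/proc/stat") as f:
        before = parse_cpu_lines(f.read())
    time.sleep(interval)
    with open("/proc/stat") as f:
        after = parse_cpu_lines(f.read())
    return cpu_breakdown(before, after)


if __name__ == "__main__":
    demo = cpu_breakdown(parse_cpu_lines(SNAPSHOT_A), parse_cpu_lines(SNAPSHOT_B))
    for name, pct in demo.items():
        print(name, pct)
    print("interrupt-dominated cores:", suspicious_cores(demo))
```

In the constructed data cpu0 comes out at about 97.6% "kernel" time of which 96% is irq/softirq, i.e. exactly the htop picture of a pegged core with no process responsible; if a live run on the real box showed the time in the system column instead, that points back at a process or kernel thread and makes the boot-disk check the right next step. Cross-checking against /proc/interrupts (watch which IRQ line's counter is racing) is the natural follow-up when the irq share is high.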
