Weird Network Manager Problem (Updated)

James McKenzie jjmckenzie51 at earthlink.net
Sun Sep 26 03:38:36 UTC 2010


  On 9/25/10 8:34 PM, Mike Dwiggins wrote:
>    On 9/25/2010 8:28 PM, JD wrote:
>> On 09/25/2010 07:14 PM, Mike Dwiggins wrote:
>>>      JB,
>>>
>>> I figured you or someone else might like to know this.  I killed the dhc
>>> process and cleaned up the .conf files, did a restart on Network Manager
>>> and everything worked!
>>>
>>> Ran chkrootkit and it hit on netstat as Infected (imagine that).  It
>>> also reported a possible LKM Trojan intrusion.  I then ran rkhunter and
>>> it threw warnings on the following files:
>>> /bin/netstat
>>> /bin/ps
>>> /usr/bin/top
>>> /usr/bin/lsof
>>>
>>> It also reported undocumented password change and group file changes.
>>>
>>> Password I could see with me going through Webmin to reset the root
>>> password but, I was careful to change nothing else much less groups!
>>>
>>> I rebooted and the problem was back just as before!
>>>
>>> With that I threw up my hands and have WipeDrive going on the drives in
>>> DoD mode!
>>>
>>> Hope this might help someone!
>>>
>>> Again thanks for the help!
>>>
>> chkrootkit found this, but I have no idea where the process is:
>>
>> Checking `lkm'... You have     1 process hidden for readdir command
>> You have     1 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
>>
>>
>> So, if it will not tell me which process it is, how can I find it?
>>
> Beats me, this is where it gets above my head!  I had enough problems
> with it I just went Scorched Earth.  There should be a lesser way but, I
> am not that good and admit it!
>
Usually, at this time, it is time to hope you backed up your system before
you were rooted and blow everything away and start over.  Also a good 
time to upgrade to the latest version of whatever OS you are using.

James McKenzie
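
One way to put a PID on the "1 process hidden for readdir command" warning quoted above. This is an added example, not part of the thread and not chkrootkit's own code. It assumes a Linux procfs mounted at /proc; the function names are made up for illustration.

```python
import os

def listed_pids(procfs="/proc"):
    """PIDs the kernel returns when procfs is listed (the readdir view)."""
    return {int(name) for name in os.listdir(procfs) if name.isdigit()}

def read_tgid(pid, procfs="/proc"):
    """Thread-group id from <procfs>/<pid>/status, or None if not reachable."""
    try:
        with open(os.path.join(procfs, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return None

def hidden_pids(listed, max_pid, tgid_of):
    """PIDs that answer a direct lookup but are missing from the listing.

    Threads are reachable as /proc/<tid> yet never listed, so only an entry
    whose Tgid equals its own number counts as a process.
    """
    return [pid for pid in range(1, max_pid + 1)
            if pid not in listed and tgid_of(pid) == pid]

def scan(procfs="/proc"):
    """Probe every possible PID; re-check hits to drop start/exit races."""
    with open(os.path.join(procfs, "sys/kernel/pid_max")) as fh:
        max_pid = int(fh.read())
    before = listed_pids(procfs)
    hits = hidden_pids(before, max_pid, lambda p: read_tgid(p, procfs))
    after = listed_pids(procfs)
    return [p for p in hits if p not in after and read_tgid(p, procfs) == p]

if __name__ == "__main__":
    for pid in scan():
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = "?"
        print(f"PID {pid} answers /proc/{pid} but is not listed (exe: {exe})")
```

A kernel-level rootkit can filter direct lookups as well, so an empty result does not clear the machine.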


