Web Hosting Talk

warlkm


Dylan
10-16-2001, 10:15 PM
I found warlkm on one of my servers in a /home/users directory.

Is it safe to rm -rf?

The reason I ask is because one of the files mentioned that it changes one of the kernel's files and there is no point of return. A crash is more likely.


If you don't know what warlkm is, please don't ask.


Oh, and I also found something else. You know you get
p # user user s d f
I found a 10667
I can't rm. It says write protected. I need to get rid of it.

JTY
10-16-2001, 11:54 PM
The write protected file needs to have the following command run on it before you can delete it.

chattr -i <file name>

For more info on chattr and the 'i' attribute, look up the man page for chattr...

Hope that helps.. :)
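An added example (not code from the thread) that walks through the chattr step above in a repeatable way: it parses lsattr output for the lock flags, clears 'i' (immutable) and 'a' (append-only), and also checks the parent directory, since either flag on the directory stops entries inside it from being unlinked even after the file's own flag is cleared. The path /home/users/w00t and the sample lsattr line are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: inspect and clear the ext2/ext3 lock
# attributes before removing a suspicious file. The paths below are
# placeholders; /home/users/w00t is an assumed location, not one from the post.

# Return 0 if a line of lsattr(1) output carries the given attribute letter.
# The attribute field is the first whitespace-separated token of the line,
# e.g. "----i--------e-- /home/users/w00t".
lsattr_line_has_flag() {
    line=$1
    flag=$2
    flags=${line%% *}   # first token: the attribute letters
    case "$flags" in
        *"$flag"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Clear 'i' (immutable) and 'a' (append-only) on a path if present.
# Both flags block unlink(2) even for root, and either flag on the parent
# directory also stops entries inside it from being removed.
clear_lock_flags() {
    path=$1
    attrs=$(lsattr -d "$path") || return 1
    for f in i a; do
        if lsattr_line_has_flag "$attrs" "$f"; then
            echo "clearing +$f on $path"
            chattr "-$f" "$path" || return 1
        fi
    done
}

# Record the attributes for the incident log, clear the locks on the file and
# on its parent directory, then remove the file.
remove_protected_file() {
    target=$1
    parent=$(dirname -- "$target")
    lsattr -d "$target" "$parent"      # keep this output as evidence
    clear_lock_flags "$target" || return 1
    clear_lock_flags "$parent" || return 1
    rm -f -- "$target"
}

# Constructed lsattr line used to exercise the parser without touching disk.
SAMPLE_LSATTR_LINE='----i--------e-- /home/users/w00t'

# Usage: run as root with the file to remove as the only argument.
if [ "$#" -eq 1 ]; then
    remove_protected_file "$1"
fi
```

Keep the lsattr output from the first step; which flags were set, and on which paths, is part of the record of what the intruder did.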

Dylan
10-17-2001, 12:09 AM
Thanks, I'll give it a bash. The program I'm trying to delete is w00t (nope, not the game). Ever heard of it?

I'm just worried about warlkm now :(

Dylan
10-17-2001, 07:46 AM
:bawling:

With regards to w00t. I did a chattr and then when I tried to rm, I got "cannot unlink. permission denied"

Can you think of anything else?

JTY
10-17-2001, 09:19 AM
That should have removed the attribute.

Hrmmm.... that's a mind boggler... :(

Ales
10-17-2001, 12:09 PM
I may be completely off here since I have little experience in kernel hacks and root exploits... I'm learning about LKM right now.

How did you find warlkm? Did you use kstat? Is warlkm actually running?

Have any of your system calls been compromised? There might be some things/proggys you can't detect anymore or some that do not work as they used to. Perhaps that's why you can't rm that file...?

Are you the only root at the moment or perhaps.... :bawling:

Ales

Dylan
10-17-2001, 10:06 PM
.slash

Ales
10-17-2001, 10:40 PM
I saw your post and assumed it's some kind of a hack attempt so I searched around to find more about it. You see, my company is just starting to venture into the dedicated servers' world so I'm doing my homework...

I didn't find much about warlkm, just about other LKM exploits. The program I was talking about, kstat, is supposed to discover whether LKM exploits are running or not.

The problem is that LKMs are running in kernel space, not user/root space. If they are used "properly", the hacker can compromise your "system calls". Meaning: you do a ls and it doesn't show you all the files anymore. Same with top, etc. *Anything* that does system calls to the kernel can be compromised.

There is no way you can find out about it because all the programs (ls, top,...) are still the same, same size, same dates, they are not changed in any way. The connection to the kernel and what action is being done is compromised. So the warlkm might be still running on your machine as we speak...

But there are these proggys, kstat and ksec, that can unmask running LKMs or address other issues with kernels recompiled by hackers. Apparently they can also trace all the changes to system calls...

Take a look here:

http://www.s0ftpj.org/en/tools.html

If you do a search on lkm, kernel hacking, etc., you will also find articles about the stuff. What I told you is just a quick summary...

Hope your server will be rescued...

Ales
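An added example, not from the thread and not how kstat or ksec work internally, showing the cross-checking idea behind such tools applied to the process table. A module that hides a process usually filters the directory listing of /proc (the path ps and ls take) but still answers a direct stat() of /proc/<pid>; comparing the two views surfaces the discrepancy. The sample PID lists are constructed, and the live scan is an assumed simplification that a real tool would do in C rather than a shell loop.

```sh
#!/bin/sh
# Added example, not from the thread: cross-check two views of the process
# table. The listing view goes through the directory-reading syscalls a
# rootkit commonly hooks; the probe view asks about each PID directly.

# PIDs visible by listing the /proc directory, one per line.
listed_pids() {
    for entry in /proc/[0-9]*; do
        echo "${entry#/proc/}"
    done
}

# PIDs that answer a direct probe of /proc/<pid>, one per line.
# Scanning up to pid_max can take a while in plain sh; pass a smaller upper
# bound as $1 to limit the scan.
probed_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "/proc/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# Print entries that appear in the probed view but not in the listed view.
# Arguments are newline-separated lists; awk always exits 0, so the function
# composes cleanly under set -e.
hidden_entries() {
    { printf '%s\n' "$1"; echo '--- probed ---'; printf '%s\n' "$2"; } |
    awk '/^--- probed ---$/ { probed = 1; next }
         !probed            { seen[$0] = 1; next }
         $0 != "" && !($0 in seen) { print }'
}

# Live check: anything printed deserves a closer look. It is either a PID
# hidden from the listing or a process that started between the two passes,
# so re-run to confirm before drawing conclusions.
check_live_proc() {
    hidden_entries "$(listed_pids)" "$(probed_pids "$1")"
}

# Constructed sample views used to exercise hidden_entries without a live scan:
# the listing lacks PID 1337, which a direct probe still finds.
SAMPLE_LISTED='1
2
42
100'
SAMPLE_PROBED='1
2
42
100
1337'

# Usage: sh this_script.sh <max_pid>   (prints any PIDs hidden from the listing)
if [ "$#" -ge 1 ]; then
    check_live_proc "$1"
fi
```

The same comparison applies to files (a directory listing versus a direct stat of each expected name) and to kernel modules (lsmod output versus /proc/modules); the principle is that a hook has to lie consistently across every path into the kernel, and a simple userland tool like this one catches the cases where it does not. A hook that covers both paths will not be caught this way, which is why the thread's advice to use a dedicated tool and, ultimately, to boot from known-clean media still stands.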

Dylan
10-18-2001, 12:06 AM
Thanks. This lkm stuff is really interesting. It's a pity it causes so much damage though :mad:

Dylan
10-18-2001, 12:27 AM
:confused:

http://www.multimania.com/spacewalker/projects/lkm.fr.txt

Anybody know what this says? Does this tell you how to uninstall warlkm? (Notice the script halfway down the page)