Date:      Mon, 7 Oct 2002 16:40:55 -0400
From:      Anthony Schneider <anthony@x-anthony.com>
To:        Riley <rileyjmc@pacbell.net>
Cc:        FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: chkrootkit help
Message-ID:  <20021007204055.GA65040@x-anthony.com>
In-Reply-To: <HEEELMCBPANKADCOBOFPKEPCGPAA.rileyjmc@pacbell.net>
References:  <HEEELMCBPANKADCOBOFPKEPCGPAA.rileyjmc@pacbell.net>

If you've been nailed by a rootkit, you should not trust netstat,
ifconfig, ps, etc. anymore.  Bring in the binaries from another
similar system, because rootkits will generally have replacements
which suppress the output that they don't want you to see (like
open ports, promiscuous mode, etc., although promiscuous mode
I believe can be overcome by simply writing over a small chunk
of kernel memory whilst leaving the interface still promiscuous).
You might also try portscanning the machine.  And then, after
you check these things out, I suggest you do a reinstall.
Good luck.
-Anthony.

On Mon, Oct 07, 2002 at 11:47:15AM -0700, Riley wrote:
> Hi all,
> 
> (Let me know if this belongs in -questions)
> 
> I could sure use some help interpreting this.  A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:
> 
> /kernel: file: table is full
> 
> along with related messages, then a core dump.  (syslog for this date is
> below.)
> 
> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384.  As the system
> started to recover, for fun I ran chkrootkit, which came back with this:
> 
> Checking `bindshell'... INFECTED (PORTS:  114)
> 
> A few minutes later and ever since chkrootkit returns:
> 
> Checking `bindshell'... not infected
> 
> netstat -an doesn't show anything on 114 and nothing unusual.
> 
> The system is on a dmz with ports 25, 53 and 110 mapped through.  Running
> chkrootkit on the firewall reported this:
> 
> Checking `bindshell'... not infected
> Checking `lkm'... not tested: can't exec ./chkproc
> Checking `rexedcs'... not found
> Checking `sniffer'...
> xl0 is not promisc
> xl2 is not promisc
> 
> I'm not sure what to think about "can't exec ./chkproc".  Also the xl1
> interface is not reported in the output and is the dmz interface that the
> above machine is on.  ifconfig shows:
> 
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
>         inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
>         ether 00:60:08:31:e4:b0
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> 
> Any comments would be greatly appreciated.
> 
> Thanks,
> 
> Riley
> 
> 
> "That which does not kill us makes us stranger."
>                                              --Kimchi
> 
> 
> Oct  7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O  error on connection from [203.48.40.139], from=<News@ineedhits.com>
> Oct  7 08:45:13 aji /kernel: file: table is full
> Oct  7 08:45:14 aji last message repeated 38 times
> Oct  7 08:46:27 aji last message repeated 35 times
> Oct  7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect:
> I/O error on connection from adsl-63-rev-addr,
> from=<root@someotherserver.dom>
> Oct  7 09:22:17 aji /kernel: file: table is full
> Oct  7 09:22:20 aji last message repeated 17 times
> Oct  7 09:23:21 aji last message repeated 16 times
> Oct  7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0):
> <local@email.addr>... openmailer(local): pipe (to mailer): Too many open
> files in system
> Oct  7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot
> open hash database /etc/mail/aliases.db: Too many open files in system
> Oct  7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in
> system
> Oct  7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct  7 09:25:42 aji /kernel: file: table is full
> Oct  7 09:25:43 aji last message repeated 4 times
> Oct  7 09:29:58 aji /kernel: file: table is full
> Oct  7 09:30:44 aji last message repeated 107 times
> Oct  7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core
>  dumped)
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
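One concrete cross-check for the two points above (Anthony's warning that a trojaned netstat can hide listeners, and Riley's port 114 that chkrootkit flagged but netstat never showed): compare what the host's own netstat reports as LISTENing with what a scan from a separate machine sees, and flag anything open from outside that the host denies. This is an added example, not code from the thread; the netstat and scanner lines are constructed samples in FreeBSD netstat -an / nmap-style layout, and the scanner field format is an assumption.

```shell
#!/bin/sh
# Constructed sample input (not from the thread): what the host's own
# netstat -an printed, and what a scan run from a separate host reported.
LOCAL_NETSTAT='tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  10.100.100.2.25        203.0.113.7.4411       ESTABLISHED'
EXTERNAL_SCAN='25/tcp   open  smtp
53/tcp   open  domain
110/tcp  open  pop3
114/tcp  open  audionews'

# Ports netstat says are LISTENing: take the last dotted component of the
# local-address column (FreeBSD prints addr.port, e.g. *.25).
local_listeners() {
  printf '%s\n' "$1" | awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }' | sort -un
}

# Ports the external scanner saw as open (assumed layout: port/proto state name).
scanned_open() {
  printf '%s\n' "$1" | awk '$2 == "open" { split($1, a, "/"); print a[1] }' | sort -un
}

# Ports open from outside that the host's own netstat never mentions.
# Either the tool is lying (replaced binary, kernel-level hiding) or the
# listener is hidden some other way; both call for checking from clean media.
hidden_ports() {
  lp=$(local_listeners "$1")
  scanned_open "$2" | while read -r port; do
    printf '%s\n' "$lp" | grep -qxF "$port" || printf '%s\n' "$port"
  done
}

# Usage: substitute real  netstat -an  output and your scanner's report.
hidden=$(hidden_ports "$LOCAL_NETSTAT" "$EXTERNAL_SCAN")
if [ -n "$hidden" ]; then
  echo "externally open but not reported locally: $hidden"
else
  echo "local listener list matches external scan"
fi
```

A port that only the outside scan sees is the signature of exactly the situation Anthony describes, and is the cue to boot from known-good media rather than keep trusting the installed tools.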

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021007204055.GA65040>