Date:      Mon, 7 Oct 2002 13:33:04 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        Riley <rileyjmc@pacbell.net>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: chkrootkit help
Message-ID:  <20021007131203.L83742-100000@fubar.adept.org>
In-Reply-To: <HEEELMCBPANKADCOBOFPKEPCGPAA.rileyjmc@pacbell.net>

On Mon, 7 Oct 2002, Riley wrote:
> I could sure use some help interpreting this.  A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:

I haven't kept up with Sendmail since Postfix made its debut, but I don't
believe there's anything wrong with BIND 8.3.3 (yet).

> /kernel: file: table is full

If you haven't tuned this server already, this could be quite common and
mundane.

> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384.

I'm not sure how busy this machine is (sounds like it's a firewall and
mailserver+antivirus), but I set the following in /boot/loader.conf on my
busier servers:

kern.maxusers=256
kern.ipc.nmbclusters=16384

This is a machine with 1GB of RAM.  This results in the following sysctl
values:

kern.maxfiles: 8232
kern.maxfilesperproc: 7408
kern.maxvnodes: 68387

Note "maxfilesperproc".  That may be important to you.

> Checking `bindshell'... INFECTED (PORTS:  114)
> netstat -an  doesn't show anything on 114 and nothing unusual.
> I'm not sure what to think about "can't exec ./chkproc".

First, from chkrootkit.org:

Q. Which commands does chkrootkit use?
A. The following commands are used by the chkrootkit script:
   awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings,
   sed, uname

If you suspect you've been compromised...  It would be best not to trust
those system binaries.  Read the documentation/webpage and make sure
you're using a safe set of binaries to check your system.

From the docs, chkproc seems to be /proc intensive.  The port's Makefile
does not mention chkproc:

do-install:
    ${INSTALL_SCRIPT}  ${WRKSRC}/chkrootkit ${PREFIX}/sbin
    ${INSTALL_PROGRAM} ${WRKSRC}/chklastlog ${PREFIX}/sbin
    ${INSTALL_PROGRAM} ${WRKSRC}/chkwtmp    ${PREFIX}/sbin
    ${INSTALL_PROGRAM} ${WRKSRC}/ifpromisc  ${PREFIX}/sbin
.if !defined(NOPORTDOCS)
    @${MKDIR} ${PREFIX}/share/doc/chkrootkit
    ${INSTALL_DATA} ${DOCFILES:C,^,${WRKSRC}/,} ${PREFIX}/share/doc/chkrootkit
.endif

I suspect it isn't built due to its very nature.

You could try using a trusted sockstat binary to verify what's listening
on the local system.

% sockstat -4l

You should be able to account for everything listed.

> Also the xl1 interface is not reported in the output and is the dmz
> interface that the above machine is on.  ifconfig shows:
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

Odd if xl1 is not in promiscuous mode, but is not listed as such by the
script.  However, I am not that familiar with chkrootkit.  Perhaps it
placed xl1 in PROMISC while running?  That can be verified by checking
ifconfig while chkrootkit is running...

ifconfig -a ...
<snip>
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
<snip>

> Oct  7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O  error on connection from [203.48.40.139], from=<News@ineedhits.com>
> Oct  7 08:45:13 aji /kernel: file: table is full
<snip>

OK, most of these look IO related...  But what's this mean?

> Oct  7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
<snip>
> Oct  7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core dumped)

If 'root' really doesn't exist, then who is uid 0?
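An added example (not code from this reply, from chkrootkit or from the FreeBSD port) that scripts the two manual checks suggested above in POSIX sh: it flags any interface whose ifconfig flags include PROMISC, and lists every `sockstat -4l` listener that is not on an allowlist you maintain. The ifconfig and sockstat samples and the allowlist are constructed for the demo and are not real captures.

```shell
#!/bin/sh
# Added example, not from the thread or chkrootkit. Constructed sample of
# `ifconfig -a` output in FreeBSD 4.x style (addresses are documentation ranges).
IFCONFIG_SAMPLE='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'

# Constructed sample of `sockstat -4l` output (columns as on FreeBSD 4.x).
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   91200  4 tcp4   *:25                  *:*
bind     named      100   20 tcp4   *:53                  *:*
bind     named      100   21 udp4   *:53                  *:*
root     inetd      93322  5 tcp4   *:110                 *:*
root     sshd       150    3 tcp4   *:22                  *:*
nobody   unknown    4242   3 tcp4   *:114                 *:*'

# Listeners you can account for, one "proto:port command" per line (hypothetical).
ALLOWED='tcp4:25 sendmail
tcp4:53 named
udp4:53 named
tcp4:110 inetd
tcp4:22 sshd'

# Print the name of every interface whose flags field contains PROMISC.
promisc_ifaces() {
    printf '%s\n' "$1" |
        awk -F: '/^[a-z0-9]+: flags=[0-9a-f]+</ && /PROMISC/ { print $1 }'
}

# Print "proto:port command" for each listening socket not on the allowlist.
# $1 = sockstat output, $2 = allowlist. The allowlist is fed first, then a
# separator, then the sockstat lines, so a single awk pass handles both.
unexpected_listeners() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/      { in_sample = 1; next }
        !in_sample   { ok[$0] = 1; next }      # allowlist entries
        $1 == "USER" { next }                  # sockstat header line
        { split($6, addr, ":")                 # LOCAL ADDRESS is host:port
          key = $5 ":" addr[2] " " $2
          if (!(key in ok)) print key }'
}

# On a live host substitute "$(ifconfig -a)" and "$(sockstat -4l)" for the samples.
promisc_ifaces "$IFCONFIG_SAMPLE" | sed 's/^/PROMISC on: /'
unexpected_listeners "$SOCKSTAT_SAMPLE" "$ALLOWED" | sed 's/^/unaccounted listener: /'
```

Run it while chkrootkit is executing to answer the "did the script put xl1 in PROMISC" question, and treat any unaccounted listener as something to explain from a trusted binary set before trusting the host.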


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message