Security Incidents mailing list archives

Re: strange telnet behavior


From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 19 Feb 2002 13:56:54 +0100 (MET)

On Mon, 18 Feb 2002, Vladimir Ivaschenko wrote:

> _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0})
                                           ^^^^^^^^^
> Red Hat Linux release 7.1 (Seawolf)
> Kernel 2.4.2-2 on an i586
         ^^^^^^^
Hmm...interesting. Also, you said you ran RH 7.0, not 7.1?

> open("/etc/ld.so.preload", O_RDONLY)    = 3

Most systems do not have ld.so.preload.

> I.e., strace does not give any output after
> 'open("/etc/nsswitch.conf", O_RDONLY)    = 3' ! If I try to use
> ltrace, the application blocks completely.

> chkrootkit does not give any alarms. The server is running RedHat
> 7.0.

Your machine's kernel has probably been tampered with. Or some core
libraries. Or /etc/ld.so.preload (I recall there is a rootkit using this
method to control all (dynamically linked) programs out there.)

You need to reboot your machine using a clean copy of the OS and
other software (preferably a read-only one).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
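The two indicators Pavel calls out above (an /etc/ld.so.preload that the dynamic loader injects into every dynamically linked program, and a kernel release string that disagrees with what the running kernel reports) can be triaged with a short script. The following is an added example written for this archive page; it is not code from the thread or from chkrootkit, and the function names, the ability to pass an alternate preload path, and the sample file contents used for testing are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Two quick host checks for
# the indicators discussed above. Paths default to the real system files but
# can be overridden so the functions can be exercised on constructed input.

# Print every active (non-blank, non-comment) entry of an ld.so.preload file.
# Returns 1 if at least one library is being preloaded, 0 if the file is
# absent or carries no entries. The loader honours this file regardless of
# the user's environment, which is what makes it a rootkit-friendly hook.
preload_entries() {
    f="${1:-/etc/ld.so.preload}"
    [ -r "$f" ] || return 0
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        printf 'preloaded library: %s\n' "$line"
        found=1
    done < "$f"
    return $found
}

# Compare two kernel release strings, e.g. the value a program got back via
# libc (uname -r) and the value read straight from /proc/sys/kernel/osrelease.
# Both should come from the same kernel; a mismatch means one source is lying,
# which is exactly the 2.2.16-22 versus 2.4.2-2 disagreement in the thread.
kernel_release_matches() {
    [ "$1" = "$2" ]
}

# Run both checks against the live system. Exit status 1 means at least one
# indicator fired; the details are printed as they are found.
triage() {
    rc=0
    preload_entries /etc/ld.so.preload || rc=1
    live=$(cat /proc/sys/kernel/osrelease 2>/dev/null || true)
    reported=$(uname -r)
    kernel_release_matches "$reported" "$live" || {
        printf 'kernel release mismatch: uname=%s proc=%s\n' "$reported" "$live"
        rc=1
    }
    return $rc
}
```

Call `triage` from a shell on the suspect host; because a preloaded library can hook anything dynamically linked, including the shell, `cat` and `uname` used here, a clean result from this script is only weak evidence, while a positive result is strong. As Pavel says, the trustworthy check is to boot clean read-only media and inspect the disk from there.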



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

