Security Incidents mailing list archives
Re: strange telnet behavior
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 19 Feb 2002 13:56:54 +0100 (MET)
On Mon, 18 Feb 2002, Vladimir Ivaschenko wrote:
> _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0})
                                           ^^^^^^^^^

> Red Hat Linux release 7.1 (Seawolf) Kernel 2.4.2-2 on an i586
                                             ^^^^^^^

Hmm...interesting. Also, you said you ran RH 7.0, not 7.1?

> open("/etc/ld.so.preload", O_RDONLY) = 3

Most systems do not have ld.so.preload.

> I.e., strace does not give any output after 'open("/etc/nsswitch.conf", O_RDONLY) = 3' ! If I try to use ltrace, the application blocks completely. chkrootkit does not give any alarms. The server is running RedHat 7.0.
Your machine's kernel has probably been tampered with. Or some core libraries. Or /etc/ld.so.preload (I recall there is a rootkit using this method to control all (dynamically linked) programs out there.) You need to reboot your machine using a clean copy of the OS and other software (preferably a read-only one).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
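The two indicators the reply above flags, a kernel release reported by sysctl that disagrees with the login banner and a present /etc/ld.so.preload, can be checked with the script below. It is an added example, not part of this thread; it assumes POSIX sh with sed, grep and tr, takes the sample banner and release values from the quoted messages, and uses a constructed preload file rather than the live host.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the two indicators
# discussed above, a kernel release that disagrees with the login banner
# and a populated /etc/ld.so.preload. POSIX sh, no tools beyond
# sed, grep and tr.

# Pull the kernel version out of a login banner line such as
# "Red Hat Linux release 7.1 (Seawolf) Kernel 2.4.2-2 on an i586"
# (the form getty produces from "Kernel \r on an \m" in /etc/issue).
banner_kernel() {
    printf '%s\n' "$1" | sed -n 's/.*Kernel \([^ ]*\) on .*/\1/p' | head -n 1
}

# Compare the release the kernel itself reports (sysctl KERN_OSRELEASE,
# i.e. /proc/sys/kernel/osrelease or uname -r) with the banner.
# Prints "match" and returns 0, or prints the discrepancy and returns 1.
compare_release() {
    kernel="$1"
    banner_ver=$(banner_kernel "$2")
    if [ -z "$banner_ver" ]; then
        echo "no kernel version found in banner"; return 2
    elif [ "$kernel" = "$banner_ver" ]; then
        echo "match"; return 0
    fi
    echo "MISMATCH: kernel reports $kernel, banner says $banner_ver"; return 1
}

# Report on an ld.so.preload file. Takes the path so it can be pointed at
# a suspect root filesystem mounted from clean media, e.g.
# check_preload /mnt/suspect/etc/ld.so.preload
check_preload() {
    f="$1"
    if [ ! -e "$f" ]; then echo "absent"; return 0; fi
    # Ignore blank and comment lines; anything else is a preloaded library.
    libs=$(grep -v '^[[:space:]]*$' "$f" | grep -v '^[[:space:]]*#' || true)
    if [ -z "$libs" ]; then echo "present but empty"; return 0; fi
    echo "PRESENT: preloads $(printf '%s' "$libs" | tr '\n' ' ')"; return 1
}

# Demo on the values quoted in the thread (constructed inputs, not a live host).
SAMPLE_OSRELEASE="2.2.16-22"
SAMPLE_BANNER="Red Hat Linux release 7.1 (Seawolf) Kernel 2.4.2-2 on an i586"
echo "osrelease vs banner: $(compare_release "$SAMPLE_OSRELEASE" "$SAMPLE_BANNER")"
tmp=$(mktemp)
printf '# constructed sample preload file\n/lib/example-preload.so\n' > "$tmp"
echo "ld.so.preload: $(check_preload "$tmp")"
rm -f "$tmp"
```

On a live host, run compare_release with "$(cat /proc/sys/kernel/osrelease)" and the banner shown at login, and point check_preload at the suspect filesystem mounted read-only from clean boot media, as the reply recommends.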