Re: possible rootkit, maybe partial?

[Richard Rager <kb8rln () penguinmaster com>]

On Wed, 2 Apr 2003, Benjamin Tomhave wrote:

> Hello,
>
> I'm investigating a possible SucKIT rootkit compromise on a web server.  The
> server is a fully-patched RH8 system, running iptables limited to ssh, http,
> https and previously mysql (tcp 3306).  Kernel is RH 2.4.18-27.8.0.  The
> reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
> consistent with documented suckit compromises, and b) there doesn't seem to
> be anything on the system comprising the rootkit.  Even chkrootkit comes up
> empty/clean.  Which makes me wonder if someone found a whole in a
> developer's php code, tried to load suckit, had it fail, and then walked
> away.  What I can say for certain is that this issue has arisen in the last
> 1-2 weeks (the current kernel appears to have been installed 3/20).
> Checking through /proc there doesn't appear to be anything unusual, either.
> tcpdump did not indicate any unexpected traffic.  No web pages have been
> defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
> # reboot
>
> Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):
>
> The system is going down for reboot NOW!
> /dev/null
> RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!



   I had the same thing in a root kit called.  zk/backdoor 

Does the same thing..


Run somthing called CORND  <--all caps..

 


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents