Security Incidents mailing list archives
Re: possible rootkit, maybe partial?
From: Richard Rager <kb8rln () penguinmaster com>
Date: Wed, 2 Apr 2003 21:29:03 -0700 (MST)
On Wed, 2 Apr 2003, Benjamin Tomhave wrote:
> Hello, I'm investigating a possible SucKIT rootkit compromise on a web server. The server is a fully-patched RH8 system, running iptables limited to ssh, http, https and previously mysql (tcp 3306). Kernel is RH 2.4.18-27.8.0.
>
> The reason I'm at a bit of a loss here is because a) the tell-tale signs aren't consistent with documented SucKIT compromises, and b) there doesn't seem to be anything on the system comprising the rootkit. Even chkrootkit comes up empty/clean. Which makes me wonder if someone found a hole in a developer's PHP code, tried to load SucKIT, had it fail, and then walked away.
>
> What I can say for certain is that this issue has arisen in the last 1-2 weeks (the current kernel appears to have been installed 3/20). Checking through /proc there doesn't appear to be anything unusual, either. tcpdump did not indicate any unexpected traffic. No web pages have been defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
>   # reboot
>
>   Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):
>
>   The system is going down for reboot NOW!
>   /dev/null
>   RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
I had the same thing in a rootkit called zk/backdoor. Does the same thing. Run something called CORND <-- all caps.
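A defender-side check for the console message quoted above, added here as an example and not code from either poster: it parses the RK_Init line, extracts the idt and sct[] addresses, and compares them with the sys_call_table and idt_table symbols from a System.map excerpt. The log lines and the System.map excerpt are constructed for the example; a real check reads the /boot/System.map that matches the running kernel.

```python
import re

# Constructed sample: the RK_Init line the original poster saw at reboot,
# surrounded by ordinary syslog-style lines that must not match.
SAMPLE_LINES = [
    "Apr  2 20:27:23 web kernel: The system is going down for reboot NOW!",
    "RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!",
    "Apr  2 20:27:24 web kernel: md: stopping all md devices.",
]

# Constructed, hypothetical System.map excerpt (address, type, symbol).
SAMPLE_SYSTEM_MAP = """\
c03300f4 D sys_call_table
c03b0000 D idt_table
c0138a20 T kmalloc
"""

RK_INIT_RE = re.compile(
    r"RK_Init:\s*idt=(?P<idt>0x[0-9a-fA-F]+),\s*sct\[\]=(?P<sct>0x[0-9a-fA-F]+)"
    r"(?:,\s*(?P<msg>.*))?"
)


def parse_rk_init(line):
    """Return the addresses and trailing message from an RK_Init line, or None."""
    m = RK_INIT_RE.search(line)
    if not m:
        return None
    return {"idt": int(m["idt"], 16), "sct": int(m["sct"], 16),
            "msg": (m["msg"] or "").strip()}


def load_system_map(text):
    """Map symbol name -> address from System.map-formatted text."""
    symbols = {}
    for entry in text.splitlines():
        parts = entry.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def assess(lines, system_map_text):
    """Flag RK_Init lines and note whether the addresses match this kernel."""
    symbols = load_system_map(system_map_text)
    findings = []
    for line in lines:
        hit = parse_rk_init(line)
        if hit is None:
            continue
        findings.append({
            "line": line,
            "sct_matches_kernel": symbols.get("sys_call_table") == hit["sct"],
            "idt_matches_kernel": symbols.get("idt_table") == hit["idt"],
            "install_failed": "Can't find kmalloc" in hit["msg"],
        })
    return findings
```

A match on both addresses means the loader located this kernel's real tables and only the kmalloc lookup failed; a mismatch would point to a loader built against a different kernel. Either way the line is evidence that something wrote to kernel memory and the host should be treated as compromised.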
Current thread:
- possible rootkit, maybe partial? Benjamin Tomhave (Apr 02)
- Re: [CERT] possible rootkit, maybe partial? ePAc (Apr 03)
- Re: possible rootkit, maybe partial? Richard Rager (Apr 03)
- Re: possible rootkit, maybe partial? D.C. van Moolenbroek (Apr 03)
- Re: [0.5OT answer]possible rootkit, maybe partial? nobody (Apr 03)