On Mon, 18 Feb 2002, Vladimir Ivaschenko wrote:

> _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0})
                                           ^^^^^^^^^
> Red Hat Linux release 7.1 (Seawolf)
> Kernel 2.4.2-2 on an i586
         ^^^^^^^

Hmm...interesting. Also, you said you ran RH 7.0, not 7.1?

> open("/etc/ld.so.preload", O_RDONLY) = 3

Most systems do not have ld.so.preload.

> I.e., strace does not give any output after
> 'open("/etc/nsswitch.conf", O_RDONLY) = 3' ! If I try to use
> ltrace, the application blocks completely.
>
> chkrootkit does not give any alarms. The server is running RedHat
> 7.0.

Your machine's kernel has probably been tampered with. Or some core
libraries. Or /etc/ld.so.preload (I recall there is a rootkit using this
method to control all (dynamically linked) programs out there.)

You need to reboot your machine using a clean copy of the OS and other
software (preferably a read-only one).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
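
Added example, not part of the original message: a shell check for the ld.so.preload case raised above, meant to be run after booting from clean media with the suspect root filesystem mounted read-only. The mount point argument and the function names are assumptions; entries are split on whitespace and colons with `#` starting a comment, which is how the glibc loader reads the file.

```shell
#!/bin/sh
# Added example: inspect etc/ld.so.preload on a suspect root filesystem
# mounted read-only from trusted rescue media. ROOT (e.g. /mnt/suspect) is an
# assumed mount point; nothing here trusts binaries from the suspect system.

# Print one preload entry per line. '#' starts a comment; entries are
# separated by spaces, tabs, newlines or colons.
preload_entries() {
    sed 's/#.*//' "$1" | tr ' \t:' '\n\n\n' | sed '/^$/d'
}

# Exit status: 0 = no preload file or no entries, 1 = entries need review.
check_preload() {
    root=$1
    file="$root/etc/ld.so.preload"
    if [ ! -e "$file" ]; then
        echo "OK: $file does not exist"
        return 0
    fi
    entries=$(preload_entries "$file")
    if [ -z "$entries" ]; then
        echo "NOTE: $file exists but lists no libraries"
        return 0
    fi
    echo "REVIEW: $file preloads into every dynamically linked program:"
    echo "$entries" | while IFS= read -r lib; do
        case "$lib" in
            /*) if [ -e "$root$lib" ]; then
                    echo "  $lib (present under $root)"
                else
                    echo "  $lib (not found under $root)"
                fi ;;
            *)  echo "  $lib (not an absolute path; resolved via library search path)" ;;
        esac
    done
    return 1
}

# Usage: check_preload /mnt/suspect
```

Any library reported as present should then be compared against the distribution's packages from the clean environment before the system is trusted again.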
This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 16:02:54 PST