Re: strange telnet behavior

From: Pavel Kankovsky (peakat_private)
Date: Tue Feb 19 2002 - 04:56:54 PST

    On Mon, 18 Feb 2002, Vladimir Ivaschenko wrote:
    
    > _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0}) 
                                               ^^^^^^^^^
    > Red Hat Linux release 7.1 (Seawolf)
    > Kernel 2.4.2-2 on an i586
             ^^^^^^^
    Hmm...interesting. Also, you said you ran RH 7.0, not 7.1?
    
    > open("/etc/ld.so.preload", O_RDONLY)    = 3
    
    Most systems do not have ld.so.preload.
    
    > I.e., strace does not give any output after 
    > 'open("/etc/nsswitch.conf", O_RDONLY)    = 3' ! If I try to use 
    > ltrace, the application blocks completely.
    > 
    > chkrootkit does not give any alarms. The server is running RedHat 
    > 7.0.
    
    Your machine's kernel has probably been tampered with. Or some core
    libraries. Or /etc/ld.so.preload (I recall there is a rootkit using this
    method to control all (dynamically linked) programs out there.)
    
    You need to reboot your machine using a clean copy of the OS and
    other software (preferably a read-only one).
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
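
The /etc/ld.so.preload mechanism mentioned in the reply is worth making concrete: glibc's dynamic loader reads that file before running any dynamically linked program and maps every object listed in it, so a single entry pointing at a hostile library hooks libc calls (open, readdir, stat, ...) in every such process on the box. The script below is an added example, not code from the original thread or from chkrootkit; it parses the file the way the glibc loader does (entries separated by whitespace or ':', '#' starting a comment), classifies each entry, and also lists shared objects mapped into the running process from outside a hard-coded list of trusted library directories. That directory list, the verdict names and the sample inputs are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Audit /etc/ld.so.preload and the shared objects mapped into this process.

Added example, not from the original post. Assumptions: glibc's parsing rules
for /etc/ld.so.preload (whitespace or ':' separates entries, '#' starts a
comment that runs to end of line); TRUSTED_LIB_DIRS is a list chosen here,
not a loader setting.
"""
import os
import re
import sys

# Where preloaded objects are normally expected to live (assumption; tune it
# for the distribution; a 2002-era Red Hat box used /lib and /usr/lib).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_ld_so_preload(text):
    """Return the object names the loader would read from ld.so.preload text."""
    # Drop '#' comments to end of line, then split on whitespace or ':'.
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [entry for entry in re.split(r"[\s:]+", stripped) if entry]


def in_trusted_dir(path):
    return any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def audit_preload_entries(entries, exists=os.path.exists):
    """Classify each entry; returns [(path, verdict)] in input order.

    `exists` is injectable so the logic can be exercised on constructed input.
    Any entry at all is notable: most systems have no ld.so.preload.
    """
    verdicts = []
    for path in entries:
        if not path.startswith("/"):
            verdicts.append((path, "relative-path"))   # resolved via search path
        elif any(part.startswith(".") for part in path.split("/")):
            verdicts.append((path, "hidden-path"))     # e.g. /tmp/.x/libfoo.so
        elif not in_trusted_dir(path):
            verdicts.append((path, "untrusted-dir"))
        elif not exists(path):
            verdicts.append((path, "missing"))         # stale, or hidden from us
        else:
            verdicts.append((path, "trusted"))         # still verify its checksum
    return verdicts


def mapped_objects(maps_text):
    """Distinct file-backed shared objects named in /proc/<pid>/maps text."""
    seen = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(fields) == 6 and fields[5].startswith("/"):
            path = fields[5]
            if ".so" in os.path.basename(path) and path not in seen:
                seen.append(path)
    return seen


def untrusted_mapped_objects(maps_text):
    return [p for p in mapped_objects(maps_text) if not in_trusted_dir(p)]


def main():
    rc = 0
    try:
        with open("/etc/ld.so.preload") as f:
            entries = parse_ld_so_preload(f.read())
    except FileNotFoundError:
        entries = []
        print("/etc/ld.so.preload: absent (the normal state)")
    for path, verdict in audit_preload_entries(entries):
        print(f"preload entry: {path}: {verdict}")
        rc = 1
    if os.environ.get("LD_PRELOAD"):
        print(f"LD_PRELOAD set in environment: {os.environ['LD_PRELOAD']}")
        rc = 1
    try:
        with open("/proc/self/maps") as f:
            for path in untrusted_mapped_objects(f.read()):
                print(f"mapped from outside trusted dirs: {path}")
                rc = 1
    except OSError:
        pass  # no procfs (non-Linux); skip this check
    return rc


if __name__ == "__main__":
    sys.exit(main())
```

The caveat is the one the reply already makes: this script is itself a dynamically linked process, so a preloaded library that hooks open() or stat() can hide the very file and mappings it is looking for, which is why a result from a running, possibly compromised system is only a hint, and the real check is done after booting from clean, read-only media.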
    
    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 16:02:54 PST