Pavel Kankovsky wrote about "Re: strange telnet behavior":

> On Mon, 18 Feb 2002, Vladimir Ivaschenko wrote:
>
> > _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0})
>                                             ^^^^^^^^^
> > Red Hat Linux release 7.1 (Seawolf)
> > Kernel 2.4.2-2 on an i586
>          ^^^^^^^
> Hmm...interesting. Also, you said you ran RH 7.0, not 7.1?

Well, this is output of telnet on a remote machine. :)

> > > open("/etc/ld.so.preload", O_RDONLY) = 3
>
> Most systems do not have ld.so.preload.

And that looks to be it! I cannot find file /etc/ld.so.preload on that machine (remote login via ssh). As well, if you look at the strace it also loads "/lib/libshow.so.0.9.5", which is also invisible to programs running on that machine.

Unfortunately I'm in another place now and the admin guy there is not qualified enough to perform any analysis. I will try to get my hands on it as soon as possible. I should have looked better at the beginning of the strace...

> Your machine's kernel has probably been tampered with. Or some core
> libraries. Or /etc/ld.so.preload (I recall there is a rootkit using this
> method to control all (dynamically linked) programs out there.)

What is interesting, according to RPM, the MD5 for everything is correct. So unless they tampered with the RPM database, most probably it is in /etc/ld.so.preload.

-- 
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
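A defender-side check for what this thread describes, added here as an example and not code from the original message or the list: it reads /etc/ld.so.preload through raw syscalls, so the libc symbols a preloaded library interposes on are not involved, parses the list, and flags the case where libc's access() denies a file the kernel can open. Function names, the 128-byte entry limit and the 4 KiB buffer are my own choices; build with gcc -static for a listing that no preload can influence.

```c
#define _GNU_SOURCE                 /* for syscall() in glibc */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Added example (not from the thread), Linux only: read a file via raw
 * syscalls, bypassing open()/read() hooks from a preloaded library. -1 if absent. */
static long raw_read_file(const char *path, char *buf, size_t cap) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return -1;
    long n = syscall(SYS_read, fd, buf, cap - 1);
    syscall(SYS_close, fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Split the preload list: entries separated by whitespace or ':', with
 * '#' to end of line treated as a comment. Returns the entry count. */
static int parse_preload(const char *text, char out[][128], int max) {
    int n = 0, len = 0, comment = 0;
    for (const char *p = text;; p++) {
        char c = *p;
        if (c == '#') comment = 1;
        else if (c == '\n' || c == '\0') comment = 0;
        if (!strchr(" \t\r\n:", c) && !comment) {  /* inside an entry */
            if (len < 127) out[n][len++] = c;
        } else if (len > 0) {                      /* entry ends here */
            out[n][len] = '\0';
            len = 0;
            if (++n == max) return n;
        }
        if (c == '\0') return n;
    }
}
/* 1 when the kernel opens the file but libc's access() reports it absent: a
 * preloaded library hiding its config. Only meaningful in a dynamic build. */
static int libc_view_disagrees(const char *path) {
    char buf[4096];
    return raw_read_file(path, buf, sizeof buf) >= 0 && access(path, F_OK) != 0;
}
int main(void) {
    char buf[4096], libs[32][128];
    int n = raw_read_file("/etc/ld.so.preload", buf, sizeof buf) < 0 ? 0 : parse_preload(buf, libs, 32);
    for (int i = 0; i < n; i++) printf("preloaded: %s\n", libs[i]);
    if (libc_view_disagrees("/etc/ld.so.preload")) puts("WARNING: libc hides this file");
    return n > 0;
}
```

A static build never consults ld.so.preload at all, so its listing is trustworthy; a dynamic build is the one in which the "libc hides this file" disagreement can actually show up.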
This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 16:23:50 PST