possible rootkit, maybe partial?

From: Benjamin Tomhave (falconat_private)
Date: Wed Apr 02 2003 - 19:47:05 PST

Next message: ePAc: "Re: [CERT] possible rootkit, maybe partial?"

Previous message: Jeff Lane: "Increase of attempts on port 635 in last couple days"
Next in thread: ePAc: "Re: [CERT] possible rootkit, maybe partial?"
Reply: ePAc: "Re: [CERT] possible rootkit, maybe partial?"
Reply: Richard Rager: "Re: possible rootkit, maybe partial?"
Reply: D.C. van Moolenbroek: "Re: possible rootkit, maybe partial?"
Reply: nobody: "Re: [0.5OT answer]possible rootkit, maybe partial?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I'm investigating a possible SucKIT rootkit compromise on a web server.  The
server is a fully-patched RH8 system, running iptables limited to ssh, http,
https and previously mysql (tcp 3306).  Kernel is RH 2.4.18-27.8.0.  The
reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
consistent with documented suckit compromises, and b) there doesn't seem to
be anything on the system comprising the rootkit.  Even chkrootkit comes up
empty/clean.  Which makes me wonder if someone found a whole in a
developer's php code, tried to load suckit, had it fail, and then walked
away.  What I can say for certain is that this issue has arisen in the last
1-2 weeks (the current kernel appears to have been installed 3/20).
Checking through /proc there doesn't appear to be anything unusual, either.
tcpdump did not indicate any unexpected traffic.  No web pages have been
defaced.

Here's what leads me to believe that this is a rootkit compromise:

# reboot

Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):

The system is going down for reboot NOW!
/dev/null
RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!

Now, call me crazy, but the last part of the last line doesn't strike me as
something that belongs.  As it stands right now, I'm slating this box for
low-level format and reinstall within the week.  Since it doesn't seem to be
an active zombie or anything, and since I'm still not 100% sure this is a
compromised system, I'll take the chance of waiting.  I may also try
reinstalling the kernel just to see if that makes a difference, too.

Does this look familiar or suspicious to anyone else?  Anybody have any
ideas on further diagnostics that I could run "just to be sure"?

Thank you,

-ben

***************************************
 Benjamin Tomhave
 falconat_private
 http://falcon.secureconsulting.net/


----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents

Next message: ePAc: "Re: [CERT] possible rootkit, maybe partial?"
Previous message: Jeff Lane: "Increase of attempts on port 635 in last couple days"
Next in thread: ePAc: "Re: [CERT] possible rootkit, maybe partial?"
Reply: ePAc: "Re: [CERT] possible rootkit, maybe partial?"
Reply: Richard Rager: "Re: possible rootkit, maybe partial?"
Reply: D.C. van Moolenbroek: "Re: possible rootkit, maybe partial?"
Reply: nobody: "Re: [0.5OT answer]possible rootkit, maybe partial?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 20:10:59 PST