My first thought would be towards some sort of module hack. That is, a module that loads, modifies something in the kernel (replaces some functions) and then unloads, but leaves the code available. Of course, I have no clue how you would check for such a thing, but I would guess that it would be loaded by something like modutil or devfsd. Have you checked to see if you have some module somewhere in the tree under /lib/modules/xxx that has no business being there?

I hope this helps..

ePAc

On Wed, 2 Apr 2003, Benjamin Tomhave wrote:

> Date: Wed, 2 Apr 2003 20:47:05 -0700
> From: Benjamin Tomhave <falconat_private>
> To: incidentsat_private
> Subject: [CERT] possible rootkit, maybe partial?
>
> Hello,
>
> I'm investigating a possible SucKIT rootkit compromise on a web server. The server is a fully-patched RH8 system, running iptables limited to ssh, http, https and previously mysql (tcp 3306). Kernel is RH 2.4.18-27.8.0. The reason I'm at a bit of a loss here is because a) the tell-tale signs aren't consistent with documented SucKIT compromises, and b) there doesn't seem to be anything on the system comprising the rootkit. Even chkrootkit comes up empty/clean. Which makes me wonder if someone found a hole in a developer's php code, tried to load SucKIT, had it fail, and then walked away. What I can say for certain is that this issue has arisen in the last 1-2 weeks (the current kernel appears to have been installed 3/20). Checking through /proc there doesn't appear to be anything unusual, either. tcpdump did not indicate any unexpected traffic. No web pages have been defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
> # reboot
>
> Broadcast message from root (pts/0) (Wed Apr 2 20:27:23 2003):
>
> The system is going down for reboot NOW!
> /dev/null
> RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
>
> Now, call me crazy, but the last part of the last line doesn't strike me as something that belongs. As it stands right now, I'm slating this box for low-level format and reinstall within the week. Since it doesn't seem to be an active zombie or anything, and since I'm still not 100% sure this is a compromised system, I'll take the chance of waiting. I may also try reinstalling the kernel just to see if that makes a difference, too.
>
> Does this look familiar or suspicious to anyone else? Anybody have any ideas on further diagnostics that I could run "just to be sure"?
>
> Thank you,
>
> -ben
>
> ***************************************
> Benjamin Tomhave
> falconat_private
> http://falcon.secureconsulting.net/
>
> ----------------------------------------------------------------------------
> Powerful Anti-Spam Management and More...
> SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial:
> http://www.securityfocus.com/SurfControl-incidents

---
Nothing is foolproof to a sufficiently talented fool...
oo ,(..)\ ~~
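Ben asks for further diagnostics, and the RK_Init line he saw reports both an idt= and an sct[]= address, i.e. whatever ran located the interrupt descriptor table and the syscall table. For a rootkit that patches the kernel through /dev/kmem rather than through a module (the technique SucKIT is known for), a stray file under /lib/modules is not the only thing to look for; a responder can also walk the same path the installer did: find the int 0x80 handler through the IDT, pull the syscall table address out of the handler's indirect call, and compare both that address and every entry against System.map. The script below does that. It is an added example written for this page, not code from the thread, from SucKIT or from chkrootkit; it assumes an i386 Linux 2.4 kernel (8-byte IDT gates, 4-byte table entries, an `idt_table` symbol, a `call *sys_call_table(,%eax,4)` in the handler) with a readable /dev/kmem and a System.map that matches the running kernel. The System.map text and memory snapshot built by `build_image` are constructed fixtures with made-up addresses, so the checks can be exercised without root.

```python
# Added example for the SucKIT thread, not code from the list, SucKIT or chkrootkit.
# Assumptions: i386 Linux 2.4 layout, readable /dev/kmem, matching System.map.
import os, struct, sys

NR_SYSCALLS = 256            # 2.4 pads sys_call_table to NR_syscalls with sys_ni_syscall (assumed 256)
CALL_SCT = b"\xff\x14\x85"   # opcode bytes of 'call *disp32(,%eax,4)'; the table address follows


def parse_system_map(text):
    """Turn 'c03300f4 D sys_call_table' lines into {name: addr} and {addr: name}."""
    by_name, by_addr = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            addr = int(parts[0], 16)
            by_name[parts[2]] = addr
            by_addr.setdefault(addr, parts[2])
    return by_name, by_addr


class MemImage:
    """Byte-buffer stand-in for /dev/kmem so the checks run without root."""
    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.data):
            raise IOError("read outside image at %#x" % addr)
        return self.data[off:off + n]


class Kmem:
    """Real /dev/kmem; on 2.4 the file offset is the kernel virtual address (assumption)."""
    def __init__(self, path="/dev/kmem"):
        self.f = open(path, "rb")

    def read(self, addr, n):
        self.f.seek(addr)
        return self.f.read(n)


def idt_handler(mem, idt_base, vector):
    """Decode the i386 gate descriptor for `vector` and return its handler address."""
    lo, _sel, _zero, _attr, hi = struct.unpack("<HHBBH", mem.read(idt_base + vector * 8, 8))
    return (hi << 16) | lo


def dispatch_table(mem, handler, span=128):
    """Return the table address baked into the handler's indirect call, or None."""
    code = mem.read(handler, span)
    i = code.find(CALL_SCT)
    return None if i < 0 else struct.unpack_from("<I", code, i + 3)[0]


def audit(mem, system_map):
    """Compare the table the kernel really dispatches through with System.map."""
    by_name, by_addr = parse_system_map(system_map)
    expected = by_name["sys_call_table"]
    live = dispatch_table(mem, idt_handler(mem, by_name["idt_table"], 0x80))
    findings = {"table_moved": None if live == expected else (expected, live), "bad_entries": []}
    raw = mem.read(live if live is not None else expected, NR_SYSCALLS * 4)
    for idx in range(NR_SYSCALLS):
        target = struct.unpack_from("<I", raw, idx * 4)[0]
        name = by_addr.get(target)
        # A legitimate entry resolves exactly to a sys_* (or old_* compat) symbol in System.map.
        if name is None or not name.startswith(("sys_", "old_")):
            findings["bad_entries"].append((idx, target, name))
    return findings


# Constructed fixture: a made-up System.map and a 28 KiB kernel memory snapshot.
SYSTEM_MAP = """\
c0100000 D idt_table
c0101000 T system_call
c0102000 D sys_call_table
c0103000 T sys_ni_syscall
c0103010 T sys_read
c0103020 T sys_getdents64
"""


def build_image(patched):
    base, img = 0xC0100000, bytearray(0x7000)
    table = [base + 0x3000] * NR_SYSCALLS                  # every slot sys_ni_syscall ...
    table[3], table[220] = base + 0x3010, base + 0x3020    # ... except read and getdents64
    packed = lambda t: b"".join(struct.pack("<I", e) for e in t)
    img[0x400:0x408] = struct.pack("<HHBBH", 0x1000, 0x10, 0, 0xEF, 0xC010)  # int 0x80 gate -> system_call
    img[0x2000:0x2400] = packed(table)                     # the table System.map knows about
    if patched:
        # Rootkit-style: copy the table to an unlisted address, hook getdents64 with
        # code that is in no symbol table, and re-point the handler's call at the copy.
        table[220] = base + 0x6000
        img[0x5000:0x5400] = packed(table)
        img[0x1000:0x1008] = b"\x50" + CALL_SCT + struct.pack("<I", base + 0x5000)
    else:
        img[0x1000:0x1008] = b"\x50" + CALL_SCT + struct.pack("<I", base + 0x2000)
    return MemImage(base, bytes(img))


if __name__ == "__main__":
    mapfile = sys.argv[1] if len(sys.argv) > 1 else "/boot/System.map-" + os.uname().release
    with open(mapfile) as f:
        print(audit(Kmem(), f.read()))
```

Run it as root with the path to the System.map that belongs to the running kernel (the default looks under /boot by release name). A non-empty `table_moved` or `bad_entries` is strong evidence that something rewired the syscall path; an empty result is not proof of a clean box, because the tool reads kernel memory through the very kernel that may be patched, and a rootkit that filters /dev/kmem reads or hooks the handler before the indirect call will not show up. The 2.4-specific assumptions (an `idt_table` symbol, 4-byte entries, /dev/kmem exposing kernel virtual addresses at their offsets) are also the reasons this check does not carry over to later kernels unchanged.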
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:29:54 PST