On Wed, 2 Apr 2003, Benjamin Tomhave wrote:

> Hello,
>
> I'm investigating a possible SucKIT rootkit compromise on a web server. The
> server is a fully-patched RH8 system, running iptables limited to ssh, http,
> https and previously mysql (tcp 3306). Kernel is RH 2.4.18-27.8.0. The
> reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
> consistent with documented SucKIT compromises, and b) there doesn't seem to
> be anything on the system comprising the rootkit. Even chkrootkit comes up
> empty/clean. Which makes me wonder if someone found a hole in a
> developer's PHP code, tried to load SucKIT, had it fail, and then walked
> away. What I can say for certain is that this issue has arisen in the last
> 1-2 weeks (the current kernel appears to have been installed 3/20).
> Checking through /proc there doesn't appear to be anything unusual, either.
> tcpdump did not indicate any unexpected traffic. No web pages have been
> defaced.
>
> Here's what leads me to believe that this is a rootkit compromise:
>
> # reboot
>
> Broadcast message from root (pts/0) (Wed Apr 2 20:27:23 2003):
>
> The system is going down for reboot NOW!
> /dev/null
> RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!

I had the same thing in a root kit called zk/backdoor. Does the same thing.
Run something called CORND <-- all caps.
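A small defensive check, added here and not part of either poster's message: it scans console or syslog text for the RK_Init banner quoted above, pulls out the idt and sct[] addresses, and compares them with the symbols in a System.map for the running kernel. The log lines and the System.map excerpt below are constructed samples, and the symbol addresses in the map are hypothetical.

```python
import re

# Constructed sample of console/syslog lines, modelled on the banner quoted in the thread.
SAMPLE_LOG = """\
Apr  2 20:27:23 web kernel: Kernel logging (proc) stopped.
Broadcast message from root (pts/0) (Wed Apr  2 20:27:23 2003):
The system is going down for reboot NOW!
RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
Apr  2 20:28:01 web kernel: Linux version 2.4.18-27.8.0
"""

# Constructed System.map excerpt (hypothetical addresses, same format as a real map).
SAMPLE_SYSTEM_MAP = """\
c03300f4 D sys_call_table
c03b0000 d idt_table
c0130a20 T kmalloc
"""

# Matches the SucKIT installer banner: idt=<hex>, sct[]=<hex>, then any trailing status text.
BANNER_RE = re.compile(r"RK_Init:\s*idt=0x([0-9a-fA-F]+),\s*sct\[\]=0x([0-9a-fA-F]+)(.*)")


def find_rk_init(log_text):
    """Return one dict per RK_Init banner found, with the addresses parsed as ints."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = BANNER_RE.search(line)
        if m:
            hits.append({
                "line": lineno,
                "idt": int(m.group(1), 16),
                "sct": int(m.group(2), 16),
                "failed": "Can't find kmalloc" in m.group(3),
            })
    return hits


def load_system_map(text):
    """Parse 'address type symbol' lines into {symbol: address}."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def check_banner(hit, symbols):
    """Did the rootkit locate the real IDT and syscall table, and did its install abort?"""
    return {
        "sct_matches_kernel": symbols.get("sys_call_table") == hit["sct"],
        "idt_matches_kernel": symbols.get("idt_table") == hit["idt"],
        "install_failed": hit["failed"],
    }
```

The "Can't find kmalloc()" text shows this particular installation attempt aborted; matching addresses only confirm the installer was reading the live kernel correctly, so the attempt itself still needs to be handled as an incident.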
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:31:51 PST