On Mon, 7 Oct 2002, Riley wrote:
> I could sure use some help interpreting this. A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:

I haven't kept up with Sendmail since Postfix made its debut, but I don't
believe there's anything wrong with BIND 8.3.3 (yet).

> /kernel: file: table is full

If you haven't tuned this server already, this could be quite common and
mundane.

> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384.

I'm not sure how busy this machine is (sounds like it's a firewall and
mailserver+antivirus), but I set the following in /boot/loader.conf on my
busier servers:

kern.maxusers=256
kern.ipc.nmbclusters=16384

This is a machine with 1GB of RAM. This results in the following sysctl
values:

kern.maxfiles: 8232
kern.maxfilesperproc: 7408
kern.maxvnodes: 68387

Note "maxfilesperproc". That may be important to you.

> Checking `bindshell'... INFECTED (PORTS: 114)
> netstat -an doesn't show anything on 114 and nothing unusual.
> I'm not sure what to think about "can't exec ./chkproc".

First, from chkrootkit.org:

Q. Which commands does chkrootkit use?
A. The following commands are used by the chkrootkit script:
   awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings,
   sed, uname

If you suspect you've been compromised... It would be best not to trust
those system binaries. Read the documentation/webpage and make sure
you're using a safe set of binaries to check your system.

From the docs, chkproc seems to be /proc intensive. The port's Makefile
does not mention chkproc:

do-install:
    ${INSTALL_SCRIPT} ${WRKSRC}/chkrootkit ${PREFIX}/sbin
    ${INSTALL_PROGRAM} ${WRKSRC}/chklastlog ${PREFIX}/sbin
    ${INSTALL_PROGRAM} ${WRKSRC}/chkwtmp ${PREFIX}/sbin
    ${INSTALL_PROGRAM} ${WRKSRC}/ifpromisc ${PREFIX}/sbin
.if !defined(NOPORTDOCS)
    ${MKDIR} ${PREFIX}/share/doc/chkrootkit
    ${INSTALL_DATA} ${DOCFILES:C,^,${WRKSRC}/,} ${PREFIX}/share/doc/chkrootkit
.endif

I suspect it isn't built due to it's very nature.

You could try using a trusted sockstat binary to verify what's listening
on the local system.

% sockstat -4l

You should be able to account for everything listed.

> Also the xl1 interface is not reported in the output and is the dmz
> interface that the above machine is on. ifconfig shows:
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500

Odd if xl1 is not in promiscuous mode, but is not listed as such by the
script. However, I am not that familiar with chkrootkit. Perhaps it
placed xl1 in PROMISC while running? That can be verified by checking
ifconfig while chkrootkit is running...

ifconfig -a ...
<snip>
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
<snip>

> Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O error on connection from [203.48.40.139], from=<Newsineedhits.com>
> Oct 7 08:45:13 aji /kernel: file: table is full
<snip>

OK, most of these look IO related... But what's this mean?

> Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
<snip>
> Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core dumped)

If 'root' really doesn't exist, then who is uid 0?

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]