|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
possible rootkit, maybe partial?
From: Benjamin Tomhave (falcon
cybersecret.com)
Date: Wed Apr 02 2003 - 21:47:05 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
I'm investigating a possible SucKIT rootkit compromise on a web server. The
server is a fully-patched RH8 system, running iptables limited to ssh, http,
https and previously mysql (tcp 3306). Kernel is RH 2.4.18-27.8.0. The
reason I'm at a bit of a loss here is because a) the tell-tale signs aren't
consistent with documented suckit compromises, and b) there doesn't seem to
be anything on the system comprising the rootkit. Even chkrootkit comes up
empty/clean. Which makes me wonder if someone found a whole in a
developer's php code, tried to load suckit, had it fail, and then walked
away. What I can say for certain is that this issue has arisen in the last
1-2 weeks (the current kernel appears to have been installed 3/20).
Checking through /proc there doesn't appear to be anything unusual, either.
tcpdump did not indicate any unexpected traffic. No web pages have been
defaced.
Here's what leads me to believe that this is a rootkit compromise:
# reboot
Broadcast message from root (pts/0) (Wed Apr 2 20:27:23 2003):
The system is going down for reboot NOW!
/dev/null
RK_Init: idt=0xc03b0000, sct[]=0xc03300f4, FUCK: Can't find kmalloc()!
Now, call me crazy, but the last part of the last line doesn't strike me as
something that belongs. As it stands right now, I'm slating this box for
low-level format and reinstall within the week. Since it doesn't seem to be
an active zombie or anything, and since I'm still not 100% sure this is a
compromised system, I'll take the chance of waiting. I may also try
reinstalling the kernel just to see if that makes a difference, too.
Does this look familiar or suspicious to anyone else? Anybody have any
ideas on further diagnostics that I could run "just to be sure"?
Thank you,
-ben
***************************************
Benjamin Tomhave
falconcybersecret.com
http://falcon.secureconsulting.net/
----------------------------------------------------------------------------
Powerful Anti-Spam Management and More...
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-incidents
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]