
Rootkit?



Hello,

In our server farm I found different machines not working properly. They show
up complaining:

webbox:/chkrootkit# gzip -d
gzip: invalid option -- d
Segmentation fault

The binaries that are running take a look at /proc/uptime, which they are not
supposed to do:

webbox:/chkrootkit# strace -eopen ls
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/librt.so.1", O_RDONLY)       = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/lib/libpthread.so.0", O_RDONLY)  = 3
open("/proc/uptime", O_RDONLY)          = 3
open("/proc/4215/exe", O_RDONLY)        = 3
--- SIGCHLD (Child exited) ---
open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/etc/mtab", O_RDONLY)             = 5
open("/proc/meminfo", O_RDONLY)         = 5
ACKNOWLEDGMENTS  README             check_wtmpx    chkdirs.c     chkpro
chkrootkit      chkwtmp.c    strings
COPYRIGHT        README.chklastlog  check_wtmpx.c  chklastlog    chkproc
chkrootkit.lsm  ifpromisc    strings.c
Makefile         README.chkwtmp     chkdirs        chklastlog.c  chkproc.c
chkwtmp         ifpromisc.c
webbox:/chkrootkit#

Is this a rootkit installed? Has anyone experienced stuff like this? The
machines are running Debian 3.0 with different kernels:
2.4.18-bf2.4 or a static 2.4.20

ta@domainbox.de
the countless lonely voices, like whispers in the dark...
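
One way to turn the observation in the post into a repeatable check, as an added example that is not part of the original message: diff the files a traced binary opens against a trace of the same command taken on a known-good host. The function names and both sample traces are constructed for illustration; the known-good trace is an assumption standing in for one captured from a freshly installed machine.

```python
import re

# One open() call per line, as printed by `strace -eopen` (wrapped lines rejoined).
OPEN_RE = re.compile(r'^open\("([^"]*)",[^)]*\)\s*=\s*(-?\d+)', re.MULTILINE)
PID_RE = re.compile(r'^/proc/\d+/')

# Constructed sample in the format of the trace quoted in the post.
SUSPECT = '''\
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/proc/uptime", O_RDONLY)          = 3
open("/proc/4215/exe", O_RDONLY)        = 3
--- SIGCHLD (Child exited) ---
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/etc/mtab", O_RDONLY)             = 5
'''

# Constructed stand-in for the same command traced on a known-good host
# (assumption: in practice, capture this from a freshly installed machine).
KNOWN_GOOD = '''\
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/etc/mtab", O_RDONLY)             = 3
'''

def parse_opens(trace):
    """Return [(path, return_value)] for every open() attempt in the trace."""
    return [(m.group(1), int(m.group(2))) for m in OPEN_RE.finditer(trace)]

def normalize(path):
    """Collapse /proc/<pid>/ paths so traces from different runs compare equal."""
    return PID_RE.sub('/proc/<pid>/', path)

def unexpected_opens(suspect, baseline):
    """Paths the suspect binary tried to open that the baseline run never touched."""
    known = {normalize(p) for p, _ in parse_opens(baseline)}
    seen = {normalize(p) for p, _ in parse_opens(suspect)}
    return sorted(seen - known)

if __name__ == '__main__':
    for path in unexpected_opens(SUSPECT, KNOWN_GOOD):
        print('not in baseline:', path)
```

Failed opens are kept in the comparison on purpose, since the attempt itself is the signal. Run strace from trusted media where possible, because tools on a suspect host may themselves be modified.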


