Rootkit?
Hello,
In our server farm I found different machines not working properly. They show
up complaining:
webbox:/chkrootkit# gzip -d
gzip: invalid option -- d
Segmentation fault
The running binaries take a look at /proc/uptime, which they are not
supposed to do:
webbox:/chkrootkit# strace -eopen ls
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/librt.so.1", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/libpthread.so.0", O_RDONLY) = 3
open("/proc/uptime", O_RDONLY) = 3
open("/proc/4215/exe", O_RDONLY) = 3
--- SIGCHLD (Child exited) ---
open("/dev/null", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/etc/mtab", O_RDONLY) = 5
open("/proc/meminfo", O_RDONLY) = 5
ACKNOWLEDGMENTS README check_wtmpx chkdirs.c chkpro
chkrootkit chkwtmp.c strings
COPYRIGHT README.chklastlog check_wtmpx.c chklastlog chkproc
chkrootkit.lsm ifpromisc strings.c
Makefile README.chkwtmp chkdirs chklastlog.c chkproc.c
chkwtmp ifpromisc.c
webbox:/chkrootkit#
Is this a rootkit installed? Has someone experienced stuff like this? The
machines are running Debian 3.0 with different kernels,
2.4.18-bf2.4 or a static 2.4.20
ta@domainbox.de
the countless lonely voices, like whispers in the dark...
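
Added example, not part of the original post: a small Python triage of the strace output above that flags the /proc/uptime read the poster points out. The /proc/<pid>/exe, SIGCHLD and ld.so.preload rules and all names in the code are assumptions of this example, meant as review prompts rather than verdicts.

```python
import re

# Abridged from the strace output quoted in the post above.
SAMPLE_TRACE = """\
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/proc/uptime", O_RDONLY) = 3
open("/proc/4215/exe", O_RDONLY) = 3
--- SIGCHLD (Child exited) ---
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/proc/meminfo", O_RDONLY) = 5
"""

OPEN_RE = re.compile(r'^open\("([^"]*)",\s*[^)]*\)\s*=\s*(-?\d+)')
SIGNAL_RE = re.compile(r'^--- (SIG[A-Z0-9]+)')

# Review rules (assumptions of this example, not verdicts): each is
# (pattern, reason). Only successful opens are matched against them.
RULES = [
    (re.compile(r'^/proc/uptime$'), "uptime read, which the post calls unexpected"),
    (re.compile(r'^/proc/\d+/exe$'), "process opened an executable image via /proc"),
    (re.compile(r'^/etc/ld\.so\.preload$'), "preload file exists; inspect its contents"),
]

def triage(trace):
    """Return (item, reason) pairs for trace lines that deserve review."""
    findings = []
    for line in trace.splitlines():
        sig = SIGNAL_RE.match(line)
        if sig and sig.group(1) == "SIGCHLD":
            findings.append(("SIGCHLD", "traced tool had a child process that exited"))
            continue
        m = OPEN_RE.match(line)
        if not m or int(m.group(2)) < 0:   # skip non-open lines and failed opens
            continue
        path = m.group(1)
        for pattern, reason in RULES:
            if pattern.match(path):
                findings.append((path, reason))
    return findings

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_TRACE):
        print(f"{item}: {reason}")
```

Comparing the findings against the same trace taken from a known-good machine with the same package versions shows which opens are specific to the affected hosts.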