
Re: rootkit not found by rkhunter



On Sun, 4 Oct 2009 10:15:35 -0400 Thomas Krichel wrote:
> krichel@fricka:~/a$ chmod 777 a
> krichel@fricka:~/a$ ./a
> root@fricka:~/a# 
...
> krichel@chichek:~/a$ chmod 777 a
> krichel@chichek:~/a$ ./a
> mmap: Permission denied

this looks like a standard privilege escalation (not a rootkit). it
appears to be using one of the recent null pointer dereference kernel
vulnerabilities.  your fricka machine is probably running one of the
unpatched kernels ('uname -r' will tell you which version you are
currently running).  chichek is up to date since it is preventing
the dereferenced pointer from accessing mmap. 

'apt-get update && apt-get upgrade' followed by a reboot into the new
kernel should bring you up to date.

mike
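
An added example, not part of the original message: a small shell check for the two things the reply points to, namely whether the machine is actually running the newest installed kernel (the reboot step) and whether low-address mappings are restricted. It assumes the refusal seen on chichek corresponds to the kernel's vm.mmap_min_addr setting, which the thread does not name, and that kernel images are installed as /boot/vmlinuz-*; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): host checks for the advice above.
# Assumption: the kernel exposes vm.mmap_min_addr at /proc/sys/vm/mmap_min_addr.

# Classify a vm.mmap_min_addr value: 0 means page zero may be mapped by
# unprivileged processes, any positive value means low mappings are refused.
mmap_min_addr_status() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown" ;;
        *) if [ "$1" -gt 0 ]; then echo "restricted"; else echo "unrestricted"; fi ;;
    esac
}

# Read kernel image paths on stdin and print the highest installed version.
# sort -V (GNU coreutils) orders 2.6.9 before 2.6.26, unlike a plain sort.
newest_installed_kernel() {
    sed -n 's/^.*vmlinuz-//p' | sort -V | tail -n 1
}

# Compare the running kernel ($1) with the newest installed one ($2).
# Any mismatch is reported as reboot-needed.
reboot_status() {
    if [ -z "$2" ]; then echo "unknown"
    elif [ "$1" = "$2" ]; then echo "current"
    else echo "reboot-needed"
    fi
}

# Gather the live values and print a short report; never fails on missing files.
audit_host() {
    running=$(uname -r)
    newest=$(ls /boot/vmlinuz-* 2>/dev/null | newest_installed_kernel)
    min_addr=$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || true)
    echo "running kernel:   $running"
    echo "newest installed: ${newest:-none found}"
    echo "kernel state:     $(reboot_status "$running" "$newest")"
    echo "mmap_min_addr:    ${min_addr:-unreadable} ($(mmap_min_addr_status "$min_addr"))"
}

audit_host
```

A "reboot-needed" result after 'apt-get upgrade' means the patched kernel is on disk but the old one is still running.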

