[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rootkit not found by rkhunter

  Michael S Gilbert writes

> this looks like a standard privilege escalation (not a rootkit). it
> appears to be using one of the recent null pointer dereference kernel
> vulnerabilities.  your fricka machine is probably running one of the
> unpatched kernels ('uname -r' will tell you which version you are
> currently running).  chichek is up to date since it is preventing
> the dereferenced pointer from accessing mmap. 

  Hmmmm, here is a of machines affected and unaffected, with
  their kernel version

fricka  2.6.26-2-686
wotan   2.6.30-1-686
raneb   2.6.22-3-686
loge    2.6.26-2-686
trabbi  2.6.26-2-686
mutabor 2.6.26-2-686

not affected
khufu   2.6.30-1-686
chichek 2.6.30-1-686
nebka   2.6.26-2-686
sahure  2.6.30-1-amd64
snefru  2.6.30-1-686

  On Tuesday I replaced all but /root /etc /var and /home on wotan,
  which was the machine that has the SHV4/SHV5. It runs the latest
  kernel. A cracker came in as a non-priviledged user without deleting
  his history, that's how I found out how become got root. I spotted the
  break from root's deleted .bash_history and the user he got in as 
  from /var/log/auth.log.

  It looks like the affected machines run older kernels, so 
  I will follow your advice and upgrade. 

  Thanks and cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                               skype: thomaskrichel

Reply to: