Re: rootkit not found by rkhunter
Michael S Gilbert writes
> this looks like a standard privilege escalation (not a rootkit). it
> appears to be using one of the recent null pointer dereference kernel
> vulnerabilities. your fricka machine is probably running one of the
> unpatched kernels ('uname -r' will tell you which version you are
> currently running). chichek is up to date since it is preventing
> the dereferenced pointer from accessing mmap.
Hmmmm, here is a list of machines affected and unaffected, with
their kernel version
affected:
  fricka   2.6.26-2-686
  wotan    2.6.30-1-686
  raneb    2.6.22-3-686
  loge     2.6.26-2-686
  trabbi   2.6.26-2-686
  mutabor  2.6.26-2-686
not affected:
  khufu    2.6.30-1-686
  chichek  2.6.30-1-686
  nebka    2.6.26-2-686
  sahure   2.6.30-1-amd64
  snefru   2.6.30-1-686
On Tuesday I replaced all but /root /etc /var and /home on wotan,
which was the machine that has the SHV4/SHV5. It runs the latest
kernel. A cracker came in as a non-privileged user without deleting
his history, that's how I found out how he got root. I spotted the
break from root's deleted .bash_history and the user he got in as
from /var/log/auth.log.
It looks like the affected machines run older kernels, so
I will follow your advice and upgrade.
Thanks and cheers,
Thomas Krichel http://openlib.org/home/krichel
RePEc:per:1965-06-05:thomas_krichel
skype: thomaskrichel