On Sun, Oct 04, 2009 at 11:44:52AM -0400, Thomas Krichel wrote:
> > this looks like a standard privilege escalation (not a rootkit). it
> > appears to be using one of the recent null pointer dereference kernel
> > vulnerabilities. your fricka machine is probably running one of the
> > unpatched kernels ('uname -r' will tell you which version you are
> > currently running). chichek is up to date since it is preventing
> > the dereferenced pointer from accessing mmap.
>
> Hmmmm, here is a of machines affected and unaffected, with
> their kernel version
>
> affected
> fricka 2.6.26-2-686
...

The kernel version reported by uname is not enough to determine the
security status of the kernel. The kernel version number only changes
when the kernel ABI changes. Security updates are often applied without
ABI bumps.

For example, kernel 2.6.26-2-686 was introduced by linux 2.6.26-14.
However, the current version is 2.6.26-19. Several security fixes were
introduced in the various releases between those two versions, yet the
version reported by uname was unchanged.

You need to make sure that the machine actually gets rebooted when
security updates are made.

AFAIK, the best way to know if you're running a stale kernel is to
compare the uptime of the machine against the mtime of the actual kernel
(using, e.g. "stat /boot/vmlinuz-2.6.26-2-686"). If the uptime of the
machine places the last reboot sometime before the kernel was updated,
you're not up to date.

If there's a better way to test this, I'd love to know about it.

noah
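The uptime-versus-mtime check described in the mail, written out as a small POSIX sh script. This is an added example and not code from the mail or from Debian; the constructed banners in the test are sample values, and the second check (comparing the "(Debian <version>)" package string that Debian's kernel builds embed in /proc/version and in the image banner that `file` reports) is an assumption that goes beyond the mail's own method, added because dpkg preserves file mtimes from the package archive, so an image's mtime is its build time rather than the time it was installed on the host.

```shell
#!/bin/sh
# Added example, not part of the original mail: detect a kernel that was
# updated on disk but never booted.
#   1. the uptime-vs-mtime comparison the mail describes
#   2. (assumption, beyond the mail) compare the Debian package version in
#      /proc/version with the one in the on-disk image banner

# boot_epoch: epoch seconds of the last boot, i.e. now minus /proc/uptime.
boot_epoch() {
    now=$(date +%s)
    up=$(cut -d. -f1 /proc/uptime)
    echo $((now - up))
}

# kernel_mtime FILE: mtime of the kernel image as epoch seconds
# (GNU stat; the BSD equivalent would be 'stat -f %m').
kernel_mtime() {
    stat -c %Y "$1"
}

# stale_by_mtime BOOT_EPOCH IMAGE_MTIME: true (0) when the image on disk
# was written after the last boot, so the running kernel is the older one.
stale_by_mtime() {
    [ "$2" -gt "$1" ]
}

# deb_version BANNER: extract "Debian X.Y.Z-N" from a kernel banner such as
# /proc/version or 'file -b /boot/vmlinuz-...'. Assumes the Debian build
# embeds "(Debian <version>)" in the banner; prints nothing otherwise.
deb_version() {
    printf '%s\n' "$1" | sed -n 's/.*(\(Debian [^)]*\)).*/\1/p'
}

# stale_by_version RUNNING_BANNER IMAGE_BANNER: true (0) when both banners
# carry a Debian package version and the two differ.
stale_by_version() {
    a=$(deb_version "$1")
    b=$(deb_version "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# check_running_kernel [IMAGE]: run both checks against this host.
# Exit status: 0 up to date, 1 stale, 2 image not readable.
check_running_kernel() {
    img=${1:-/boot/vmlinuz-$(uname -r)}
    if [ ! -r "$img" ]; then
        echo "cannot read $img" >&2
        return 2
    fi
    rc=0
    boot=$(boot_epoch)
    mtime=$(kernel_mtime "$img")
    if stale_by_mtime "$boot" "$mtime"; then
        echo "STALE: $img written at $mtime, last boot at $boot (epoch seconds)"
        rc=1
    fi
    # Second check only where 'file' is available to read the image banner.
    if command -v file >/dev/null 2>&1; then
        running=$(cat /proc/version)
        image=$(file -b "$img")
        if stale_by_version "$running" "$image"; then
            echo "STALE: running $(deb_version "$running"), installed $(deb_version "$image")"
            rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $img matches the running kernel"
    fi
    return "$rc"
}

# Usage: sh kernel-check.sh --check [/boot/vmlinuz-<version>]
if [ "${1-}" = "--check" ]; then
    check_running_kernel "${2-}"
fi
```

Run it as `sh kernel-check.sh --check` on the host in question; the exit status is 1 when either check says the running kernel is older than the installed image, which makes it usable from cron or a monitoring agent. The mtime check alone misses the case where the host booted after the package was built but before it was installed, which is why the version-string comparison is included alongside it.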