Re: exim4 router problems for 2 days / suspicious process "zinit" in pstree

On 17.12.2010 14:01, Vladislav Kurz wrote:
On Friday 17 of December 2010, you wrote:
On 17.12.2010 13:49, Vladislav Kurz wrote:
On Friday 17 of December 2010, you wrote:
On 17.12.2010 13:17, Vladislav Kurz wrote:
On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:
On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
On Friday 17 of December 2010, Thorsten Göllner wrote:

The other point is that pstree reports a process "zinit" that I have never
seen before:


But I do not have any idea what it is. And I cannot see the process
with "ps":
If pstree shows zinit and ps does not, it might mean that you are
already rooted (owned, hacked, cracked, etc), and your ps binary was
modified to hide the presence of rootkit named zinit.
Good point.

Try to check the md5sum of ps:

# apt-get install debsums
# debsums procps
just for reference - md5sum of /bin/ps on i386/lenny
(checked from freshly downloaded package)

a6094706266c8ec3b068cf964824afee  /bin/ps
Thanks! My package matches.
Hmm, that's strange, because if it's hacked, it shouldn't match.
Maybe even md5sum is hacked.

Please download procps, and md5sum on some clean computer, get them on
the problem machine, preferably on CD or some other non-writable media
and run those clean binaries.

Or if you can take your server down, reboot from any live-CD and check
md5sums again, using md5sum from live-cd.
Uh! OK, I don't really have a chance to access the box right now (too far
away). Could you give me this from your box?
# shasum /bin/ps
234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps
it's the same:
234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps

hmmmm, maybe the rootkit did not modify ps, but some system call that is used
by ps. Is it still the case that "ps ax" does not show zinit and pstree does?
What about top?

I removed /sbin/zinit and did a reboot. The process is gone and I cannot find out more about it now, sorry.

So my "big" last critical question is "Shall I reinstall?":
- /usr/bin/md5sum seems to be ok
- all installed packages are checked via debsums (maybe the local md5 database has been manipulated? Can I update this database via dpkg?)
- zinit is gone
- no suspicious listening process can be found. A portscan is fine.
- /etc/passwd is ok
- Passwords were changed
- iptables -L is fine
- chkrootkit is fine (running from running system NOT from LiveCD)

Hard to say ...
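The symptom discussed in this thread (pstree lists a process, ps does not) can be checked directly, since both tools get their data from /proc: every numeric entry in /proc that the ps binary fails to report is a candidate for a hidden process. The script below is an added example for that cross-check and is not from the thread or from procps/psmisc; the function and variable names are my own.

```sh
#!/bin/sh
# Cross-check the kernel's process list (/proc) against what the ps binary
# reports. A PID present in /proc but absent from ps output is the situation
# described in the thread: a replaced ps (or a library it uses) hiding a process.

# Kernel view: numeric entries of /proc (pstree reads /proc the same way).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        echo "${d#/proc/}"
    done
}

# Userland view: whatever the (possibly trojaned) ps binary is willing to show.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids KERNEL_LIST PS_LIST
# Print every PID in KERNEL_LIST (newline-separated) that is missing from
# PS_LIST. Takes both lists as arguments so saved snapshots can be compared too.
hidden_pids() {
    psview=" $(printf '%s' "$2" | tr '\n' ' ') "
    for pid in $1; do
        case "$psview" in
            *" $pid "*) ;;          # reported by ps: fine
            *) echo "$pid" ;;       # in /proc but not in ps output
        esac
    done
}

# Live check. Processes that exit between the two snapshots (including the
# subshells this script spawns) would show up as false positives, so every hit
# is confirmed with a second look at /proc. A kernel-level rootkit that filters
# /proc itself is not caught here; for that, compare against a boot from clean
# media, as the thread suggests.
if command -v ps >/dev/null 2>&1 && [ -d /proc ]; then
    for pid in $(hidden_pids "$(proc_pids)" "$(ps_pids)"); do
        if [ -d "/proc/$pid" ]; then
            printf 'PID %s exists in /proc but ps does not list it: %s\n' \
                "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
fi
```

Run it with the clean ps from removable media as well as the installed one; if only the installed ps misses a PID, the binary (or its libraries) is the problem, and if both miss it while pstree shows it, look at the kernel.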

