Sorry, vmg35 is an Ubuntu 10.x machine.
On Tue, Mar 1, 2011 at 3:06 PM, satish patel <[email protected]> wrote:
> I have two identical systems and I cross-checked with that system and I
> found the following result.
>
> Trojan-infected system (what is this "deleted"?)
>
> root@vmg035:/usr/local/src/ossec# cat /proc/1/maps
> 7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
> 7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
> 7f6c7d350000-7f6c7d351000 r--p 0000b000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
> 7f6c7d351000-7f6c7d352000 rw-p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
> 7f6c7d352000-7f6c7d35c000 r-xp 00000000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
> 7f6c7d35c000-7f6c7d55b000 ---p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
> 7f6c7d55b000-7f6c7d55c000 r--p 00009000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
> 7f6c7d55c000-7f6c7d55d000 rw-p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
> 7f6c7d55d000-7f6c7d574000 r-xp 00000000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
> 7f6c7d574000-7f6c7d773000 ---p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
> 7f6c7d773000-7f6c7d774000 r--p 00016000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
> 7f6c7d774000-7f6c7d775000 rw-p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
> 7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
> 7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
> 7f6c7d77f000-7f6c7d97e000 ---p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
> 7f6c7d97e000-7f6c7d97f000 r--p 00007000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
> 7f6c7d97f000-7f6c7d980000 rw-p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>
> Other identical system
>
> [root@test035 ~]# cat /proc/1/maps
> 005c4000-005d1000 r-xp 00000000 fd:00 869076 /lib/libsepol.so.1
> 005d1000-005d2000 rw-p 0000c000 fd:00 869076 /lib/libsepol.so.1
> 005d2000-005da000 rw-p 005d2000 00:00 0
> 00665000-00672000 r-xp 00000000 fd:00 869075 /lib/libselinux.so.1
> 00672000-00673000 rw-p 0000d000 fd:00 869075 /lib/libselinux.so.1
> 00891000-008a7000 r-xp 00000000 fd:00 869014 /lib/ld-2.3.4.so
> 008a7000-008a8000 r--p 00015000 fd:00 869014 /lib/ld-2.3.4.so
> 008a8000-008a9000 rw-p 00016000 fd:00 869014 /lib/ld-2.3.4.so
> 00987000-00988000 r-xp 00000000 fd:00 869031 /lib/libcwait.so
> 00988000-00989000 rw-p 00000000 fd:00 869031 /lib/libcwait.so
> 00adb000-00c05000 r-xp 00000000 fd:00 902502 /lib/tls/libc-2.3.4.so
> 00c05000-00c07000 r--p 00129000 fd:00 902502 /lib/tls/libc-2.3.4.so
> 00c07000-00c09000 rw-p 0012b000 fd:00 902502 /lib/tls/libc-2.3.4.so
> 00c09000-00c0b000 rw-p 00c09000 00:00 0
> 08048000-0804f000 r-xp 00000000 fd:00 1613974 /sbin/init
> 0804f000-08050000 rw-p 00007000 fd:00 1613974 /sbin/init
> 0930a000-0932b000 rw-p 0930a000 00:00 0
> b7f74000-b7f76000 rw-p b7f74000 00:00 0
> bfe13000-c0000000 rw-p bfe13000 00:00 0
>
> On Tue, Mar 1, 2011 at 3:00 PM, Castle, Shane <[email protected]> wrote:
>> I'd cross-check with one of the rootkit checking tools but yes, kinda
>> looks like you've been pwned.
>>
>> --
>> Shane Castle
>> Data Security Mgr, Boulder County IT
>> CISSP GSEC GCIH
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of satish patel
>> Sent: Tuesday, March 01, 2011 12:53
>> To: [email protected]
>> Subject: [ossec-list] Trojan found on Redhat AS4
>>
>> I have just installed OSSEC 2.5.1 on one of the Redhat AS4 Linux
>> machines and I got the following message. What the heck is this? Is this
>> a real trojan?
>>
>> Received From: vmg035->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> Portion of the log(s):
>>
>> Trojaned version of file '/proc/1/maps' detected. Signature used: 'init.' (Suckit rootkit).
>>
>> -Satish
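A note on what the thread is comparing, followed by an added triage script that is not code from the thread or from OSSEC. The "(deleted)" suffix in /proc/1/maps is the kernel's way of saying that the file backing a mapping was unlinked or replaced after init mapped it. That happens legitimately when a package upgrade replaces glibc's NSS libraries underneath the running init (the ".dpkg-new" name is the temporary name dpkg uses while unpacking a new version of a file), and it also happens when something has loaded a library into PID 1 that has since been removed from disk, which is why rootcheck's Suckit signature inspects this file. Note also that the two systems are not identical for this purpose: test035 runs glibc 2.3.4 (Red Hat AS4), while vmg035 runs glibc 2.11.1 (the Ubuntu 10.x machine named in the reply), so their maps differ in layout for reasons unrelated to the alert. The script below parses maps text, groups mappings whose backing file is marked deleted, and reports them so a box can be compared against a known-good one; the sample inputs are the vmg035 excerpt quoted above and a three-line excerpt from test035, and all function names are my own. The natural follow-up on a flagged host is to verify the named libraries against the package database (debsums on Debian/Ubuntu, rpm -V on Red Hat) and to check whether the markers clear after the affected service (here, init, so a reboot) is restarted.

```python
"""Triage helper for "(deleted)" entries in /proc/<pid>/maps (added example).

A "(deleted)" marker means the inode behind a mapping was unlinked or replaced
after the process mapped it.  Package upgrades that replace shared libraries
under a long-running process (PID 1 especially) cause this; so does a library
loaded into the process and then removed from disk.  This script only reports
the facts needed to tell the two apart with the package manager.
"""
import sys
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the /proc/1/maps excerpt quoted for vmg035 above.
SAMPLE_VMG035 = """\
7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d350000-7f6c7d351000 r--p 0000b000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d351000-7f6c7d352000 rw-p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d352000-7f6c7d35c000 r-xp 00000000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d35c000-7f6c7d55b000 ---p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55b000-7f6c7d55c000 r--p 00009000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55c000-7f6c7d55d000 rw-p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55d000-7f6c7d574000 r-xp 00000000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d574000-7f6c7d773000 ---p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d773000-7f6c7d774000 r--p 00016000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d774000-7f6c7d775000 rw-p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d77f000-7f6c7d97e000 ---p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d97e000-7f6c7d97f000 r--p 00007000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d97f000-7f6c7d980000 rw-p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
"""

# Constructed sample input: the first three lines quoted for test035 above.
SAMPLE_TEST035 = """\
005c4000-005d1000 r-xp 00000000 fd:00 869076 /lib/libsepol.so.1
005d1000-005d2000 rw-p 0000c000 fd:00 869076 /lib/libsepol.so.1
005d2000-005da000 rw-p 005d2000 00:00 0
"""

_DELETED = " (deleted)"


@dataclass
class Mapping:
    start: int
    end: int
    perms: str            # e.g. "r-xp"; "x" means code runs from this range
    offset: int
    dev: str
    inode: int
    path: Optional[str]   # None for anonymous mappings
    deleted: bool         # True when the kernel appended " (deleted)"


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records, one per line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The first five fields are fixed; the remainder is the path, which may
        # itself contain spaces and the trailing " (deleted)" marker.
        fields = line.split(None, 5)
        if len(fields) < 5:
            raise ValueError("malformed maps line: %r" % line)
        addr, perms, offset, dev, inode = fields[:5]
        path = fields[5] if len(fields) == 6 else None
        deleted = path is not None and path.endswith(_DELETED)
        if deleted:
            path = path[: -len(_DELETED)]
        start, end = (int(x, 16) for x in addr.split("-", 1))
        out.append(Mapping(start, end, perms, int(offset, 16), dev,
                           int(inode), path, deleted))
    return out


def deleted_files(mappings: Iterable[Mapping]) -> Dict[str, List[Mapping]]:
    """Group mappings whose backing file is marked deleted, keyed by path."""
    grouped: Dict[str, List[Mapping]] = OrderedDict()
    for m in mappings:
        if m.deleted and m.path is not None:
            grouped.setdefault(m.path, []).append(m)
    return grouped


def report(text: str) -> List[str]:
    """One triage line per deleted backing file; an empty list means none."""
    lines = []
    for path, maps in deleted_files(parse_maps(text)).items():
        perms = ",".join(sorted({m.perms for m in maps}))
        exe = " (includes executable code)" if any("x" in m.perms for m in maps) else ""
        # ".dpkg-new" is dpkg's temporary name while unpacking a new file version.
        hint = ("dpkg temporary name; likely a package upgrade, verify with debsums"
                if ".dpkg-new" in path else
                "file unlinked or replaced after mapping; verify against the package database")
        lines.append("%s: %d mapping(s) [%s]%s; %s" % (path, len(maps), perms, exe, hint))
    return lines


if __name__ == "__main__":
    # Usage: python3 maps_triage.py /proc/1/maps   (defaults to the embedded sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMG035
    print("\n".join(report(src)) or "no deleted backing files")
```

Running it against the vmg035 sample lists four libraries (the three NSS modules and libnsl), all with an executable segment, and nothing for test035; the dpkg hint on libnss_compat is what makes the package-upgrade explanation worth checking before assuming a rootkit.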
