Hello,

Yes, I have an idea. Your server runs Fedora Core (4); that version is not 
supported anymore. You will no longer receive security updates to packages for 
Fedora Core 4. For production you should highly consider changing your OS to an 
"enterprise level" supported OS. According to me, that's the key of your 
problem. Probably you are running a kernel with security holes...

regards,

Erik
  ----- Original Message ----- 
  From: Mike Yates 
  To: [email protected] 
  Sent: Tuesday, May 08, 2007 12:23 PM
  Subject: [Rkhunter-users] Kernel panic - possibly rkhunter's fault


  Hi
  This is how our server failed this morning:-

  May  8 04:01:30 hawksvr5 smbd[948]:   Error writing 4 bytes to client. -1. (Connection reset by peer)
  May  8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 000001b0
  May  8 04:03:36 hawksvr5 kernel:  printing eip:
  May  8 04:03:36 hawksvr5 kernel: c0496d32
  May  8 04:03:36 hawksvr5 kernel: *pde = 0b00f001
  May  8 04:03:36 hawksvr5 kernel: Oops: 0000 [#1]
  May  8 04:03:36 hawksvr5 kernel: SMP
  May  8 04:03:36 hawksvr5 kernel: last sysfs file: /block/sda/sda2/stat
  May  8 04:03:36 hawksvr5 kernel: Modules linked in: vmnet(U) parport_pc vmmon(U) vfat fat loop nls_utf8 cifs nfsd exportfs lockd nfs_acl lp deflate zlib_deflate twofish serpent blowfish sha256 crypto_null aes des xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 eeprom i2c_isa tun parport sunrpc dm_mod video button battery ac ipv6 uhci_hcd ehci_hcd e752x_edac edac_mc hw_random i2c_i801 i2c_core e1000 ext3 jbd megaraid_mbox megaraid_mm sd_mod scsi_mod
  May  8 04:03:36 hawksvr5 kernel: CPU:    3
  May  8 04:03:36 hawksvr5 kernel: EIP:    0060:[<c0496d32>]    Tainted: P      VLI
  May  8 04:03:36 hawksvr5 kernel: EFLAGS: 00010246   (2.6.17-1.2142_FC4smp #1)
  May  8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
  May  8 04:03:36 hawksvr5 kernel: eax: 00000000   ebx: e1db8f40   ecx: 00000000   edx: d5b62130
  May  8 04:03:36 hawksvr5 su(pam_unix)[31718]: session closed for user ccm_root
  May  8 04:03:36 hawksvr5 kernel: esi: 00000070   edi: 00100071   ebp: dec72a78   esp: e3bf8f10
  May  8 04:03:36 hawksvr5 su(pam_unix)[11781]: session opened for user ccm_root by (uid=0)
  May  8 04:03:36 hawksvr5 kernel: ds: 007b   es: 007b   ss: 0068
  May  8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, threadinfo=e3bf8000 task=c36d19f0)
  May  8 04:03:37 hawksvr5 kernel: Stack: 00000000 00000001 00000008 00122000 00000078 d5b62130 e20038c0 dcecb180
  May  8 04:03:37 hawksvr5 kernel:        002add28 c0496f01 c06ff310 e1db8f40 dec72a78 00000142 c0483a3b 00000400
  May  8 04:03:37 hawksvr5 kernel:        b7f60000 eb378ec0 e1db8f60 00000000 00000005 00000000 00000004 00000000
  May  8 04:03:38 hawksvr5 kernel: Call Trace:
  May  8 04:03:38 hawksvr5 kernel:  <c0496f01> m_next+0x12/0x44  <c0483a3b> seq_read+0x198/0x268
  May  8 04:03:38 hawksvr5 kernel:  <c04838a3> seq_read+0x0/0x268  <c0466efc> vfs_read+0xa4/0x146
  May  8 04:03:38 hawksvr5 kernel:  <c04678bb> sys_read+0x3c/0x63  <c0403d2f> syscall_call+0x7/0xb
  May  8 04:03:38 hawksvr5 kernel: Code: 24 0c 89 f8 24 80 3c 01 19 f6 83 e6 fd 83 c6 73 f7 c7 04 00 00 00 75 1e 83 3d 0c d2 7f c0 00 75 1f 8b 54 24 14 8b 82 90 00 00 00 <8b> 80 b0 01 00 00 39 45 04 73 0a c7 44 24 10 78 00 00 00 eb 08
  May  8 04:03:39 hawksvr5 kernel: EIP: [<c0496d32>] show_map_internal+0x95/0x21a SS:ESP 0068:e3bf8f10
  May  8 04:03:39 hawksvr5 kernel:  <0>Fatal exception: panic in 5 seconds
  May  8 07:46:44 hawksvr5 syslogd 1.4.1: restart.

  I love the way it "planned" to panic in 5 seconds!

  The only other log record at 04:03 is /var/log/rkhunter.log:-

  [04:03:34] -------------------------- Open files tests ---------------------------
  [04:03:34] Scanning running processes...
  (END)

  Which usually goes on:-

  [04:03:03] -------------------------- Open files tests ---------------------------
  [04:03:03] Scanning running processes... OK
  [04:03:04] Scanned for 'backdoor|adore.so|mod_rootme.so|phide_mod.o|lbk.ko|vlogger.o|cleaner.o|mod_klgr.o|hydra|hydra.restore'
  [04:03:04] ----------------------- Login backdoors check ------------------------

  [EMAIL PROTECTED] ~]# rkhunter --version
  Rootkit Hunter 1.2.9
  [EMAIL PROTECTED] ~]# uname -a
  Linux hawksvr5.linux.local 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux


  Any ideas?

  Mike Yates CMBCS (ISSG)
  IT Support Engineer


------------------------------------------------------------------------------
  Hawkgrove Ltd  -  Software Systems Design
  2, The Business Courtyard, Marl Pits Lane, Trudoxhill, Frome, Somerset, BA11 
5DL, UK
  +44 (0)1373 837900     fax:  +44 (0)8700 518155
  Registered in England: 2756481  VAT Reg: UK 601 1137 11
  Registered Office: NSO Associates LLP, 75 Springfield Road, Chelmsford, Essex 
CM2 6JB
  _______________________________________________
  Rkhunter-users mailing list
  [email protected]
  https://lists.sourceforge.net/lists/listinfo/rkhunter-users
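
Added example (not part of either message, and not rkhunter code): a small Python triage of the oops quoted above. It pulls the faulting process, EIP symbol, taint flag and kernel release out of the syslog lines and checks whether rkhunter's last logged step ever received a result. The sample lines are copied from the logs in this thread; the function and field names are this example's own.

```python
import re

# Sample input copied from the logs quoted above (e-mail line wrapping undone).
SYSLOG = """\
May  8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 000001b0
May  8 04:03:36 hawksvr5 kernel: EIP:    0060:[<c0496d32>]    Tainted: P      VLI
May  8 04:03:36 hawksvr5 kernel: EFLAGS: 00010246   (2.6.17-1.2142_FC4smp #1)
May  8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
May  8 04:03:36 hawksvr5 su(pam_unix)[31718]: session closed for user ccm_root
May  8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, threadinfo=e3bf8000 task=c36d19f0)
May  8 04:03:38 hawksvr5 kernel:  <c0496f01> m_next+0x12/0x44  <c0483a3b> seq_read+0x198/0x268
"""
RKHUNTER_LOG = """\
[04:03:34] -------------------------- Open files tests ---------------------------
[04:03:34] Scanning running processes...
"""

KERNEL = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ kernel: (.*)$")
FIELDS = {  # one regex per triage field; the field names are this example's own
    "fault_addr": re.compile(r"BUG: unable to handle kernel .* at virtual address ([0-9a-f]+)"),
    "taint": re.compile(r"Tainted: (\S+)"),  # "P" = a proprietary module was loaded
    "release": re.compile(r"EFLAGS: [0-9a-f]+\s+\((\S+)"),
    "eip_symbol": re.compile(r"EIP is at (\S+)"),
    "process": re.compile(r"Process (\S+) \(pid: \d+"),
    "pid": re.compile(r"Process \S+ \(pid: (\d+)"),
}
FRAME = re.compile(r"<[0-9a-f]{8}> (\w+)\+0x")  # "<address> symbol+0xoff" call-trace entries

def parse_oops(syslog):
    """Collect the triage fields of one i386 oops from interleaved syslog lines."""
    oops = {"trace": []}
    for m in filter(None, map(KERNEL.match, syslog.splitlines())):  # kernel lines only
        when, msg = m.groups()
        for key, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit and key not in oops:
                oops[key] = hit.group(1)
                oops.setdefault("time", when)  # time of the first oops field seen
        oops["trace"] += FRAME.findall(msg)
    return oops

def unfinished_rkhunter_step(rk_log):
    """Return (time, text) of the last rkhunter log line if it never got a result."""
    last = [l.strip() for l in rk_log.splitlines() if l.strip().startswith("[")][-1]
    when, text = last[1:9], last[11:]
    return (when, text) if text.endswith("...") else None

if __name__ == "__main__":
    print(parse_oops(SYSLOG), unfinished_rkhunter_step(RKHUNTER_LOG))
```

On these samples the oops is attributed to lsof (pid 11707) inside seq_read, two seconds after rkhunter logged "Scanning running processes..." without a result.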