Mike Yates wrote: > Hi > This is how our server failed this morning:- > > May 8 04:01:30 hawksvr5 smbd[948]: Error writing 4 bytes to client. > -1. (Connection reset by peer) > May 8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL > pointer dereference at virtual address 000001b0 > May 8 04:03:36 hawksvr5 kernel: printing eip: > May 8 04:03:36 hawksvr5 kernel: c0496d32 > May 8 04:03:36 hawksvr5 kernel: *pde = 0b00f001 > May 8 04:03:36 hawksvr5 kernel: Oops: 0000 [#1] > May 8 04:03:36 hawksvr5 kernel: SMP > May 8 04:03:36 hawksvr5 kernel: last sysfs file: /block/sda/sda2/stat > May 8 04:03:36 hawksvr5 kernel: Modules linked in: vmnet(U) parport_pc > vmmon(U) vfat fat loop nls_utf8 cifs nfsd exportfs lockd nfs_acl lp > deflate zlib_deflate twofish serpent blowfish sha256 crypto_null aes des > xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 eeprom i2c_isa tun > parport sunrpc dm_mod video button battery ac ipv6 uhci_hcd ehci_hcd > e752x_edac edac_mc hw_random i2c_i801 i2c_core > e1000 ext3 jbd megaraid_mbox megaraid_mm sd_mod scsi_mod > May 8 04:03:36 hawksvr5 kernel: CPU: 3 > May 8 04:03:36 hawksvr5 kernel: EIP: 0060:[<c0496d32>] Tainted: P > VLI > May 8 04:03:36 hawksvr5 kernel: EFLAGS: 00010246 > (2.6.17-1.2142_FC4smp #1) > May 8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a > May 8 04:03:36 hawksvr5 kernel: eax: 00000000 ebx: e1db8f40 ecx: > 00000000 > edx: d5b62130 > May 8 04:03:36 hawksvr5 su(pam_unix)[31718]: session closed for user > ccm_root > May 8 04:03:36 hawksvr5 kernel: esi: 00000070 edi: 00100071 ebp: > dec72a78 > esp: e3bf8f10 > May 8 04:03:36 hawksvr5 su(pam_unix)[11781]: session opened for user > ccm_root by (uid=0) > May 8 04:03:36 hawksvr5 kernel: ds: 007b es: 007b ss: 0068 > May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, > threadinfo=e3bf8000 task=c36d19f0) > May 8 04:03:37 hawksvr5 kernel: Stack: 00000000 00000001 00000008 > 00122000 00000078 d5b62130 e20038c0 dcecb180 > May 8 04:03:37 hawksvr5 kernel: 002add28 c0496f01 c06ff310 > e1db8f40 dec72a78 00000142 c0483a3b 00000400 > May 8 04:03:37 hawksvr5 kernel: b7f60000 eb378ec0 e1db8f60 > 00000000 00000005 00000000 00000004 00000000 > May 8 04:03:38 hawksvr5 kernel: Call Trace: > May 8 04:03:38 hawksvr5 kernel: <c0496f01> m_next+0x12/0x44 > <c0483a3b> seq_read+0x198/0x268 > May 8 04:03:38 hawksvr5 kernel: <c04838a3> seq_read+0x0/0x268 > <c0466efc> vfs_read+0xa4/0x146 > May 8 04:03:38 hawksvr5 kernel: <c04678bb> sys_read+0x3c/0x63 > <c0403d2f> syscall_call+0x7/0xb > May 8 04:03:38 hawksvr5 kernel: Code: 24 0c 89 f8 24 80 3c 01 19 f6 83 > e6 fd 83 c6 73 f7 c7 04 00 00 00 75 1e 83 3d 0c d2 7f c0 00 75 1f 8b 54 > 24 14 8b 82 90 00 00 00 <8b> 80 b0 01 00 00 39 45 04 73 0a c7 44 24 10 > 78 00 00 00 eb 08 > May 8 04:03:39 hawksvr5 kernel: EIP: [<c0496d32>] > show_map_internal+0x95/0x21a > SS:ESP 0068:e3bf8f10 > May 8 04:03:39 hawksvr5 kernel: <0>Fatal exception: panic in 5 seconds > May 8 07:46:44 hawksvr5 syslogd 1.4.1: restart. > > I love the way it "planned" to panic in 5 seconds! > > The only other log record at 04:03 is /var/log/rkhunter.log:- > > [04:03:34] -------------------------- Open files tests > --------------------------- > [04:03:34] Scanning running processes... > (END) > > Which usually goes on:- > > [04:03:03] -------------------------- Open files tests > --------------------------- > [04:03:03] Scanning running processes... OK > [04:03:04] Scanned for > 'backdoor|adore.so|mod_rootme.so|phide_mod.o|lbk.ko|vlogger.o|cleaner.o|mod_klgr.o|hydra|hydra.restore' > [04:03:04] ----------------------- Login backdoors check > ------------------------ > > [EMAIL PROTECTED] <javascript:cia("new","[EMAIL PROTECTED]")> ~]# rkhunter > --version > Rootkit Hunter 1.2.9 > [EMAIL PROTECTED] <javascript:cia("new","[EMAIL PROTECTED]")> ~]# uname -a > Linux hawksvr5.linux.local 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 > 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux > > > Any ideas?
A kernel panic triggered by a userland application constitutes a bug in the kernel AFAIK. Why exactly do you believe this is a problem caused by rkhunter? Fedora Core 4 is an EOL'd release by the way. Only Fedora Core 5 and 6 are supported at the moment and even Fedora Core 5 will be EOL at the end of next month (around the time Fedora 7 will be released). Nils Breunese. ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users