Mike Yates wrote:
> Hi
> This is how our server failed this morning:-
>
> May 8 04:01:30 hawksvr5 smbd[948]: Error writing 4 bytes to client.
> -1. (Connection reset by peer)
> May 8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL
> pointer dereference at virtual address 000001b0
> May 8 04:03:36 hawksvr5 kernel: printing eip:
> May 8 04:03:36 hawksvr5 kernel: c0496d32
> May 8 04:03:36 hawksvr5 kernel: *pde = 0b00f001
> May 8 04:03:36 hawksvr5 kernel: Oops: 0000 [#1]
> May 8 04:03:36 hawksvr5 kernel: SMP
> May 8 04:03:36 hawksvr5 kernel: last sysfs file: /block/sda/sda2/stat
> May 8 04:03:36 hawksvr5 kernel: Modules linked in: vmnet(U) parport_pc
> vmmon(U) vfat fat loop nls_utf8 cifs nfsd exportfs lockd nfs_acl lp
> deflate zlib_deflate twofish serpent blowfish sha256 crypto_null aes des
> xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 eeprom i2c_isa tun
> parport sunrpc dm_mod video button battery ac ipv6 uhci_hcd ehci_hcd
> e752x_edac edac_mc hw_random i2c_i801 i2c_core
> e1000 ext3 jbd megaraid_mbox megaraid_mm sd_mod scsi_mod
> May 8 04:03:36 hawksvr5 kernel: CPU: 3
> May 8 04:03:36 hawksvr5 kernel: EIP: 0060:[<c0496d32>] Tainted: P
> VLI
> May 8 04:03:36 hawksvr5 kernel: EFLAGS: 00010246
> (2.6.17-1.2142_FC4smp #1)
> May 8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
> May 8 04:03:36 hawksvr5 kernel: eax: 00000000 ebx: e1db8f40 ecx:
> 00000000
> edx: d5b62130
> May 8 04:03:36 hawksvr5 su(pam_unix)[31718]: session closed for user
> ccm_root
> May 8 04:03:36 hawksvr5 kernel: esi: 00000070 edi: 00100071 ebp:
> dec72a78
> esp: e3bf8f10
> May 8 04:03:36 hawksvr5 su(pam_unix)[11781]: session opened for user
> ccm_root by (uid=0)
> May 8 04:03:36 hawksvr5 kernel: ds: 007b es: 007b ss: 0068
> May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707,
> threadinfo=e3bf8000 task=c36d19f0)
> May 8 04:03:37 hawksvr5 kernel: Stack: 00000000 00000001 00000008
> 00122000 00000078 d5b62130 e20038c0 dcecb180
> May 8 04:03:37 hawksvr5 kernel: 002add28 c0496f01 c06ff310
> e1db8f40 dec72a78 00000142 c0483a3b 00000400
> May 8 04:03:37 hawksvr5 kernel: b7f60000 eb378ec0 e1db8f60
> 00000000 00000005 00000000 00000004 00000000
> May 8 04:03:38 hawksvr5 kernel: Call Trace:
> May 8 04:03:38 hawksvr5 kernel: <c0496f01> m_next+0x12/0x44
> <c0483a3b> seq_read+0x198/0x268
> May 8 04:03:38 hawksvr5 kernel: <c04838a3> seq_read+0x0/0x268
> <c0466efc> vfs_read+0xa4/0x146
> May 8 04:03:38 hawksvr5 kernel: <c04678bb> sys_read+0x3c/0x63
> <c0403d2f> syscall_call+0x7/0xb
> May 8 04:03:38 hawksvr5 kernel: Code: 24 0c 89 f8 24 80 3c 01 19 f6 83
> e6 fd 83 c6 73 f7 c7 04 00 00 00 75 1e 83 3d 0c d2 7f c0 00 75 1f 8b 54
> 24 14 8b 82 90 00 00 00 <8b> 80 b0 01 00 00 39 45 04 73 0a c7 44 24 10
> 78 00 00 00 eb 08
> May 8 04:03:39 hawksvr5 kernel: EIP: [<c0496d32>]
> show_map_internal+0x95/0x21a
> SS:ESP 0068:e3bf8f10
> May 8 04:03:39 hawksvr5 kernel: <0>Fatal exception: panic in 5 seconds
> May 8 07:46:44 hawksvr5 syslogd 1.4.1: restart.
>
> I love the way it "planned" to panic in 5 seconds!
>
> The only other log record at 04:03 is /var/log/rkhunter.log:-
>
> [04:03:34] -------------------------- Open files tests
> ---------------------------
> [04:03:34] Scanning running processes...
> (END)
>
> Which usually goes on:-
>
> [04:03:03] -------------------------- Open files tests
> ---------------------------
> [04:03:03] Scanning running processes... OK
> [04:03:04] Scanned for
> 'backdoor|adore.so|mod_rootme.so|phide_mod.o|lbk.ko|vlogger.o|cleaner.o|mod_klgr.o|hydra|hydra.restore'
> [04:03:04] ----------------------- Login backdoors check
> ------------------------
>
> [EMAIL PROTECTED] ~]# rkhunter --version
> Rootkit Hunter 1.2.9
> [EMAIL PROTECTED] ~]# uname -a
> Linux hawksvr5.linux.local 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11
> 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux
>
>
> Any ideas?
A kernel panic triggered by a userland application constitutes a bug in
the kernel AFAIK. Why exactly do you believe this is a problem caused by
rkhunter?
Fedora Core 4 is an EOL'd release by the way. Only Fedora Core 5 and 6
are supported at the moment and even Fedora Core 5 will be EOL at the
end of next month (around the time Fedora 7 will be released).
Nils Breunese.
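Added example, not from either poster: a small Python script that pulls the bug-report fields out of an oops like the one above (faulting symbol, process and pid, taint flag, call trace) and lines it up with the rkhunter.log timestamps, so the "Open files tests" step that was running when lsof read /proc stands out without eyeballing two logs. The sample lines are constructed from the quoted logs with the mail client's line wrapping undone; treating "(U)" as the Fedora kernel's unsupported-module flag is an assumption.

```python
import re
# Constructed sample: the thread's syslog and rkhunter.log lines, mail wrapping undone.
SYSLOG = """\
May 8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 000001b0
May 8 04:03:36 hawksvr5 kernel: Modules linked in: vmnet(U) parport_pc vmmon(U) vfat fat cifs nfsd
May 8 04:03:36 hawksvr5 kernel: EIP: 0060:[<c0496d32>] Tainted: P VLI
May 8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, threadinfo=e3bf8000 task=c36d19f0)
May 8 04:03:38 hawksvr5 kernel: <c0496f01> m_next+0x12/0x44 <c0483a3b> seq_read+0x198/0x268
May 8 04:03:38 hawksvr5 kernel: <c04678bb> sys_read+0x3c/0x63 <c0403d2f> syscall_call+0x7/0xb
"""
RKHUNTER_LOG = """\
[04:03:04] Scanned for 'backdoor|adore.so|mod_rootme.so'
[04:03:34] -------------------------- Open files tests ---------------------------
[04:03:34] Scanning running processes...
"""
KMSG = re.compile(r"^\w+ +\d+ (\d\d:\d\d:\d\d) \S+ kernel: (.*)$", re.M)

def parse_oops(syslog):
    """Extract the fields a kernel bug report needs from an i386 2.6 oops."""
    o = {"modules": [], "call_trace": []}
    for ts, msg in KMSG.findall(syslog):
        if msg.startswith("BUG:"):
            o["time"], o["fault_addr"] = ts, re.search(r"address (\w+)", msg).group(1)
        elif msg.startswith("Modules linked in:"):
            o["modules"] = msg.split(":", 1)[1].split()
        elif "Tainted:" in msg:
            # 'P' = proprietary module loaded; (U) is assumed to be the distro's
            # unsupported-module flag (the VMware modules here). Upstream will want
            # the oops reproduced without them before treating it as a kernel bug.
            o["tainted"] = msg.split("Tainted:")[1].split()[0]
            o["unsupported_modules"] = [x for x in o["modules"] if x.endswith("(U)")]
        elif msg.startswith("EIP is at "):
            o["eip_symbol"] = msg[len("EIP is at "):].split("+")[0]
        elif msg.startswith("Process "):
            p = re.match(r"Process (\S+) \(pid: (\d+)", msg)
            o["process"], o["pid"] = p.group(1), int(p.group(2))
        else:  # call-trace lines: "<addr> symbol+0xoff/0xsize ..."
            o["call_trace"] += re.findall(r"<[0-9a-f]+> (\w+)\+0x", msg)
    return o

def rkhunter_step_at(rklog, hhmmss):
    """Last rkhunter.log entry stamped at or before hhmmss (string order == time order)."""
    step = None
    for line in rklog.splitlines():
        m = re.match(r"\[(\d\d:\d\d:\d\d)\] (.*)", line)
        if m and m.group(1) <= hhmmss:
            step = m.group(2).strip(" -")
    return step

def correlate(syslog, rklog):
    o = parse_oops(syslog)
    o["rkhunter_step"] = rkhunter_step_at(rklog, o["time"])
    return o
```

On the thread's logs this reports lsof (pid 11707) faulting in show_map_internal via seq_read, with the kernel tainted 'P' and rkhunter at "Scanning running processes...", which is the information a Fedora or upstream bug report would need.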
_______________________________________________
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users