Mike Yates wrote:
> Hi
> This is how our server failed this morning:-
>
> May 8 04:01:30 hawksvr5 smbd[948]: Error writing 4 bytes to client.
> -1. (Connection reset by peer)
> May 8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL
> pointer dereference at virtual address 000001b0
> May 8 04:03:36 hawksvr5 kernel: printing eip:
> May 8 04:03:36 hawksvr5 kernel: c0496d32
> May 8 04:03:36 hawksvr5 kernel: *pde = 0b00f001
> May 8 04:03:36 hawksvr5 kernel: Oops: 0000 [#1]
> May 8 04:03:36 hawksvr5 kernel: SMP
> May 8 04:03:36 hawksvr5 kernel: last sysfs file: /block/sda/sda2/stat
> May 8 04:03:36 hawksvr5 kernel: Modules linked in: vmnet(U) parport_pc
> vmmon(U) vfat fat loop nls_utf8 cifs nfsd exportfs lockd nfs_acl lp
> deflate zlib_deflate twofish serpent blowfish sha256 crypto_null aes des
> xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 eeprom i2c_isa tun
> parport sunrpc dm_mod video button battery ac ipv6 uhci_hcd ehci_hcd
> e752x_edac edac_mc hw_random i2c_i801 i2c_core
> e1000 ext3 jbd megaraid_mbox megaraid_mm sd_mod scsi_mod
> May 8 04:03:36 hawksvr5 kernel: CPU: 3
> May 8 04:03:36 hawksvr5 kernel: EIP: 0060:[<c0496d32>] Tainted: P
> VLI
> May 8 04:03:36 hawksvr5 kernel: EFLAGS: 00010246
> (2.6.17-1.2142_FC4smp #1)
> May 8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
> May 8 04:03:36 hawksvr5 kernel: eax: 00000000 ebx: e1db8f40 ecx:
> 00000000
> edx: d5b62130
> May 8 04:03:36 hawksvr5 su(pam_unix)[31718]: session closed for user
> ccm_root
> May 8 04:03:36 hawksvr5 kernel: esi: 00000070 edi: 00100071 ebp:
> dec72a78
> esp: e3bf8f10
> May 8 04:03:36 hawksvr5 su(pam_unix)[11781]: session opened for user
> ccm_root by (uid=0)
> May 8 04:03:36 hawksvr5 kernel: ds: 007b es: 007b ss: 0068
> May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707,
> threadinfo=e3bf8000 task=c36d19f0)
> May 8 04:03:37 hawksvr5 kernel: Stack: 00000000 00000001 00000008
> 00122000 00000078 d5b62130 e20038c0 dcecb180
> May 8 04:03:37 hawksvr5 kernel: 002add28 c0496f01 c06ff310
> e1db8f40 dec72a78 00000142 c0483a3b 00000400
> May 8 04:03:37 hawksvr5 kernel: b7f60000 eb378ec0 e1db8f60
> 00000000 00000005 00000000 00000004 00000000
> May 8 04:03:38 hawksvr5 kernel: Call Trace:
> May 8 04:03:38 hawksvr5 kernel: <c0496f01> m_next+0x12/0x44
> <c0483a3b> seq_read+0x198/0x268
> May 8 04:03:38 hawksvr5 kernel: <c04838a3> seq_read+0x0/0x268
> <c0466efc> vfs_read+0xa4/0x146
> May 8 04:03:38 hawksvr5 kernel: <c04678bb> sys_read+0x3c/0x63
> <c0403d2f> syscall_call+0x7/0xb
> May 8 04:03:38 hawksvr5 kernel: Code: 24 0c 89 f8 24 80 3c 01 19 f6 83
> e6 fd 83 c6 73 f7 c7 04 00 00 00 75 1e 83 3d 0c d2 7f c0 00 75 1f 8b 54
> 24 14 8b 82 90 00 00 00 <8b> 80 b0 01 00 00 39 45 04 73 0a c7 44 24 10
> 78 00 00 00 eb 08
> May 8 04:03:39 hawksvr5 kernel: EIP: [<c0496d32>]
> show_map_internal+0x95/0x21a
> SS:ESP 0068:e3bf8f10
> May 8 04:03:39 hawksvr5 kernel: <0>Fatal exception: panic in 5 seconds
> May 8 07:46:44 hawksvr5 syslogd 1.4.1: restart.
>
> I love the way it "planned" to panic in 5 seconds!
>
> The only other log record at 04:03 is /var/log/rkhunter.log:-
>
> [04:03:34] -------------------------- Open files tests
> ---------------------------
> [04:03:34] Scanning running processes...
> (END)
>
> Which usually goes on:-
>
> [04:03:03] -------------------------- Open files tests
> ---------------------------
> [04:03:03] Scanning running processes... OK
> [04:03:04] Scanned for
> 'backdoor|adore.so|mod_rootme.so|phide_mod.o|lbk.ko|vlogger.o|cleaner.o|mod_klgr.o|hydra|hydra.restore'
> [04:03:04] ----------------------- Login backdoors check
> ------------------------
>
> [EMAIL PROTECTED] <javascript:cia("new","[EMAIL PROTECTED]")> ~]# rkhunter
> --version
> Rootkit Hunter 1.2.9
> [EMAIL PROTECTED] <javascript:cia("new","[EMAIL PROTECTED]")> ~]# uname -a
> Linux hawksvr5.linux.local 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11
> 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux
>
>
> Any ideas?
A kernel panic triggered by a userland application constitutes a bug in
the kernel AFAIK. Why exactly do you believe this is a problem caused by
rkhunter?
Fedora Core 4 is an EOL'd release by the way. Only Fedora Core 5 and 6
are supported at the moment and even Fedora Core 5 will be EOL at the
end of next month (around the time Fedora 7 will be released).
Nils Breunese.
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
