[rlug] Re: LKM rootkit... s-a intalnit cineva cu problema asta ?

Wed, 06 Jul 2005 08:20:32 -0700 

Alexandru Stefan-Voicu wrote:

>Am luat chkrootkit nou, am recompilat...
>
>"chkrootkit -x lkm" arata cam asa :
>
>nova:/share/chkrootkit-0.45# ./chkrootkit -x lkm
>ROOTDIR is `/'
>###
>### Output of: ./chkproc -v -v -p 2
>###
>CWD  2405: /var/lib/mysql
>EXE  2405: /usr/sbin/mysqld
>CWD  2406: /var/lib/mysql
>EXE  2406: /usr/sbin/mysqld
>./chkrootkit: line 1:  2458 Segmentation fault      ./chkproc -v -v -p 2
>
>Daca inchid mysql-ul, tot da segfault, dar nu mai returneaza nici un output...
>
>Dupa ceva investigatii, prin /var/log/messages apare asa ceva la executia lui 
>"chkproc" : 
>
>Jul  6 17:13:46 nova kernel: c01690e3
>Jul  6 17:13:46 nova kernel: PREEMPT
>Jul  6 17:13:46 nova kernel: Modules linked in: ipt_IMQ imq
>Jul  6 17:13:46 nova kernel: CPU:    0
>Jul  6 17:13:46 nova kernel: EIP:    0060:[<c01690e3>]    Tainted: GF     VLI
>Jul  6 17:13:46 nova kernel: EFLAGS: 00010202   
>(2.6.11.12nova.scieron.com14/06/2005)
>Jul  6 17:13:46 nova kernel: EIP is at __d_lookup+0x73/0x1a0
>Jul  6 17:13:46 nova kernel: eax: 00000001   ebx: 00000008   ecx: 00000001   
>edx: c64b8000
>Jul  6 17:13:46 nova kernel: esi: c64b8f78   edi: 0000ffff   ebp: 08ace279   
>esp: c64b8dbc
>Jul  6 17:13:46 nova kernel: ds: 007b   es: 007b   ss: 0068
>Jul  6 17:13:46 nova kernel: Process chkproc (pid: 2505, threadinfo=c64b8000 
>task=c25cf0e0)
>Jul  6 17:13:46 nova kernel: Stack: c036ebc8 c016cec4 00000000 c317e006 
>08ace279 00000005 c64b8e38 c64b8f78
>Jul  6 17:13:46 nova kernel:        cffe4aa0 c64b8f30 c015e478 cffe16b4 
>c64b8f30 c64b8e38 c127ddd4 c317e00b
>Jul  6 17:13:46 nova kernel:        c64b8f78 c015ec7b c64b8f78 c64b8f30 
>c64b8e38 cffe16b4 c92b973c c0148e5c
>
>...etc etc etc.
>
>   Cel mai probabil este de la patch-ul cu IMQ, modprobe imi spunea ca modulul 
> e "invalid" cand incercam "modprobe ipt_IMQ", si nu a mers decat cu "modprobe 
> -f ",
>
ce versiune de IMQ ai pus? 2.6.9-imq se aplica fara probleme.

> iar pe undeva prin dmesg la boot-are ma anunta clar ca kernelul este 
> "tainted". 
>
despre imq nu zice ca e tainted

>Sa speram ca numai asta e problema, nu am porturi deschise altceva decat cele 
>strict necesare si alea puse pe alte "numere" :)
>  
>
io zic sa bootezi de pe un cd si sa rulezi chestiile de test. incepind 
cu un memtest dar neuitind si cele de cauta lkm

--- 
Detalii despre listele noastre de mail: http://www.lug.ro/

Raspunde prin e-mail lui