[rlug] LKM rootkit... s-a intalnit cineva cu problema asta?

Wed, 06 Jul 2005 14:42:54 -0700 

Hello lonely wolf,

Aici spune despre IMQ si de tainting

cat /var/log/dmesg

.....
imq: no version magic, tainting kernel.
IMQ starting with 2 devices...
IMQ driver loaded successfully.
        Hooking IMQ before NAT on PREROUTING.
        Hooking IMQ after NAT on POSTROUTING.
ipt_IMQ: no version magic, tainting kernel.
...

2.6.9 am si pus, pe kernel 2.6.11.12
IMQ-ul merge, nu e problema... naiba stie, o fi modutils-ul mai vechi
In fine, o sa-i fac cateva teste, desi eu cred 90% ca de la asta e... o sa 
incerc sa dau remove la modulul de IMQ si sa-i mai dau un chkrootkit

  
======= At 2005-07-06, 17:19:18 you wrote: =======

>Alexandru Stefan-Voicu wrote:
>
>>Am luat chkrootkit nou, am recompilat...
>>
>>"chkrootkit -x lkm" arata cam asa :
>>
>>nova:/share/chkrootkit-0.45# ./chkrootkit -x lkm
>>ROOTDIR is `/'
>>###
>>### Output of: ./chkproc -v -v -p 2
>>###
>>CWD  2405: /var/lib/mysql
>>EXE  2405: /usr/sbin/mysqld
>>CWD  2406: /var/lib/mysql
>>EXE  2406: /usr/sbin/mysqld
>>./chkrootkit: line 1:  2458 Segmentation fault      ./chkproc -v -v -p 2
>>
>>Daca inchid mysql-ul, tot da segfault, dar nu mai returneaza nici un output...
>>
>>Dupa ceva investigatii, prin /var/log/messages apare asa ceva la executia lui 
>>"chkproc" : 
>>
>>Jul  6 17:13:46 nova kernel: c01690e3
>>Jul  6 17:13:46 nova kernel: PREEMPT
>>Jul  6 17:13:46 nova kernel: Modules linked in: ipt_IMQ imq
>>Jul  6 17:13:46 nova kernel: CPU:    0
>>Jul  6 17:13:46 nova kernel: EIP:    0060:[<c01690e3>]    Tainted: GF     VLI
>>Jul  6 17:13:46 nova kernel: EFLAGS: 00010202   
>>(2.6.11.12nova.scieron.com14/06/2005)
>>Jul  6 17:13:46 nova kernel: EIP is at __d_lookup+0x73/0x1a0
>>Jul  6 17:13:46 nova kernel: eax: 00000001   ebx: 00000008   ecx: 00000001   
>>edx: c64b8000
>>Jul  6 17:13:46 nova kernel: esi: c64b8f78   edi: 0000ffff   ebp: 08ace279   
>>esp: c64b8dbc
>>Jul  6 17:13:46 nova kernel: ds: 007b   es: 007b   ss: 0068
>>Jul  6 17:13:46 nova kernel: Process chkproc (pid: 2505, threadinfo=c64b8000 
>>task=c25cf0e0)
>>Jul  6 17:13:46 nova kernel: Stack: c036ebc8 c016cec4 00000000 c317e006 
>>08ace279 00000005 c64b8e38 c64b8f78
>>Jul  6 17:13:46 nova kernel:        cffe4aa0 c64b8f30 c015e478 cffe16b4 
>>c64b8f30 c64b8e38 c127ddd4 c317e00b
>>Jul  6 17:13:46 nova kernel:        c64b8f78 c015ec7b c64b8f78 c64b8f30 
>>c64b8e38 cffe16b4 c92b973c c0148e5c
>>
>>...etc etc etc.
>>
>>   Cel mai probabil este de la patch-ul cu IMQ, modprobe imi spunea ca 
>> modulul e "invalid" cand incercam "modprobe ipt_IMQ", si nu a mers decat cu 
>> "modprobe -f ",
>>
>ce versiune de IMQ ai pus? 2.6.9-imq se aplica fara probleme.
>
>> iar pe undeva prin dmesg la boot-are ma anunta clar ca kernelul este 
>> "tainted". 
>>
>despre imq nu zice ca e tainted
>
>>Sa speram ca numai asta e problema, nu am porturi deschise altceva decat cele 
>>strict necesare si alea puse pe alte "numere" :)
>>  
>>
>io zic sa bootezi de pe un cd si sa rulezi chestiile de test. incepind 
>cu un memtest dar neuitind si cele de cauta lkm
>
>--- 
>Detalii despre listele noastre de mail: http://www.lug.ro/
>
>
>

= = = = = = = = = = = = = = = = = = = =
                        
Alexandru Stefan-Voicu
[EMAIL PROTECTED]
2005-07-07



--- 
Detalii despre listele noastre de mail: http://www.lug.ro/

Raspunde prin e-mail lui