[Rkhunter-users] Kernel panic - possibly rkhunter's fault
Hi

This is how our server failed this morning:-

May 8 04:01:30 hawksvr5 smbd[948]: Error writing 4 bytes to client. -1. (Connection reset by peer)
May 8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 01b0
May 8 04:03:36 hawksvr5 kernel: printing eip:
May 8 04:03:36 hawksvr5 kernel: c0496d32
May 8 04:03:36 hawksvr5 kernel: *pde = 0b00f001
May 8 04:03:36 hawksvr5 kernel: Oops: [#1]
May 8 04:03:36 hawksvr5 kernel: SMP
May 8 04:03:36 hawksvr5 kernel: last sysfs file: /block/sda/sda2/stat
May 8 04:03:36 hawksvr5 kernel: Modules linked in: vmnet(U) parport_pc vmmon(U) vfat fat loop nls_utf8 cifs nfsd exportfs lockd nfs_acl lp deflate zlib_deflate twofish serpent blowfish sha256 crypto_null aes des xfrm4_tunnel tunnel4 ipcomp esp4 ah4 af_key autofs4 eeprom i2c_isa tun parport sunrpc dm_mod video button battery ac ipv6 uhci_hcd ehci_hcd e752x_edac edac_mc hw_random i2c_i801 i2c_core e1000 ext3 jbd megaraid_mbox megaraid_mm sd_mod scsi_mod
May 8 04:03:36 hawksvr5 kernel: CPU:3
May 8 04:03:36 hawksvr5 kernel: EIP:0060:[c0496d32]Tainted: P VLI
May 8 04:03:36 hawksvr5 kernel: EFLAGS: 00010246 (2.6.17-1.2142_FC4smp #1)
May 8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
May 8 04:03:36 hawksvr5 kernel: eax: ebx: e1db8f40 ecx: edx: d5b62130
May 8 04:03:36 hawksvr5 su(pam_unix)[31718]: session closed for user ccm_root
May 8 04:03:36 hawksvr5 kernel: esi: 0070 edi: 00100071 ebp: dec72a78 esp: e3bf8f10
May 8 04:03:36 hawksvr5 su(pam_unix)[11781]: session opened for user ccm_root by (uid=0)
May 8 04:03:36 hawksvr5 kernel: ds: 007b es: 007b ss: 0068
May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, threadinfo=e3bf8000 task=c36d19f0)
May 8 04:03:37 hawksvr5 kernel: Stack: 0001 0008 00122000 0078 d5b62130 e20038c0 dcecb180
May 8 04:03:37 hawksvr5 kernel: 002add28 c0496f01 c06ff310 e1db8f40 dec72a78 0142 c0483a3b 0400
May 8 04:03:37 hawksvr5 kernel: b7f6 eb378ec0 e1db8f60 0005 0004
May 8 04:03:38 hawksvr5 kernel: Call Trace:
May 8 04:03:38 hawksvr5 kernel: c0496f01 m_next+0x12/0x44 c0483a3b seq_read+0x198/0x268
May 8 04:03:38 hawksvr5 kernel: c04838a3 seq_read+0x0/0x268 c0466efc vfs_read+0xa4/0x146
May 8 04:03:38 hawksvr5 kernel: c04678bb sys_read+0x3c/0x63 c0403d2f syscall_call+0x7/0xb
May 8 04:03:38 hawksvr5 kernel: Code: 24 0c 89 f8 24 80 3c 01 19 f6 83 e6 fd 83 c6 73 f7 c7 04 00 00 00 75 1e 83 3d 0c d2 7f c0 00 75 1f 8b 54 24 14 8b 82 90 00 00 00 8b 80 b0 01 00 00 39 45 04 73 0a c7 44 24 10 78 00 00 00 eb 08
May 8 04:03:39 hawksvr5 kernel: EIP: [c0496d32] show_map_internal+0x95/0x21a SS:ESP 0068:e3bf8f10
May 8 04:03:39 hawksvr5 kernel: 0Fatal exception: panic in 5 seconds
May 8 07:46:44 hawksvr5 syslogd 1.4.1: restart.

I love the way it planned to panic in 5 seconds!

The only other log record at 04:03 is /var/log/rkhunter.log:-

[04:03:34] -- Open files tests ---
[04:03:34] Scanning running processes...
(END)

Which usually goes on:-

[04:03:03] -- Open files tests ---
[04:03:03] Scanning running processes... OK
[04:03:04] Scanned for 'backdoor|adore.so|mod_rootme.so|phide_mod.o|lbk.ko|vlogger.o|cleaner.o|mod_klgr.o|hydra|hydra.restore'
[04:03:04] --- Login backdoors check

[EMAIL PROTECTED] ~]# rkhunter --version
Rootkit Hunter 1.2.9
[EMAIL PROTECTED] ~]# uname -a
Linux hawksvr5.linux.local 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 i686 i386 GNU/Linux

Any ideas?

Mike Yates CMBCS (ISSG)
IT Support Engineer
Hawkgrove Ltd - Software Systems Design
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
Re: [Rkhunter-users] Kernel panic - possibly rkhunter's fault
Mike Yates wrote:

> [snipped]
>
> Any ideas?

A kernel panic triggered by a userland application constitutes a bug in the kernel AFAIK. Why exactly do you believe this is a problem caused by rkhunter?

Fedora Core 4 is an EOL'd release by the way. Only Fedora Core 5 and 6 are supported at the moment and even Fedora Core 5 will be EOL at the end of next month (around the time Fedora 7 will be released).

Nils Breunese.
Re: [Rkhunter-users] Kernel panic - possibly rkhunter's fault
On Tue, 2007-05-08 at 13:03 +0200, Nils Breunese (Lemonbit Internet) wrote:

> Mike Yates wrote:
> [snipped]
>> May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, threadinfo=e3bf8000 task=c36d19f0)
>
> A kernel panic triggered by a userland application constitutes a bug in the kernel AFAIK. Why exactly do you believe this is a problem caused by rkhunter?

I wondered this, but it seems the currently running process was lsof. I assume then this was from one of the RKH tests, and not just some user running it. However, I agree that RKH itself is not likely to cause a panic because it is a shell script running other binary programs. Lsof may be the cause.

John.

--
John Horne, University of Plymouth, UK
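As an added example (not part of this thread or of rkhunter), a small Python triage script that pulls the faulting process, symbol, taint flag and call trace out of oops lines like the ones Mike posted and lines them up against the last entry in rkhunter.log, which is how one would check John's reading that the scanner's "Scanning running processes" step (the lsof pass) was what was on the CPU. The sample input is a constructed subset of the lines quoted above; the field names are my own.

```python
import re
# Constructed sample input: a subset of the syslog and rkhunter.log lines quoted in the thread.
SYSLOG = """\
May 8 04:03:36 hawksvr5 kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 01b0
May 8 04:03:36 hawksvr5 kernel: EIP:0060:[c0496d32]Tainted: P VLI
May 8 04:03:36 hawksvr5 kernel: EIP is at show_map_internal+0x95/0x21a
May 8 04:03:37 hawksvr5 kernel: Process lsof (pid: 11707, threadinfo=e3bf8000 task=c36d19f0)
May 8 04:03:38 hawksvr5 kernel: c0496f01 m_next+0x12/0x44 c0483a3b seq_read+0x198/0x268
May 8 04:03:38 hawksvr5 kernel: c04678bb sys_read+0x3c/0x63 c0403d2f syscall_call+0x7/0xb
"""
RKHUNTER_LOG = """\
[04:03:04] --- Login backdoors check
[04:03:34] -- Open files tests ---
[04:03:34] Scanning running processes...
"""
KERNEL = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ kernel: ?(.*)$")
FRAME = re.compile(r"\b[0-9a-f]{8} ([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
RKH = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (.*)$")

def parse_oops(syslog):
    """Pull the fields a first-pass triage needs out of a 2.6-era x86 oops."""
    info = {"time": None, "process": None, "eip": None, "taint": "", "trace": []}
    for m in filter(None, map(KERNEL.match, syslog.splitlines())):
        stamp, msg = m.groups()
        if msg.startswith("BUG:"):
            info["time"] = stamp
        elif "Tainted:" in msg:
            # Token after "Tainted:" = taint flags; P = proprietary module loaded
            # (vmmon/vmnet here). "VLI" is an oops-format marker, not a flag.
            info["taint"] = msg.split("Tainted:", 1)[1].split()[0]
        elif msg.startswith("EIP is at "):
            info["eip"] = msg[len("EIP is at "):].split("+")[0]
        elif msg.startswith("Process "):
            info["process"] = msg.split()[1]
        else:
            info["trace"].extend(FRAME.findall(msg))  # call-trace symbols, top first
    return info

def rkhunter_step_at(rkh_log, stamp):
    """Last rkhunter.log entry written at or before the oops time (HH:MM:SS)."""
    current = None
    for line in rkh_log.splitlines():
        m = RKH.match(line)
        if m and m.group(1) <= stamp:
            current = m.group(2)
    return current

def triage(syslog=SYSLOG, rkh_log=RKHUNTER_LOG):
    oops = parse_oops(syslog)
    oops["rkhunter_step"] = rkhunter_step_at(rkh_log, oops["time"])
    return oops
```

The trace (show_map_internal via m_next and seq_read) is the /proc maps reader, i.e. the kernel side of what lsof was doing, and the P taint means third-party modules were loaded, which is worth noting before filing the bug upstream.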