Hello,

> Looks almost same here:

Yes, but without those lines

> open("/proc/uptime", O_RDONLY) = 3
> open("/proc/4215/exe", O_RDONLY) = 3

This is in all binaries I have checked (echo, ifconfig, ...).

> The gzip thing looks really weird. Does chkrootkit show any evidence?
> Maybe gzip got broken somehow.

No, chkrootkit doesn't find anything. I got this some weeks ago, but couldn't find anything on the box, so I thought it was just broken and re-installed. But the same box was hit again this week, and another one too, which also got all websites defaced tonight. And again, the only thing I could find is gzip not working.

> I would build some checksum database of /bin, /sbin, /usr/bin, /usr/sbin off a
> definitely not infected machine (using tripwire or aide), burn the
> database(s) and the binaries to check/build them on a CDROM and compare that
> with the weird system's binaries.

I checked with md5sum; the binaries differ from other machines which look clean. Very strange: if I ftp the 'gzip' binary from a clean machine to the 'infected' one, it is then changed to the same md5sum that the 'gzip' binary has on the 'infected' machine.

> _really_ check if something serious has changed without taking the machines
> in question off (and check them with e.g. chkrootkit from a knoppix cd)

I already did this. I booted from the woody install-cd and did a chroot to the system. The effects are still there, so this should be nothing running in the kernel.

I reinstalled the machines (got the old disks here for further research), so this is not urgent. I just need to know what happened, because I would like the other boxes here to stay clean ;-)