On Saturday 04 February 2006 05:35, Marc Shapiro wrote:
[snip]

A quick Google around "FUCK: Got signal 11 while manipulating kernel!" throws up references to the SucKIT rootkit. The following is from a CERN advisory. Maybe worth checking.

"Here is a simple recipe to detect the SucKIT rootkit, as it has been found on CERN machines. It may miss some other types of installations but it should produce no false positive. Just run:

    # ls -li /sbin/init /sbin/telinit

Here is the output on a normal machine:

    304579 -rwxr-xr-x 1 root root 26920 Mar 14 2002 /sbin/init*
    304587 lrwxrwxrwx 1 root root 4 Dec 2 13:18 /sbin/telinit -> init*

Here is the output on a compromised machine:

    85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/init
    85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/telinit

In the second case, telinit is a real file (not a symlink) and its time is the time of the rootkit installation. Note also the incorrect information: both files have the same inode number but a reference count of one, this comes from the kernel module hiding the real information."

Apologies if this is a false alarm. However, what you've found so far doesn't look good. You could also try going

    sudo netstat -tupl | grep LISTEN | grep -v unix

and seeing whether anything is listening that you don't recognize. :)

Fish
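
Added example, not part of the original message or the CERN advisory: a small shell helper that reads `ls -li` output and flags the two anomalies the advisory points out (telinit being a regular file, and two paths sharing an inode whose link count is too low for that). The function name `check_init_listing` is hypothetical, and the demo input is the compromised-machine listing quoted above.

```shell
#!/bin/sh
# Reads `ls -li` lines on stdin and prints one SUSPECT line per anomaly.
# Prints nothing when the listing looks consistent.
check_init_listing() {
    awk '
    {
        inode = $1; mode = $2; links = $3 + 0
        # The path is the first field that begins with a slash.
        path = ""
        for (i = 4; i <= NF; i++) if ($i ~ /^\//) { path = $i; break }
        if (path == "") next
        sub(/[*@]$/, "", path)      # drop the type suffix added by ls -F

        # Anomaly 1: telinit should be a symlink (mode starts with l).
        if (path == "/sbin/telinit" && substr(mode, 1, 1) != "l")
            print "SUSPECT: /sbin/telinit is not a symlink"

        # Track how many listed paths share each inode, and the
        # smallest link count reported for that inode.
        count[inode]++
        if (!(inode in minlinks) || links < minlinks[inode])
            minlinks[inode] = links
        names[inode] = names[inode] " " path
    }
    END {
        # Anomaly 2: N paths with one inode need a link count of at least N.
        for (ino in count)
            if (count[ino] > minlinks[ino])
                printf "SUSPECT: inode %s shared by%s but link count is %d\n",
                       ino, names[ino], minlinks[ino]
    }'
}

# Demo on the compromised-machine output quoted in the advisory.
check_init_listing <<'EOF'
85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/init
85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/telinit
EOF
```

On a live system the same check is `ls -li /sbin/init /sbin/telinit | check_init_listing`; as the advisory says, a clean result does not rule out other types of installation.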