From: Keith Whyte <keith@media-solutions.ie>
To: Frank van Maarseveen <frankvm@xs4all.nl>
Cc: linux-kernel@vger.kernel.org
Subject: Re: 2.4.18 fork & defunct child => system is hacked
Date: Wed, 19 Nov 2003 13:45:13 -0600
Message-ID: <3FBBC849.5060608@media-solutions.ie>
In-Reply-To: <20031118103907.GA23644@iapetus.localdomain>
Frank van Maarseveen wrote:
>On Mon, Nov 17, 2003 at 06:26:00PM -0600, Keith Whyte wrote:
>
>
>>{ strace listing deleted, see
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=106905386725308&w=2 }
>>
>>
>
>First of all, /bin/true doing a fork() basically means you've
>been hacked: there should not be any such code in there. The
>open("/proc/17904///////////exe") is another piece of clear evidence
>that your system has been hacked.
>
>Why the additional slashes?
>
Is it at all possible that this behaviour is due to strace?
I have just installed under a fresh directory, from the Slackware
packages, the glibc-so libs, a few progs, strace, and chroot'ed into
that system.
I still get the same behaviour. So does that mean it _has_ to be the
kernel that is at fault?
A cmp on the distro kernel and the one on my system does show this:
cmp -b -l /boot/vmlinuz /home/r2/boot/vmlinuz
499 1 ^A 0 ^@
But that is the rootflags, no? I must have set it ro before.
I am going to compile a kernel on a clean machine and boot the machine
with that as soon as I can get somebody down there to monitor it in case
it doesn't come back up with the new kernel.
>I suspect a library/or LD_PRELOAD hack which simply encodes the getpid()
>return value in decimal notation and stores it right into a static
>buffer containing
>
> "/proc//////////////////exe"
>
>because it can't use sprintf at that point for some reason (maybe
>just because it is a library/LD_PRELOAD hack).
>
>
>
>
I think I vaguely know what you're saying here, but why? Why would it have
happened as soon as the machine was first brought up (after the
initial install), then again after a reinstall, and then go away? Why
then would it happen again some months later? And how would they have
hacked it? It only runs ssh and apache. No sendmail, no bind, none of
those usual culprits. apache is not running as root. The only other
listener is identd.
It also runs nfsd, but connections are firewalled from anything other
than a 192.168.0.1 address configured on the second NIC. Ah, but then I
did accidentally open the firewall recently for a few days.
Hmmm.
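Added example, not part of the thread: a small Python scanner for the two indicators Frank points at above (a fork() from /bin/true, which has no reason to spawn anything, and an open() of a /proc/<pid>/exe path padded with redundant slashes, the signature of a pid written in decimal into a fixed buffer of slashes), plus a check for the LD_PRELOAD environment variable and a non-empty /etc/ld.so.preload. The strace lines, the environment and the preload-file contents are constructed inputs; the list of "never forks" binaries is an assumption.

```python
import re

# Constructed strace transcript (not the one from the thread), modelled on
# the indicators discussed above: execve of /bin/true, a normal open() that
# must not be flagged, a slash-padded /proc/<pid>/exe open, then a fork().
SAMPLE_STRACE = """\
execve("/bin/true", ["/bin/true"], [/* 20 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/proc/17904///////////exe", O_RDONLY) = 4
fork() = 17905
wait4(17905, NULL, 0, NULL) = 17905
_exit(0) = ?
"""

# Assumption: programs that have no legitimate reason to create a child.
NON_FORKING = {"/bin/true", "/bin/false"}

EXECVE_RE = re.compile(r'^execve\("([^"]+)"')
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"')
FORK_RE = re.compile(r'^(?:fork|vfork|clone)\(')
# /proc/<pid> followed by two or more slashes: a pid that was written into a
# pre-filled "/proc//////exe" buffer rather than formatted with sprintf().
PADDED_PROC_RE = re.compile(r'^/proc/\d+/{2,}')


def scan_strace(text):
    """Return a list of (line_no, reason) findings for an strace transcript."""
    findings = []
    current_exe = None
    for n, line in enumerate(text.splitlines(), 1):
        m = EXECVE_RE.match(line)
        if m:
            current_exe = m.group(1)   # remember which binary is running
            continue
        m = OPEN_RE.match(line)
        if m and PADDED_PROC_RE.match(m.group(1)):
            findings.append((n, "slash-padded /proc path: " + m.group(1)))
            continue
        if FORK_RE.match(line) and current_exe in NON_FORKING:
            findings.append((n, f"{current_exe} forked a child"))
    return findings


def preload_indicators(environ, ld_so_preload_text):
    """Flag LD_PRELOAD in the environment or entries in /etc/ld.so.preload.

    Both inputs are passed in explicitly so the check can be run against a
    captured environment and a copy of the file rather than the live system.
    """
    hits = []
    if environ.get("LD_PRELOAD"):
        hits.append("LD_PRELOAD=" + environ["LD_PRELOAD"])
    entries = [l.strip() for l in ld_so_preload_text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    if entries:
        hits.append("/etc/ld.so.preload lists: " + ", ".join(entries))
    return hits


if __name__ == "__main__":
    for line_no, reason in scan_strace(SAMPLE_STRACE):
        print(f"line {line_no}: {reason}")
    # Constructed environment and preload file for the demonstration.
    for hit in preload_indicators({"LD_PRELOAD": "/tmp/constructed.so"},
                                  "# comment\n/tmp/constructed.so\n"):
        print(hit)
```

Run it against a real trace with `strace -f -o trace.txt /bin/true` and feed the file's contents to `scan_strace`; a clean system should produce no findings, and `preload_indicators` with `os.environ` and the contents of /etc/ld.so.preload should return an empty list.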