From owner-freebsd-security Mon Oct 7 13:32:58 2002
Date: Mon, 7 Oct 2002 16:40:55 -0400
From: Anthony Schneider
To: Riley
Cc: FreeBSD Security
Subject: Re: chkrootkit help
Message-ID: <20021007204055.GA65040@x-anthony.com>
User-Agent: Mutt/1.4i

If you've been nailed by a rootkit, you should not trust netstat, ifconfig, ps, etc. anymore. Bring in the binaries from another similar system, because rootkits will generally have replacements which suppress the output that they don't want you to see (like open ports, promiscuous mode, etc., although promiscuous mode I believe can be overcome by simply writing over a small chunk of kernel memory whilst leaving the interface still promiscuous). You might also try portscanning the machine. And then, after you check these things out, I suggest you do a reinstall.

Good luck.

-Anthony.
On Mon, Oct 07, 2002 at 11:47:15AM -0700, Riley wrote:
> Hi all,
>
> (Let me know if this belongs in -questions)
>
> I could sure use some help interpreting this. A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:
>
> /kernel: file: table is full
>
> along with related messages, then a core dump. (syslog for this date is
> below.)
>
> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384. As the system
> started to recover, for fun I ran chkrootkit, which came back with this:
>
> Checking `bindshell'... INFECTED (PORTS: 114)
>
> A few minutes later and ever since chkrootkit returns:
>
> Checking `bindshell'... not infected
>
> netstat -an doesn't show anything on 114 and nothing unusual.
>
> The system is on a dmz with ports 25, 53 and 110 mapped through. Running
> chkrootkit on the firewall reported this:
>
> Checking `bindshell'... not infected
> Checking `lkm'... not tested: can't exec ./chkproc
> Checking `rexedcs'... not found
> Checking `sniffer'...
> xl0 is not promisc
> xl2 is not promisc
>
> I'm not sure what to think about "can't exec ./chkproc". Also the xl1
> interface is not reported in the output and is the dmz interface that the
> above machine is on. ifconfig shows:
>
> xl1: flags=8843 mtu 1500
> inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
> inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
> ether 00:60:08:31:e4:b0
> media: Ethernet autoselect (10baseT/UTP)
> status: active
>
> Any comments would be greatly appreciated.
>
> Thanks,
>
> Riley
>
>
> "That which does not kill us makes us stranger."
> --Kimchi
>
>
> Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O error on connection from [203.48.40.139], from=
> Oct 7 08:45:13 aji /kernel: file: table is full
> Oct 7 08:45:14 aji last message repeated 38 times
> Oct 7 08:46:27 aji last message repeated 35 times
> Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect:
> I/O error on connection from adsl-63-rev-addr,
> from=
> Oct 7 09:22:17 aji /kernel: file: table is full
> Oct 7 09:22:20 aji last message repeated 17 times
> Oct 7 09:23:21 aji last message repeated 16 times
> Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0):
> ... openmailer(local): pipe (to mailer): Too many open
> files in system
> Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot
> open hash database /etc/mail/aliases.db: Too many open files in system
> Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in
> system
> Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct 7 09:25:42 aji /kernel: file: table is full
> Oct 7 09:25:43 aji last message repeated 4 times
> Oct 7 09:29:58 aji /kernel: file: table is full
> Oct 7 09:30:44 aji last message repeated 107 times
> Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core
> dumped)
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
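The two checks Anthony recommends above (compare what the host's own netstat reports against an external port scan, and verify the system binaries against copies you trust) can be scripted. The following is an added example written for this archive page; it is not code from the thread, from chkrootkit, or from FreeBSD. The `netstat -an` text is a constructed sample in the FreeBSD 4.x column layout, the "external scan" result is a constructed set of port numbers standing in for whatever your scanner reports from the firewall side, and the manifest paths (`bin/ps`, `bin/netstat`, `sbin/ifconfig`) are hypothetical. The manifest check only means something when the hash tool and the reference hashes come from trusted media, since a kernel-resident rootkit can lie to any userland program, which is why the reply ends with "do a reinstall".

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set

# Constructed sample of `netstat -an` output in the FreeBSD 4.x layout (not
# captured from the poster's machine). A trojaned netstat would simply omit
# the line for the listener it wants to hide.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  10.100.100.5.110       *.*                    LISTEN
tcp4       0      0  10.100.100.5.25        203.0.113.7.41022      ESTABLISHED
udp4       0      0  *.53                   *.*
"""

# Constructed result of a TCP scan of the same host run from another machine
# (the firewall, say). Port 114 mirrors the chkrootkit "bindshell" hit in the thread.
SAMPLE_SCAN_OPEN_PORTS = {25, 53, 110, 114}


def listening_tcp_ports(netstat_output: str) -> Set[int]:
    """Extract the TCP ports the local netstat admits are in LISTEN state."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Listener rows have 6 columns; the state column is the last one.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[-1] != "LISTEN":
            continue
        # Local address is "addr.port" or "*.port"; the port is after the last dot.
        port = fields[3].rsplit(".", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports


def hidden_listeners(netstat_output: str, scanned_open: Iterable[int]) -> Set[int]:
    """Ports an outside scanner sees open that the host's own netstat does not report.

    A non-empty result is the discrepancy Anthony's reply warns about: the
    host's view has been filtered, or the listener came and went between the
    two observations. Either way it warrants verifying from trusted media.
    """
    return set(scanned_open) - listening_tcp_ports(netstat_output)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: Dict[str, str], root: str) -> Dict[str, str]:
    """Compare files under `root` against a manifest of known-good SHA-256 digests.

    Returns {relative path: "ok" | "modified" | "missing"}. The manifest must
    come from a trusted source (install media or a clean sibling system), as
    must the interpreter and hashing tool you run this with.
    """
    result: Dict[str, str] = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result[rel] = "missing"
        elif sha256_file(path) == expected:
            result[rel] = "ok"
        else:
            result[rel] = "modified"
    return result


def demo_manifest_check() -> Dict[str, str]:
    """Build a throwaway tree, tamper with it, and run the manifest check on it.

    The file contents and paths are constructed stand-ins, not real binaries.
    """
    clean = {
        "bin/ps": b"ps-clean-contents",
        "bin/netstat": b"netstat-clean-contents",
        "sbin/ifconfig": b"ifconfig-clean-contents",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        # Simulate a replaced netstat and a removed ifconfig.
        with open(os.path.join(root, "bin/netstat"), "wb") as fh:
            fh.write(b"netstat-replaced-contents")
        os.remove(os.path.join(root, "sbin/ifconfig"))
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    print("local LISTEN ports:", sorted(listening_tcp_ports(SAMPLE_NETSTAT)))
    print("open externally but hidden locally:", sorted(hidden_listeners(SAMPLE_NETSTAT, SAMPLE_SCAN_OPEN_PORTS)))
    print("manifest check:", demo_manifest_check())
```

On a real host you would feed `listening_tcp_ports` the output of a netstat binary copied from clean media, and `hidden_listeners` the port list from a scanner run on a different machine; a port that shows up only in the second set is the signal to stop trusting the box. The intermittent "INFECTED (PORTS: 114)" in the thread is exactly the kind of observation this comparison is meant to catch, since a listener that appears and disappears will not be visible in a single local check.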