From owner-freebsd-security Mon Oct 7 13:36:17 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E927537B401
	for ; Mon, 7 Oct 2002 13:36:13 -0700 (PDT)
Received: from fubar.adept.org (fubar.adept.org [63.147.172.249])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8749C43E6A
	for ; Mon, 7 Oct 2002 13:36:13 -0700 (PDT)
	(envelope-from mike@adept.org)
Received: by fubar.adept.org (Postfix, from userid 1001)
	id 3CCEB154DB; Mon, 7 Oct 2002 13:33:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by fubar.adept.org (Postfix) with ESMTP id 3BEA4154D5;
	Mon, 7 Oct 2002 13:33:04 -0700 (PDT)
Date: Mon, 7 Oct 2002 13:33:04 -0700 (PDT)
From: Mike Hoskins
To: Riley
Cc: FreeBSD Security
Subject: Re: chkrootkit help
In-Reply-To:
Message-ID: <20021007131203.L83742-100000@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, 7 Oct 2002, Riley wrote:

> I could sure use some help interpreting this. A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:

I haven't kept up with Sendmail since Postfix made its debut, but I don't
believe there's anything wrong with BIND 8.3.3 (yet).

> /kernel: file: table is full

If you haven't tuned this server already, this could be quite common and
mundane.

> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384.

I'm not sure how busy this machine is (sounds like it's a firewall and
mailserver+antivirus), but I set the following in /boot/loader.conf on my
busier servers:

kern.maxusers=256
kern.ipc.nmbclusters=16384

This is a machine with 1GB of RAM.  This results in the following sysctl
values:

kern.maxfiles: 8232
kern.maxfilesperproc: 7408
kern.maxvnodes: 68387

Note "maxfilesperproc".  That may be important to you.

> Checking `bindshell'... INFECTED (PORTS: 114)
> netstat -an doesn't show anything on 114 and nothing unusual.
> I'm not sure what to think about "can't exec ./chkproc".

First, from chkrootkit.org:

Q. Which commands does chkrootkit use?
A. The following commands are used by the chkrootkit script: awk, cut, echo,
   egrep, find, head, id, ls, netstat, ps, strings, sed, uname

If you suspect you've been compromised...  It would be best not to trust those
system binaries.  Read the documentation/webpage and make sure you're using a
safe set of binaries to check your system.

From the docs, chkproc seems to be /proc intensive.  The port's Makefile does
not mention chkproc:

do-install:
	${INSTALL_SCRIPT} ${WRKSRC}/chkrootkit ${PREFIX}/sbin
	${INSTALL_PROGRAM} ${WRKSRC}/chklastlog ${PREFIX}/sbin
	${INSTALL_PROGRAM} ${WRKSRC}/chkwtmp ${PREFIX}/sbin
	${INSTALL_PROGRAM} ${WRKSRC}/ifpromisc ${PREFIX}/sbin
.if !defined(NOPORTDOCS)
	@${MKDIR} ${PREFIX}/share/doc/chkrootkit
	${INSTALL_DATA} ${DOCFILES:C,^,${WRKSRC}/,} ${PREFIX}/share/doc/chkrootkit
.endif

I suspect it isn't built due to its very nature.

You could try using a trusted sockstat binary to verify what's listening on
the local system.

% sockstat -4l

You should be able to account for everything listed.

> Also the xl1 interface is not reported in the output and is the dmz
> interface that the above machine is on. ifconfig shows:
> xl1: flags=8843 mtu 1500

Odd if xl1 is not in promiscuous mode, but is not listed as such by the
script.  However, I am not that familiar with chkrootkit.  Perhaps it placed
xl1 in PROMISC while running?  That can be verified by checking ifconfig
while chkrootkit is running...

ifconfig -a
...
fxp0: flags=8943 mtu 1500

> Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O error on connection from [203.48.40.139], from=
> Oct 7 08:45:13 aji /kernel: file: table is full

OK, most of these look IO related...  But what's this mean?

> Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core dumped)

If 'root' really doesn't exist, then who is uid 0?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
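The two flag words quoted in the message, 8843 for xl1 and 8943 for fxp0, differ in exactly one bit, 0x100, which is IFF_PROMISC in FreeBSD's <net/if.h>. The script below is an added example and is not part of the original thread or of chkrootkit; it decodes the hex "flags=" word that FreeBSD 4.x ifconfig prints into IFF_* names, and scans "ifconfig -a" output for interfaces with the promiscuous bit set. The IFF_* bit values are FreeBSD's; the sample ifconfig output is constructed (documentation IP ranges) and only reuses the two flag words seen above.

```shell
#!/bin/sh
# Added example, not from the original thread: decode the hex "flags=" word
# printed by FreeBSD 4.x ifconfig and check it for IFF_PROMISC (0x100).
# Bit values are the IFF_* constants from FreeBSD's <net/if.h>.

# decode_ifflags HEX: print the comma-separated IFF_* names set in HEX
decode_ifflags() {
    val=$(printf '%d' "0x$1")
    out=""
    # name:value pairs in the order ifconfig prints them
    for pair in UP:1 BROADCAST:2 DEBUG:4 LOOPBACK:8 POINTOPOINT:16 SMART:32 \
                RUNNING:64 NOARP:128 PROMISC:256 ALLMULTI:512 OACTIVE:1024 \
                SIMPLEX:2048 LINK0:4096 LINK1:8192 LINK2:16384 MULTICAST:32768
    do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( val & bit )) -ne 0 ]; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "$out"
}

# is_promisc HEX: succeed (exit 0) when IFF_PROMISC (0x100) is set in HEX
is_promisc() {
    [ $(( $(printf '%d' "0x$1") & 256 )) -ne 0 ]
}

# promisc_ifaces: read "ifconfig -a" output on stdin and print the name of
# every interface whose flags word has IFF_PROMISC set
promisc_ifaces() {
    while IFS= read -r line; do
        case $line in
            *": flags="*)
                ifname=${line%%:*}
                hex=${line#*flags=}
                hex=${hex%%[!0-9a-fA-F]*}   # keep only the leading hex digits
                if is_promisc "$hex"; then
                    printf '%s\n' "$ifname"
                fi
                ;;
        esac
    done
}

# Constructed sample in FreeBSD 4.x "ifconfig -a" format; the flag words are
# the two that appear in the thread (xl1 = 8843, fxp0 = 8943).
SAMPLE_IFCONFIG='xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.7 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Usage: decode the two words from the thread, then list promiscuous interfaces.
printf 'xl1  8843 -> %s\n' "$(decode_ifflags 8843)"
printf 'fxp0 8943 -> %s\n' "$(decode_ifflags 8943)"
printf 'promiscuous: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces)"
```

On a live box, pipe a trusted ifconfig into promisc_ifaces (`ifconfig -a | sh -c '. ./ifflags.sh; promisc_ifaces'` or similar) while chkrootkit is running, as the message suggests. The result is only as trustworthy as the ifconfig and kernel that produced the flags word: a kernel-level rootkit can clear IFF_PROMISC in what it reports, which is exactly why the message insists on a known-good set of binaries.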