From owner-freebsd-questions Mon Oct  7 12:21:07 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C94E037B401;
	Mon, 7 Oct 2002 12:21:03 -0700 (PDT)
Received: from studnet.sk (kripel.unitra.sk [193.87.12.67])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D797943E65;
	Mon, 7 Oct 2002 12:21:01 -0700 (PDT)
	(envelope-from rado@kripel.studnet.sk)
Received: from kripel.studnet.sk (rado@localhost [IPv6:::1])
	by studnet.sk (8.12.5/angel's version) with ESMTP id g97JKxJ2093789;
	Mon, 7 Oct 2002 21:21:00 +0200 (CEST)
Received: (from rado@localhost)
	by kripel.studnet.sk (8.12.5/8.12.3/Submit) id g97JKxwK093727;
	Mon, 7 Oct 2002 21:20:59 +0200 (CEST)
Date: Mon, 7 Oct 2002 21:20:59 +0200
From: Radko Keves
To: Riley
Cc: questions@FreeBSD.org
Subject: Re: chkrootkit help
Message-ID: <20021007192059.GA62214@studnet.sk>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

;), Mon, Oct 07, 2002 at 11:47:15AM -0700, Riley said that
> Hi all,

hi

> 
> (Let me know if this belongs in -questions)
> 
> I could sure use some help interpreting this. A 4.6.2-RELEASE-p2 system
> (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages
> like:

try running the latest sendmail with the patch :) .... and upgrade your box

> 
> /kernel: file: table is full
> 

I know it :)

> along with related messages, then a core dump. (syslog for this date is
> below.)
> 
> I took this as a side effect of a recent spamassassin install/upgrade (2.41)
> and increased kern.maxfiles to 8192 and max.vnodes to 16384. As the system

my kern.maxfiles is set to 65536 and max.vnodes to 8662,
and try to set up /etc/login.conf for users (see man login.conf and all the sections about files :))

> started to recover for fun I ran chkrootkit which came back with this:

try compiling lsof, it is better for ports

> 
> Checking `bindshell'... INFECTED (PORTS: 114)

uf, the audionews port

> 
> A few minutes later and ever since chkrootkit returns:
> 
> Checking `bindshell'... not infected
> 
> netstat -an doesn't show anything on 114 and nothing unusual.

try: telnet localhost 114
but it can't help you
cvsup
#cd /usr/src/usr.sbin/named
#make && make install && make clean
and restart named

> 
> The system is on a dmz with ports 25, 53 and 110 mapped through. Running
> chkrootkit on the firewall reported this:
> 
> Checking `bindshell'... not infected
> Checking `lkm'... not tested: can't exec ./chkproc

try to recompile linux ksec, that's good for addresses of system calls
or run:
#nm kernel | grep -v '\(compiled\)\|\(\.o$\)\|\( [aUw] \)\|\(\.\.ng$\)\|\(LASH[RL]DI\)' | sort
to see your syscall addresses :)

> Checking `rexedcs'... not found
> Checking `sniffer'...
> xl0 is not promisc
> xl2 is not promisc
> 
> I'm not sure what to think about "can't exec ./chkproc". Also the xl1
> interface is not reported in the output and is the dmz interface that the
> above machine is on. ifconfig shows:
> 
> xl1: flags=8843 mtu 1500
>         inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
>         inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
>         ether 00:60:08:31:e4:b0
>         media: Ethernet autoselect (10baseT/UTP)
>         status: active
> 
> Any comments would be greatly appreciated.
> 
> Thanks,
> 
> Riley
> 
> 
> "That which does not kill us makes us stranger."
>         --Kimchi
> 
> 
> Oct  7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect:
> I/O error on connection from [203.48.40.139], from=
> Oct  7 08:45:13 aji /kernel: file: table is full
> Oct  7 08:45:14 aji last message repeated 38 times
> Oct  7 08:46:27 aji last message repeated 35 times
> Oct  7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect:
> I/O error on connection from adsl-63-rev-addr,
> from=
> Oct  7 09:22:17 aji /kernel: file: table is full
> Oct  7 09:22:20 aji last message repeated 17 times
> Oct  7 09:23:21 aji last message repeated 16 times
> Oct  7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0):
> ... openmailer(local): pipe (to mailer): Too many open
> files in system

someone is playing with you :)

> Oct  7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot
> open hash database /etc/mail/aliases.db: Too many open files in system
> Oct  7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in
> system
> Oct  7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
> Oct  7 09:25:42 aji /kernel: file: table is full
> Oct  7 09:25:43 aji last message repeated 4 times
> Oct  7 09:29:58 aji /kernel: file: table is full
> Oct  7 09:30:44 aji last message repeated 107 times
> Oct  7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11
> (core dumped)

ajajaja

> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

bye
-- 
20:57  up 2 days, 3:31, 4 users, load averages: 0,00 0,00 0,00
-- FreeBSD 5.0-CURRENT #16: root@kripel:/usr/src/sys/i386/compile/angel
-- powered by rado

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
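The thread above has chkrootkit flag port 114 on one run and report "not infected" a few minutes later, with netstat showing nothing on 114 in between. The following shell example is added here and is not code from either poster or from chkrootkit itself. It models how the `bindshell' test works as I understand it (a fixed list of ports is grepped out of `netstat -an`, and sockets in connected or closing states are ignored) over a constructed FreeBSD-style `netstat -an` dump, and adds a helper that pulls the state column for a flagged port so a socket in LISTEN can be told apart from a passing connection. The port list is an assumed subset, the netstat text is constructed, and the exact list and matching rules are chkrootkit's own, so treat the output as an illustration of what "INFECTED (PORTS: 114)" means, not as a replacement for the tool.

```shell
#!/bin/sh
# Added example (not from the list thread): approximate chkrootkit's
# `bindshell' test over a constructed `netstat -an' dump, then show
# how to read the state of a flagged port.

# Assumption: a subset of the ports chkrootkit scans. The real list and
# matching logic live in chkrootkit itself and may differ.
BINDSHELL_PORTS="114 145 465 511 600 1008 1524 1999 3879 4369 5665 10008 12321 27374 31337"

# Constructed sample of `netstat -an' output in FreeBSD 4.x layout
# (local/foreign addresses are printed as addr.port). Line 3 models the
# suspicious socket: something listening on *.114. Line 5 models a normal
# outbound SMTP session, which must not be counted.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.114                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  10.100.100.2.3245      203.0.113.10.25        ESTABLISHED
tcp4       0      0  *.53                   *.*                    LISTEN
udp4       0      0  *.53                   *.*'

# check_bindshell_ports NETSTAT_TEXT
# Prints, space separated, every watched port that has a TCP socket in a
# bound/listening state, i.e. one whose state is not a transient
# connected or closing state. Empty output means "not infected".
check_bindshell_ports() {
    _text=$1
    _hits=""
    for _p in $BINDSHELL_PORTS; do
        # [.:]PORT[^0-9.:] keeps 114 from matching 1148 or 10.100.114.5
        if printf '%s\n' "$_text" \
            | grep -E "^tcp.*[.:]${_p}[^0-9.:]" \
            | grep -Ev 'TIME_WAIT|ESTABLISHED|CLOSE_WAIT|SYN_SENT|CLOSING|FIN_WAIT|LAST_ACK|SYN_RCVD' \
            >/dev/null 2>&1; then
            _hits="${_hits}${_hits:+ }${_p}"
        fi
    done
    printf '%s\n' "$_hits"
}

# port_state NETSTAT_TEXT PORT
# Prints the (state) column of the first TCP socket on PORT, or "none" when
# nothing is bound there. A hit that reads LISTEN is worth a look with
# `sockstat -4 -l' or `lsof -i tcp:PORT' while it is still there; a hit that
# is gone on the next run is consistent with a short-lived socket.
port_state() {
    _line=$(printf '%s\n' "$1" | grep -E "^tcp.*[.:]$2[^0-9.:]" | head -n 1)
    if [ -z "$_line" ]; then
        echo none
    else
        printf '%s\n' "$_line" | awk '{print $NF}'
    fi
}

# Demo run over the constructed dump, in chkrootkit's own wording.
hits=$(check_bindshell_ports "$SAMPLE_NETSTAT")
if [ -n "$hits" ]; then
    echo "Checking \`bindshell'... INFECTED (PORTS: $hits)"
    for p in $hits; do
        echo "  port $p state: $(port_state "$SAMPLE_NETSTAT" "$p")"
    done
else
    echo "Checking \`bindshell'... not infected"
fi
```

Run it against a live box by substituting `"$(netstat -an)"` for the sample text. The second grep is the part that matters for false alarms: an outbound connection whose ephemeral local port happens to be in the list is in ESTABLISHED and is skipped, while anything sitting in LISTEN on a watched port is reported, so the next step after a hit is always to look at what process owns the socket at that moment.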