Date: Mon, 7 Oct 2002 13:28:44 -0700 From: "Riley" <rileyjmc@pacbell.net> To: "FreeBSD Questions" <freebsd-questions@FreeBSD.org> Subject: chkrootkit help Message-ID: <HEEELMCBPANKADCOBOFPCEPKGPAA.rileyjmc@pacbell.net>
Hi all,
I could sure use some help interpreting this. I guess I'd like to know if
chkrootkit could give a false positive under a "file table full" condition?
A 4.6.2-RELEASE-p2 system (running bind 8.3.3-REL and sendmail 8.12.3)
started getting syslog messages like:
/kernel: file: table is full
along with related messages, then a core dump. (syslog for this date is
below.)
I took this as a side effect of a recent spamassassin install/upgrade (2.41)
and increased kern.maxfiles to 8192 and max.vnodes to 16384. As the system
started to recover, for fun I ran chkrootkit, which came back with this:
Checking `bindshell'... INFECTED (PORTS: 114)
A few minutes later and ever since chkrootkit returns:
Checking `bindshell'... not infected
netstat -an doesn't show anything on 114 and nothing unusual.
The system is on a dmz with ports 25, 53 and 110 mapped through. Running
chkrootkit on the firewall reported this:
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec ./chkproc
Checking `rexedcs'... not found
Checking `sniffer'...
xl0 is not promisc
xl2 is not promisc
I'm not sure what to think about "can't exec ./chkproc". Also the xl1
interface is not reported in the output and is the dmz interface that the
above machine is on. ifconfig shows:
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
ether 00:60:08:31:e4:b0
media: Ethernet autoselect (10baseT/UTP)
status: active
Any comments would be greatly appreciated. If this isn't a 'false positive'
I'll rebuild the machine.
Thanks,
Riley
"That which does not kill us makes us stranger."
--Kimchi
Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect: I/O error on connection from [203.48.40.139], from=<News@ineedhits.com>
Oct 7 08:45:13 aji /kernel: file: table is full
Oct 7 08:45:14 aji last message repeated 38 times
Oct 7 08:46:27 aji last message repeated 35 times
Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect: I/O error on connection from adsl-63-rev-addr, from=<root@someotherserver.dom>
Oct 7 09:22:17 aji /kernel: file: table is full
Oct 7 09:22:20 aji last message repeated 17 times
Oct 7 09:23:21 aji last message repeated 16 times
Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): <local@email.addr>... openmailer(local): pipe (to mailer): Too many open files in system
Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot open hash database /etc/mail/aliases.db: Too many open files in system
Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
Oct 7 09:25:42 aji /kernel: file: table is full
Oct 7 09:25:43 aji last message repeated 4 times
Oct 7 09:29:58 aji /kernel: file: table is full
Oct 7 09:30:44 aji last message repeated 107 times
Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
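The two checks a responder would make by hand on a report like the one above, written out as an added example (this is not code from Riley's post, from chkrootkit or from FreeBSD): first, parse a BSD-style `netstat -an` listing and report any LISTEN socket on a small set of ports that bindshell-style checks are known to flag, so a "INFECTED (PORTS: 114)" verdict can be confirmed or contradicted against the kernel's own socket table; second, count how severe the descriptor exhaustion in the syslog excerpt actually was, expanding the "last message repeated N times" lines, which is the context needed to judge whether a scanner that forks helper processes could have misbehaved. The netstat listing is constructed (the `*.114` line is included deliberately so the check fires); the syslog sample is the post's own excerpt with wrapped entries re-joined onto single lines; the suspect-port set is an illustrative assumption, not chkrootkit's actual table.

```python
import re

# Illustrative ports a bindshell-style check looks for; 114 is the one flagged
# in the post. ASSUMPTION: a small sample, not chkrootkit's real port table.
SUSPECT_PORTS = {114, 1524, 31337}

# BSD netstat -an: "tcp4  0  0  *.25  *.*  LISTEN" (port follows the last '.')
LISTEN_RE = re.compile(r"^(tcp\d?|udp\d?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\b")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
FILE_TABLE_FULL = "/kernel: file: table is full"
TOO_MANY_OPEN = "Too many open files"

# Constructed listing for a host with 25/53/110 mapped through, plus a
# listener on 114 so the suspect-port check has something to report.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.100.100.2.25        203.0.113.7.4312       ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.114                  *.*                    LISTEN
udp4       0      0  *.53                   *.*
"""

# The post's syslog excerpt, one entry per line (e-mail line wraps re-joined).
SAMPLE_SYSLOG = """\
Oct 7 08:45:13 aji /kernel: file: table is full
Oct 7 08:45:14 aji last message repeated 38 times
Oct 7 08:46:27 aji last message repeated 35 times
Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect: I/O error on connection from adsl-63-rev-addr, from=<root@someotherserver.dom>
Oct 7 09:22:17 aji /kernel: file: table is full
Oct 7 09:22:20 aji last message repeated 17 times
Oct 7 09:23:21 aji last message repeated 16 times
Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): <local@email.addr>... openmailer(local): pipe (to mailer): Too many open files in system
Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot open hash database /etc/mail/aliases.db: Too many open files in system
Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
Oct 7 09:25:42 aji /kernel: file: table is full
Oct 7 09:25:43 aji last message repeated 4 times
Oct 7 09:29:58 aji /kernel: file: table is full
Oct 7 09:30:44 aji last message repeated 107 times
Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)
"""


def parse_listeners(netstat_text):
    """Return the set of (proto, port) pairs in LISTEN state."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            proto, local = m.group(1), m.group(2)
            found.add((proto, int(local.rsplit(".", 1)[1])))
    return found


def suspect_listeners(netstat_text, ports=SUSPECT_PORTS):
    """Suspect ports that really have a listener, sorted; [] means the
    scanner's verdict is not backed by the current socket table."""
    return sorted(p for _, p in parse_listeners(netstat_text) if p in ports)


def count_exhaustion(syslog_text):
    """Count kernel 'file: table is full' events (expanding syslog's
    'last message repeated N times') and per-process 'Too many open files'."""
    fttf = tmof = 0
    prev_was_fttf = False
    for line in syslog_text.splitlines():
        m = REPEAT_RE.search(line)
        if m:
            if prev_was_fttf:
                fttf += int(m.group(1))
            continue  # a repeat line leaves "last message" unchanged
        if FILE_TABLE_FULL in line:
            fttf += 1
            prev_was_fttf = True
        else:
            prev_was_fttf = False
        if TOO_MANY_OPEN in line:
            tmof += 1
    return {"file_table_full": fttf, "too_many_open_files": tmof}


if __name__ == "__main__":
    print("suspect listeners:", suspect_listeners(SAMPLE_NETSTAT))
    print("exhaustion:", count_exhaustion(SAMPLE_SYSLOG))
```

On a live system, feed `netstat -an` output into `suspect_listeners` at the moment a scanner reports a port; a verdict that is not matched by a LISTEN socket taken at the same time is the first thing to record before deciding between a transient scanner error and a rebuild. The exhaustion counter is there to put a number on the incident window: for the excerpt above it reports 221 kernel file-table-full events and three processes that failed with "Too many open files" within the same hour, which is the condition under which any tool that spawns helpers (the "can't exec ./chkproc" line in the firewall output is a reminder of that class of failure) deserves a rerun once the system is healthy.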
