From owner-freebsd-questions Mon Oct 7 13:28:50 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25A2437B401 for ; Mon, 7 Oct 2002 13:28:48 -0700 (PDT)
Received: from aji.wilshire.net (worm.wilshire.net [64.161.77.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F1A443E3B for ; Mon, 7 Oct 2002 13:28:47 -0700 (PDT) (envelope-from rileyjmc@pacbell.net)
Received: from emilyd (emilyd.wilshire.net [10.100.123.20]) by aji.wilshire.net (8.12.3/8.12.3) with SMTP id g97KRinm099862 for ; Mon, 7 Oct 2002 13:27:45 -0700 (PDT) (envelope-from rileyjmc@pacbell.net)
From: "Riley"
To: "FreeBSD Questions"
Subject: chkrootkit help
Date: Mon, 7 Oct 2002 13:28:44 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi all,

I could sure use some help interpreting this. I guess I'd like to know if chkrootkit could give a false positive under a "file table full" condition?

A 4.6.2-RELEASE-p2 system (running bind 8.3.3-REL and sendmail 8.12.3) started getting syslog messages like:

/kernel: file: table is full

along with related messages, then a core dump. (syslog for this date is below.) I took this as a side effect of a recent spamassassin install/upgrade (2.41) and increased kern.maxfiles to 8192 and max.vnodes to 16384.

As the system started to recover, for fun I ran chkrootkit, which came back with this:

Checking `bindshell'... INFECTED (PORTS: 114)

A few minutes later and ever since chkrootkit returns:

Checking `bindshell'... not infected

netstat -an doesn't show anything on 114 and nothing unusual. The system is on a dmz with ports 25, 53 and 110 mapped through.

Running chkrootkit on the firewall reported this:

Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec ./chkproc
Checking `rexedcs'... not found
Checking `sniffer'... xl0 is not promisc
xl2 is not promisc

I'm not sure what to think about "can't exec ./chkproc". Also the xl1 interface is not reported in the output and is the dmz interface that the above machine is on. ifconfig shows:

xl1: flags=8843 mtu 1500
        inet 10.100.100.1 netmask 0xffffff00 broadcast 10.100.100.255
        inet6 fe80::260:8ff:fe31:e4b0%xl1 prefixlen 64 scopeid 0x2
        ether 00:60:08:31:e4:b0
        media: Ethernet autoselect (10baseT/UTP)
        status: active

Any comments would be greatly appreciated. If this isn't a 'false positive' I'll rebuild the machine.

Thanks,
Riley

"That which does not kill us makes us stranger." --Kimchi

Oct 7 03:13:56 aji sendmail[91248]: g97A2rnm091248: SYSERR(root): collect: I/O error on connection from [203.48.40.139], from=
Oct 7 08:45:13 aji /kernel: file: table is full
Oct 7 08:45:14 aji last message repeated 38 times
Oct 7 08:46:27 aji last message repeated 35 times
Oct 7 09:14:05 aji sendmail[93085]: g97G8Xnm093085: SYSERR(root): collect: I/O error on connection from adsl-63-rev-addr, from=
Oct 7 09:22:17 aji /kernel: file: table is full
Oct 7 09:22:20 aji last message repeated 17 times
Oct 7 09:23:21 aji last message repeated 16 times
Oct 7 09:23:23 aji sendmail[93320]: g97GEKpG093112: SYSERR(UID0): ... openmailer(local): pipe (to mailer): Too many open files in system
Oct 7 09:23:25 aji sendmail[93112]: g97GEKpI093112: SYSERR(root): Cannot open hash database /etc/mail/aliases.db: Too many open files in system
Oct 7 09:23:22 aji inetd[93322]: /etc/spwd.db: Too many open files in system
Oct 7 09:23:28 aji inetd[93322]: pop3/tcp: root: no such user
Oct 7 09:25:42 aji /kernel: file: table is full
Oct 7 09:25:43 aji last message repeated 4 times
Oct 7 09:29:58 aji /kernel: file: table is full
Oct 7 09:30:44 aji last message repeated 107 times
Oct 7 09:30:53 aji /kernel: pid 93340 (cron), uid 0: exited on signal 11 (core dumped)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
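The bindshell result Riley is asking about comes from a simple heuristic: chkrootkit's `bindshell' test runs netstat -an and reports INFECTED when a listening TCP socket (or any UDP socket) sits on one of a fixed list of ports that known backdoors have used. A listener that exists only for a moment, or a netstat run that fails silently, therefore changes the verdict between two runs. The script below is an added example written for this page, not chkrootkit's own code: it re-implements that style of check against constructed netstat output so it runs offline, using a hypothetical three-port watchlist, and it adds the one thing the plain heuristic lacks, a distinct "no data" result when netstat produced no socket lines at all, so a failed check is never reported as "not infected". Sample addresses are constructed.

```sh
#!/bin/sh
# Added example (not chkrootkit's own code): a bindshell-style port check
# run against constructed netstat -an text. WATCH_PORTS is a hypothetical
# watchlist; chkrootkit ships its own, much longer list.
WATCH_PORTS="114 1524 31337"

# Constructed netstat -an output in FreeBSD 4.x format: a mail/DNS/POP host
# with one unexplained listener on 114 (first snapshot).
SAMPLE_LISTENING='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.114                  *.*                    LISTEN
tcp4       0      0  10.100.123.20.1023     10.100.100.1.22        ESTABLISHED
udp4       0      0  *.53                   *.*'

# Constructed second snapshot: the 114 listener is gone. An outbound
# connection whose *remote* port is 114 is included to show that only
# local listening sockets count.
SAMPLE_CLEAN='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  10.100.123.20.2049     203.0.113.5.114        ESTABLISHED
udp4       0      0  *.53                   *.*'

# Reads netstat -an text on stdin.
#   prints the watched ports found listening (space separated), returns 0
#   prints nothing when none are found, returns 0
#   prints NO-DATA and returns 2 when the input has no socket lines at all,
#   e.g. because netstat itself failed (a full file table is one such case)
flag_bindshell_ports() {
    input=$(cat)
    # Keep TCP listeners and all UDP sockets, then keep the local address.
    locals=$(printf '%s\n' "$input" | awk '/^tcp.*LISTEN|^udp/ { print $4 }')
    if [ -z "$locals" ]; then
        echo "NO-DATA"
        return 2
    fi
    found=""
    for p in $WATCH_PORTS; do
        # Local address ends in ".<port>" on FreeBSD and ":<port>" on Linux.
        if printf '%s\n' "$locals" | grep -qE "[.:]$p\$"; then
            found="${found:+$found }$p"
        fi
    done
    [ -n "$found" ] && echo "$found"
    return 0
}

# Stand-alone demonstration of the three outcomes.
demo() {
    printf 'snapshot 1 : %s\n' "$(printf '%s\n' "$SAMPLE_LISTENING" | flag_bindshell_ports)"
    printf 'snapshot 2 : %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN" | flag_bindshell_ports)"
    printf 'no netstat : %s\n' "$(printf '' | flag_bindshell_ports || true)"
}
demo
```

Two points follow from the logic. First, the check only tells you that something was listening on a watched port at the instant netstat ran; to decide whether that is a backdoor or a short-lived legitimate process you need to attribute the socket to a process while it is still open, which on FreeBSD sockstat(1) (or lsof) does, and which a later netstat -an cannot do once the listener has exited. Second, because the real check discards netstat's stderr, a netstat that cannot run under a resource-exhaustion condition looks exactly like a clean host; the NO-DATA branch above is the cheap way to keep those two cases apart.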