
[suse-security] rootkit?



hi list,
just curious whether this rings a bell with someone. Recently I noticed 
several strange things on one of my boxes (SuSE 8.2 with stock kernel for 
Athlon). Among the evidence that something fishy is going on, I found a rather 
strange process in "ps auwx":

USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   500   72 ?        S     2003   0:03 init [3]     
root         2  0.0  0.0     0    0 ?        SW    2003   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SWN   2003   0:00 [ksoftirqd_CPU0]
root         4  0.0  0.0     0    0 ?        SW    2003   0:23 [kswapd]
root         5  0.0  0.0     0    0 ?        SW    2003   0:00 [bdflush]
root         6  0.0  0.0     0    0 ?        SW    2003   0:00 [kupdated]
root         7  0.0  0.0     0    0 ?        SW    2003   0:06 [kinoded]
root         9  0.0  0.0     0    0 ?        SW    2003   0:00 [mdrecoveryd]
root        12  0.0  0.0     0    0 ?        SW    2003   0:00 [scsi_eh_0]
root        15  0.0  0.0     0    0 ?        SW    2003   0:57 [kjournald]
at         219  0.0  0.0  1492  104 ?        S     2003   0:00 [atd]
root       425  0.0  0.0     0    0 ?        SW    2003   0:00 [eth0]

I have never seen something like [eth0] anywhere else (btw: what's the actual 
meaning of the square brackets? Daemons show them too, but these are kernel 
tasks). Looking at /proc/425 doesn't give any clues, except that it has one 
file descriptor open pointing to /dev/initctl and a PPID of 1.

I also found port 6667 to be open, or rather "filtered" (nmap). The firewall 
(self-made) doesn't touch it, and I can't associate a process with it (it 
doesn't accept connections either if simply telnetted to).

So the question: has anyone seen such a thing? I checked with the 
"checkrootkit" suite, but nothing was found.
-- 
Patrick Ahlbrecht
Systemadministration billiton internetservices
direct phone: 0271 30386 19
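
Two /proc cross-checks for the two symptoms in the post above, as an added
example that is not part of the original message and not a SuSE or chkrootkit
tool. On the bracket question: procps prints a name in square brackets when
/proc/PID/cmdline is empty. Genuine kernel threads look like that, but so does
any user-space process that has wiped its argv. What a kernel thread can never
have is an open file descriptor, a readable /proc/PID/exe link or a non-empty
/proc/PID/maps, so a bracketed process with any of those (like [eth0] holding
/dev/initctl) is user space in disguise. The second check pairs every LISTEN
socket in /proc/net/tcp (ports are in hex there, 6667 is 0x1A0B) with the
socket inodes visible in /proc/PID/fd; a listener whose inode no visible
process owns is either being hidden or changed between the two reads. The
sample process table and the /proc/net/tcp lines are constructed for the
example. Caveat: both checks read /proc, so a kernel-module rootkit that
filters /proc can hide from them as well; then only a boot from known-good
media gives a trustworthy view of the box.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcInfo:
    pid: int
    comm: str                    # name from /proc/PID/stat, e.g. "eth0"
    cmdline: str                 # "" is exactly what makes ps print [comm]
    exe: Optional[str]           # readlink(/proc/PID/exe), None if unreadable
    fds: List[str] = field(default_factory=list)  # readlink of each /proc/PID/fd/N
    maps_empty: bool = True      # /proc/PID/maps has no lines


def masquerade_reasons(p: ProcInfo) -> List[str]:
    """Why a bracketed (cmdline-less) process cannot be a genuine kernel thread:
    kernel threads have no fds, no exe link and no user-space mappings."""
    if p.cmdline:
        return []                # ps would show argv, not a bracketed name
    reasons = []
    if p.fds:
        reasons.append("open fds: " + ", ".join(p.fds))
    if p.exe:
        reasons.append("readable exe link: " + p.exe)
    if not p.maps_empty:
        reasons.append("non-empty memory map")
    return reasons


def hidden_listeners(net_tcp: str, procs: List[ProcInfo]) -> List[int]:
    """Ports in LISTEN state (st == 0A) whose socket inode no process holds.
    /proc/net/tcp encodes address:port in hex; the inode is the 10th field."""
    owned = {fd for p in procs for fd in p.fds if fd.startswith("socket:[")}
    ports = []
    for line in net_tcp.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)
        if "socket:[%s]" % f[9] not in owned:
            ports.append(port)
    return ports


def read_proc(pid: int, proc: str = "/proc") -> Optional[ProcInfo]:
    """Collect the fields above for one live PID (Linux only, run as root)."""
    base = os.path.join(proc, str(pid))
    try:
        with open(os.path.join(base, "stat")) as fh:
            stat = fh.read()
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
        with open(os.path.join(base, "maps")) as fh:
            maps_empty = fh.read(1) == ""
    except OSError:
        return None              # process went away or permission denied
    comm = stat[stat.index("(") + 1:stat.rindex(")")]  # comm may contain spaces
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None
    fds = []
    try:
        for name in os.listdir(os.path.join(base, "fd")):
            try:
                fds.append(os.readlink(os.path.join(base, "fd", name)))
            except OSError:
                pass             # fd closed between listdir and readlink
    except OSError:
        pass
    return ProcInfo(pid, comm, cmdline, exe, fds, maps_empty)


def scan_live(proc: str = "/proc"):
    """Run both checks against the running system."""
    procs = [p for p in (read_proc(int(d), proc)
                         for d in os.listdir(proc) if d.isdigit()) if p]
    with open(os.path.join(proc, "net", "tcp")) as fh:
        net_tcp = fh.read()
    flagged = {p.pid: masquerade_reasons(p) for p in procs if masquerade_reasons(p)}
    return flagged, hidden_listeners(net_tcp, procs)


# Constructed sample modelled on the post: init, a real kernel thread, the
# bracketed [eth0] process holding /dev/initctl, sshd owning the port 22
# (0x0016) listener, and a listener on 6667 (0x1A0B) whose inode nobody owns.
SAMPLE_PROCS = [
    ProcInfo(1, "init", "init [3]", "/sbin/init", ["/dev/initctl"], False),
    ProcInfo(4, "kswapd", "", None, [], True),
    ProcInfo(425, "eth0", "", None, ["/dev/initctl"], True),
    ProcInfo(700, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd", ["socket:[1234]"], False),
]
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 00000000 100 0 0 10 0
"""


def check_sample():
    """Apply both checks to the constructed sample (what the self-test uses)."""
    flagged = {p.pid: masquerade_reasons(p) for p in SAMPLE_PROCS if masquerade_reasons(p)}
    return flagged, hidden_listeners(SAMPLE_NET_TCP, SAMPLE_PROCS)


if __name__ == "__main__":
    flagged, ports = scan_live() if os.path.isdir("/proc") else check_sample()
    for pid, why in flagged.items():
        print("PID %d looks like a kernel thread but: %s" % (pid, "; ".join(why)))
    for port in ports:
        print("LISTEN on port %d has no owning process in /proc" % port)
```

On the sample, PID 425 is reported because of its open fd on /dev/initctl and
port 6667 because inode 9999 appears in no fd table; [kswapd] passes both tests.
Run as root on the live box, since /proc/PID/exe and /proc/PID/fd of other
users' processes are not readable otherwise.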
