Re: 2.4.18 fork & defunct child => system is hacked

From: Keith Whyte
Date: Wed Nov 19 2003 - 14:48:05 EST


Frank van Maarseveen wrote:

On Mon, Nov 17, 2003 at 06:26:00PM -0600, Keith Whyte wrote:


{ strace listing deleted, see http://marc.theaimsgroup.com/?l=linux-kernel&m=106905386725308&w=2 }



First of all, /bin/true doing a fork() basically means you've
been hacked: there should not be any such code in there. The
open("/proc/17904///////////exe" is another piece of clear evidence
that your system has been hacked.

Why the additional slashes?


Is it at all possible that this behaviour is due to strace?
I have just installed under a fresh directory, from the slackware packages, the glibc-so libs, a few progs, strace, and chroot'ed into that system.
I still get the same behaviour. So does that mean it _has_ to be the kernel that is at fault?

A cmp on the distro kernel and the one on my system does show this:

cmp -b -l /boot/vmlinuz /home/r2/boot/vmlinuz
499 1 ^A 0 ^@

but that is the rootflags, no? I must have set it ro before.


I am going to compile a kernel on a clean machine and boot the machine with that as soon as I can get somebody down there to monitor it in case it doesn't come back up with the new kernel.

I suspect a library/or LD_PRELOAD hack which simply encodes the getpid()
return value in decimal notation and stores it right into a static
buffer containing

"/proc//////////////////exe"

because it can't use sprintf at that point for some reason (maybe
just because it is a library/LD_PRELOAD hack).




I think I vaguely know what you're saying here, but why? Why would it have happened as soon as the machine was first brought up (after the initial install), then again after a reinstall, and then go away? Why then would it happen again some months later? And how would they have hacked it? It only runs ssh and apache. No sendmail, no bind, none of those usual culprits. Apache is not running as root. The only other listener is identd.
It also runs nfsd, but connections are firewalled from anything other than a 192.168.0.1 address configured on the second NIC. Ah, but then I did accidentally open the firewall recently for a few days.

hmmm.
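The two tells Frank points at in the strace output (a program like /bin/true calling fork(), and an open() of a /proc path padded with redundant slashes, which the kernel's path walk collapses so the call still succeeds) can be checked mechanically. The following is an added example, not code from either poster: a small Python scanner over strace text that normalises repeated slashes the way the kernel does and flags a fork/vfork/clone from a binary that should never spawn a child. The sample strace lines are constructed to resemble the symptoms described above; the real listing from the thread is not reproduced here, and the NO_FORK_EXPECTED set and the regexes are this example's own assumptions about strace's output format.

```python
import re

# Constructed sample strace output (not the listing from the original thread),
# showing the symptoms described: /bin/true forking, and an open() of a
# /proc/<pid>/exe path padded with redundant slashes.
SAMPLE_STRACE = """\
execve("/bin/true", ["/bin/true"], [/* 12 vars */]) = 0
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
open("/proc/17904///////////exe", O_RDONLY) = 4
fork() = 17905
_exit(0) = ?
"""

# Assumption for this example: programs that must never create a child process.
NO_FORK_EXPECTED = {"/bin/true", "/bin/false"}

# Assumed strace line shape: optional "[pid N]" or "N" prefix, then name(args) = result
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(\w+)\((.*)\)\s*=')
PATH_ARG_RE = re.compile(r'"([^"]*)"')
FORK_CALLS = {"fork", "vfork", "clone"}


def normalize_path(path: str) -> str:
    """Collapse runs of '/' into one, as the kernel's path walk treats them,
    so "/proc/17904///////////exe" and "/proc/17904/exe" compare equal."""
    return re.sub(r"/{2,}", "/", path)


def analyze_strace(text: str):
    """Return (line number, finding kind, detail) tuples for suspicious calls."""
    findings = []
    current_exe = None  # last execve()'d binary, used for the fork heuristic
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        call, args = m.groups()
        paths = PATH_ARG_RE.findall(args)
        if call == "execve" and paths:
            current_exe = paths[0]
            continue
        # A /proc path that only matches after collapsing slashes is the
        # "pid written into a fixed-size slash-padded buffer" pattern.
        for path in paths:
            norm = normalize_path(path)
            if norm != path and norm.startswith("/proc/"):
                findings.append((lineno, "redundant-slashes",
                                 f"{call}({path!r}) resolves to {norm!r}"))
        # /bin/true, /bin/false etc. have no business spawning children.
        if call in FORK_CALLS and current_exe in NO_FORK_EXPECTED:
            findings.append((lineno, "unexpected-fork",
                             f"{current_exe} called {call}()"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in analyze_strace(SAMPLE_STRACE):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it against `strace -f -o trace.txt /bin/true` output from a suspect box and from a known-clean install of the same distribution; a clean trace should produce no findings, and the slash-normalisation check is independent of which pid the hooked library wrote into the buffer.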


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/