[Cialug] Rootkit?

Nathan C. Smith nathan.smith at ipmvs.com
Thu Jan 31 19:07:02 CST 2008


I'm going to assume it is internet-facing.  Are you running Apache on it?
There were some recent reports....

Do a Google search/check the websites for issues for any internet-facing
packages you have on it.  I got a rootkit from running Drupal once - to give
you an idea of what I mean.

Try running some other basic investigation commands and see if they lie to
you in ways you can tell.  Amount of disk space available or how many
processes are actually running.  Can you watch the wire to see if you are
sending anything strange outbound?

I know you are reluctant to reboot machines - have you rebooted?  Could it
be a bad bit of memory or a memory leak?  Experimental Kernel?

-Nate

> -----Original Message-----
> From: Nathan Stien [mailto:nathanism at gmail.com] 
> Sent: Thursday, January 31, 2008 6:55 PM
> To: Central Iowa Linux Users Group
> Subject: [Cialug] Rootkit?
> 
> One of my boxen is acting a bit weird.  When I run htop to 
> see what's running, it shows nearly 100% utilization of each 
> core, but no particular process seems to be responsible.  The 
> utilization mostly shows up in red, which in htop means 
> kernel-space.  I've been running htop for a long time, and it 
> never showed this until recently.
> Regular old-skool top shows nothing out of the ordinary.
> 
> Things in general seem to be running kinda slow, but not *super* slow.
> Could this be a rootkit?  Or some other oddness?
> 
> I've run rkhunter and chkrootkit, and they turned up nothing.
> Does anyone have an idea what else I might do to investigate this?
> 
> - Nathan
> 
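Nate's suggestion of running basic investigation commands and seeing whether they "lie to you in ways you can tell" can be turned into a repeatable check. The script below is an added example for this thread, not code from either poster. It asks the same two questions two different ways: (1) which PIDs exist, first as a directory listing of /proc (what ps, top and htop rely on) and then by opening /proc/<pid>/status for every candidate PID by name, so a userland hook on readdir() that drops entries shows up as a PID reachable by name but absent from the listing; and (2) how much CPU time is kernel time, read straight from /proc/stat rather than from htop's red bars. It assumes a Linux box with procfs mounted at /proc; the function names are mine.

```python
#!/usr/bin/env python3
"""Cross-check process visibility and CPU accounting on a Linux host.

Added example for the Cialug "Rootkit?" thread; not part of the original
posts.  Assumes procfs is mounted at /proc (Linux).  Thread IDs are a known
false positive: /proc/<tid>/status opens fine but readdir() on /proc never
lists threads, so we only count entries whose Tgid equals the probed PID.
"""
import os
import re

PROC = "/proc"  # assumption: Linux procfs location


def parse_tgid(status_text):
    """Return the thread-group id from a /proc/<pid>/status body, or None."""
    m = re.search(r"^Tgid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def listed_pids(proc=PROC):
    """PIDs as a plain directory listing of /proc reports them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """PIDs found by opening /proc/<pid>/status for every candidate by name."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as f:
                text = f.read()
        except OSError:
            continue  # no such process, or it exited during the scan
        if parse_tgid(text) == pid:  # skip thread ids (see module docstring)
            found.add(pid)
    return found


def hidden_pids(listed_before, probed, listed_after):
    """PIDs reachable by name but missing from both directory listings.

    Two listings bracket the probe so that a process which started or exited
    mid-scan is not reported as hidden.
    """
    return probed - listed_before - listed_after


def kernel_time_share(stat_cpu_line):
    """Fraction of jiffies spent in kernel space, from a /proc/stat 'cpu' line.

    Field order: user nice system idle iowait irq softirq steal guest guest_nice.
    Kernel time here means system + irq + softirq.
    """
    fields = stat_cpu_line.split()
    if not fields or not fields[0].startswith("cpu"):
        raise ValueError("expected a /proc/stat cpu line")
    vals = [int(x) for x in fields[1:]]
    padded = (vals + [0] * 7)[:7]
    _user, _nice, system, _idle, _iowait, irq, softirq = padded
    total = sum(vals)
    return 0.0 if total == 0 else (system + irq + softirq) / total


if __name__ == "__main__":
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = listed_pids()
    probed = probed_pids(max_pid)  # scans every PID up to pid_max; can take a while
    after = listed_pids()
    hidden = hidden_pids(before, probed, after)
    print(f"listed: {len(before)}  probed: {len(probed)}  hidden: {sorted(hidden)}")
    with open(f"{PROC}/stat") as f:
        print(f"kernel share of CPU time since boot: {kernel_time_share(f.readline()):.1%}")
```

Both views come from the same kernel, so this only catches the cheap userland tricks (LD_PRELOAD hooks, a trojaned ps); a kernel-level rootkit that filters at the VFS layer answers both questions consistently. That is why the reply's other suggestion, watching the wire from a second machine, is the more trustworthy cross-check. A high kernel-time share by itself is not evidence of anything; an interrupt storm or a driver problem, which the reply also raises, looks identical in this number.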

