[Cialug] Rootkit?

Josh More morej at alliancetechnologies.net
Thu Jan 31 20:27:28 CST 2008


Boot Knoppix or RescueCD and run chkrootkit and rkhunter again.  Run
ClamAV.

Run Nessus and nmap against your server from a trusted machine.

Boot into different init levels and see if the same behavior occurs.

Check your router/firewall for outbound packets for which you cannot
account.  (You may have to sniff for up to two weeks to actually see
them, if they batch them (ports 80, 25, and 666* are common, but there
are others)).


-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701



>>> "Nathan C. Smith" <nathan.smith at ipmvs.com> 01/31/08 7:07 PM >>> 
I'm going to assume it is internet-facing.  Are you running Apache on it?
There were some recent reports....

Do a Google search/check the websites for issues for any internet-facing
packages you have on it.  I got a rootkit from running Drupal once - to give
you an idea of what I mean.

Try running some other basic investigation commands and see if they lie to
you in ways you can tell.  Amount of disk space available or how many
processes are actually running.  Can you watch the wire to see if you are
sending anything strange outbound?

I know you are reluctant to reboot machines - have you rebooted?  Could it
be a bad bit of memory or a memory leak?  Experimental Kernel?

-Nate

> -----Original Message-----
> From: Nathan Stien [mailto:nathanism at gmail.com] 
> Sent: Thursday, January 31, 2008 6:55 PM
> To: Central Iowa Linux Users Group
> Subject: [Cialug] Rootkit?
> 
> One of my boxen is acting a bit weird.  When I run htop to 
> see what's running, it shows nearly 100% utilization of each 
> core, but no particular process seems to be responsible.  The 
> utilization mostly shows up in red, which in htop means 
> kernel-space.  I've been running htop for a long time, and it 
> never showed this until recently.
> Regular old-skool top shows nothing out of the ordinary.
> 
> Things in general seem to be running kinda slow, but not *super* slow.
>  Could this be a rootkit?  Or some other oddness?
> 
> I've run rkhunter and chkrootkit, and they turned up nothing. 
>  Does anyone have an idea what else I might do to investigate this?
> 
> - Nathan
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
> 
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
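Nate's advice to see whether basic commands "lie to you in ways you can tell", and Nathan's original observation that htop shows kernel-space load that top does not, both come down to comparing independent views of the same fact. The script below is an added example, not code from anyone in the thread: it lists PIDs from /proc and from `ps` and reports disagreements, and computes the kernel share of CPU straight from /proc/stat so it can be checked against both tools. It assumes a Linux procfs and a procps-style `ps`.

```python
"""Cross-view checks for a suspected kernel-space rootkit (added example).

Two independent views of the same fact should agree; a tool that disagrees
with /proc, or one /proc view that disagrees with another, is a lie you
can tell.  Assumes Linux procfs and a procps-style `ps`.
"""
import os
import subprocess

def pids_from_proc(proc_root="/proc"):
    """PIDs visible by listing the procfs directory directly."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pids_from_ps():
    """PIDs reported by the ps binary, a common target for tampering."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(proc_pids, ps_pids):
    """Disagreements between the two listings, keyed by direction.
    Short-lived processes cause transient noise: sample several times and
    only trust PIDs that persist across runs."""
    return {"in_proc_not_ps": sorted(proc_pids - ps_pids),
            "in_ps_not_proc": sorted(ps_pids - proc_pids)}

def kernel_cpu_share(stat_before, stat_after):
    """Fraction of busy CPU time spent in the kernel between two snapshots
    of the aggregate 'cpu' line of /proc/stat (fields: user nice system
    idle iowait irq softirq steal ...).  This is what htop paints red;
    comparing it with top's %sy gives a third, tool-independent view."""
    before = [int(x) for x in stat_before.split()[1:]]
    after = [int(x) for x in stat_after.split()[1:]]
    delta = [a - b for b, a in zip(before, after)]
    kernel = delta[2] + delta[5] + delta[6]    # system + irq + softirq
    busy = sum(delta) - delta[3] - delta[4]    # everything except idle/iowait
    return kernel / busy if busy else 0.0

if __name__ == "__main__":
    import time
    def snap():
        with open("/proc/stat") as f:
            return f.readline()
    first = snap(); time.sleep(2); second = snap()
    print(f"kernel share of busy CPU: {kernel_cpu_share(first, second):.1%}")
    print(hidden_pids(pids_from_proc(), pids_from_ps()))
```

A kernel-space rootkit can hide the same PID from both /proc and ps, so agreement proves nothing; disagreement, or a kernel share far above what top admits to, is what to look for, preferably repeated from a rescue boot as Josh suggests.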


