Hi All,

I have just noticed an odd process running on one of my servers, so thought I'd give rkhunter a quick whirl. The process running is:

root      1372  0.0  0.2  3444 1728 ?        S    17:32   0:00 ?\? 
\??????????g???

with an 'lsof -p 1373' showing:

COMMAND  PID USER   FD   TYPE DEVICE    SIZE     NODE NAME
bash    1373 root  cwd    DIR    8,1    4096  7356417 /home
bash    1373 root  rtd    DIR    8,1    4096        2 /
bash    1373 root  txt    REG    8,1  625228 10240062 /bin/bash
bash    1373 root  mem    REG    0,0                0 [heap] (stat: No such file or directory)
bash    1373 root  mem    REG    8,1   34748  2359350 /lib/tls/libnss_files-2.3.2.so
bash    1373 root  mem    REG    8,1   33440  2359352 /lib/tls/libnss_nis-2.3.2.so
bash    1373 root  mem    REG    8,1   73304  2359347 /lib/tls/libnsl-2.3.2.so
bash    1373 root  mem    REG    8,1   28616  2359348 /lib/tls/libnss_compat-2.3.2.so
bash    1373 root  mem    REG    8,1  290448  3572630 /usr/lib/locale/locale-archive
bash    1373 root  mem    REG    8,1 1254468  2359342 /lib/tls/libc-2.3.2.so
bash    1373 root  mem    REG    8,1    9872  2359344 /lib/tls/libdl-2.3.2.so
bash    1373 root  mem    REG    8,1  252592  2359399 /lib/libncurses.so.5.4
bash    1373 root  mem    REG    8,1    5920  3540286 /usr/lib/gconv/ISO8859-1.so
bash    1373 root  mem    REG    8,1   90248  2359313 /lib/ld-2.3.2.so
bash    1373 root    0u   CHR  136,0                2 /dev/pts/0
bash    1373 root    1u   CHR  136,0                2 /dev/pts/0
bash    1373 root    2u   CHR  136,0                2 /dev/pts/0
bash    1373 root  255u   CHR  136,0                2 /dev/pts/0

Running rkhunter (version 1.2.8), I see the following during the scan:

Suspicious file properties
    chmod properties
      Checking /bin/ps                                         [ Clean ]
      Checking /bin/ls                                         [ Clean ]
      Checking /usr/bin/w                                      [ Clean ]
      Checking /usr/bin/who                                    [ Clean ]
      Checking /bin/netstat                                    [ Clean ]
      Checking /bin/login                                      [ Clean ]
    Script replacements
      Checking /bin/ps/usr/local/bin/rkhunter: line 3463: file: command not found
                                          [ Clean ]
      Checking /bin/ls/usr/local/bin/rkhunter: line 3463: file: command not found
                                          [ Clean ]
      Checking /usr/bin/w/usr/local/bin/rkhunter: line 3463: file: command not found
                                       [ Clean ]
      Checking /usr/bin/who/usr/local/bin/rkhunter: line 3463: file: command not found
                                     [ Clean ]
      Checking /bin/netstat/usr/local/bin/rkhunter: line 3463: file: command not found
                                     [ Clean ]
      Checking /bin/login/usr/local/bin/rkhunter: line 3463: file: command not found
                                       [ Clean ]

..

* Filesystem checks
    Checking /dev for suspicious files... /usr/local/bin/rkhunter: line 1: file: command not found
                      [ OK ]
    Scanning for hidden files...                               [ OK ]

--

With the results showing:

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1

Scanning took 87 seconds

Vulnerable application is OpenSSL 0.9.7e, which I'll make a point of updating after this.

I'm therefore just after a bit of advice: does this funny process name point to a possible rootkit? It seems to be linked to a login process; however, I'm not that "great" with Linux security, it was just brought to my attention, so I thought that I would check with the list. The "command not found" part had me a bit confused, as I've not seen it before when scanning some other servers.

Any comments/help appreciated,

Cheers,
Chris
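
The following is an added example, not from this post or the rkhunter project: a small script for cross-checking a process whose name looks garbled in ps. ps prints argv[0], which a process may overwrite, while /proc/PID/comm and /proc/PID/exe are supplied by the kernel. It assumes Linux with /proc and coreutils readlink; SAMPLE_PS_NAME is the name exactly as it appeared in the ps output above.

```shell
#!/bin/sh
# Added example (not from the post or the rkhunter project): cross-check a
# process whose name looks garbled in ps. ps prints argv[0], which a process
# may overwrite, while /proc/PID/comm and /proc/PID/exe come from the kernel.
# Assumes Linux with /proc and coreutils readlink.
# The command name exactly as it appeared in the post's ps output.
SAMPLE_PS_NAME='?\? \??????????g???'
# Return 0 (true) if a ps command name is empty, contains non-printable
# bytes, or contains the '?' that ps substitutes for unprintable characters.
looks_suspicious() {
    name=$1
    [ -n "$name" ] || return 0
    rest=$(printf '%s' "$name" | tr -d '[:print:]')
    [ -z "$rest" ] || return 0
    case $name in
        *'?'*) return 0 ;;
    esac
    return 1
}
# Return 0 if the basename of argv[0] does not match the kernel's comm.
# A leading '-' (login shell, "-bash") is stripped; comm is at most 15 chars.
name_mismatch() {
    ps_name=${1%% *}
    ps_name=${ps_name##*/}
    ps_name=$(printf '%s' "${ps_name#-}" | cut -c1-15)
    [ "$ps_name" != "$2" ]
}
# Print the kernel's view of a PID: comm, exe target and NUL-separated argv.
proc_identity() {
    d=/proc/$1
    [ -d "$d" ] || { echo "no such pid: $1" >&2; return 1; }
    comm=$(cat "$d/comm" 2>/dev/null)
    exe=$(readlink "$d/exe" 2>/dev/null || echo '(unreadable)')
    argv=$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null)
    printf 'pid=%s comm=%s exe=%s argv=%s\n' "$1" "$comm" "$exe" "$argv"
    if [ -n "$argv" ] && name_mismatch "$argv" "$comm"; then
        echo "  note: argv[0] differs from comm; do not trust the ps name"
    fi
}
# rkhunter's "file: command not found" means file(1) is missing, so the
# script-replacement check that printed it could not inspect the binaries.
have_file_util() { command -v file >/dev/null 2>&1; }
main() {
    have_file_util || echo "warning: file(1) missing; rkhunter script checks did not run" >&2
    if looks_suspicious "$SAMPLE_PS_NAME"; then echo "sample ps name looks suspicious"; fi
    for pid in "$@"; do proc_identity "$pid"; done
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root with the PID from ps (here 1372 and 1373 were both shown, so check each) and compare exe and argv with what ps and lsof reported.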

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users