Possible root kit. any ideas?

dsieme01
Posts: 15
Joined: 2011/02/15 17:31:58

Possible root kit. any ideas?

Post by dsieme01 » 2011/10/24 16:38:56

I have a server that was reported to be rebooting every 2 hours. The /var/log/messages doesn't show anything of significance, just the usual dhcp client messages and stuff.

I did a:

root@localhost:/ari/backups> rpm -Va
prelink: /usr/bin/pstree: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/pstree
prelink: /usr/bin/pstree.x11: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/pstree.x11
prelink: /usr/bin/slabtop: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/slabtop
prelink: /usr/bin/top: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/top
prelink: /usr/bin/watch: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/watch
S.5....T c /etc/selinux/targeted/booleans
S.5....T c /etc/pam_smb.conf
prelink: /usr/bin/nano: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/nano
prelink: /usr/bin/pinfo: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/pinfo
prelink: /usr/sbin/iptstate: at least one of file's dependencies has changed since prelinking
S.?..... /usr/sbin/iptstate
S.?..... /usr/bin/kfind
S.?..... /usr/lib/kconf_update_bin/khotkeys_update


Wasn't there some rootkit that modified the ps command a while back?


I know that the S means the size changed, which is a potential. Right now I'm focused on having the client verify hardware, as it's a potential that a 3-year-old server could have some weird issue with power supplies or bad caps. The box is located in Saudi and I can't drive over to have a look in person; the internet is a crap connection.

The fact that the /usr/bin/top is changed is very suspect.
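An added example (not from the original post, and not part of rpm or CentOS) that parses rpm -Va output like the listing above and sorts each entry into a triage bucket: config files (the c column) that were edited locally, files whose digest rpm could not check because prelink failed (the "?" in the md5 column), and non-config files whose digest really differs. The sample input is constructed to mirror the lines quoted in the post.

```python
import re

# Constructed sample modelled on the rpm -Va output quoted above (not the poster's full listing).
SAMPLE = """\
prelink: /usr/bin/top: at least one of file's dependencies has changed since prelinking
S.?..... /usr/bin/top
S.5....T c /etc/selinux/targeted/booleans
S.5....T   /usr/bin/kfind
missing   /usr/lib/libexample.so
"""

# Meaning of each position in rpm -V's 8-character attribute field (CentOS 4 era, no 'P' column).
FLAG_NAMES = "size mode md5 device link user group mtime".split()
LINE_RE = re.compile(r"^([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(/\S+)$")

def triage_rpm_verify(text):
    """Return {path: verdict} for every file rpm -Va reported as differing from its package.
    Verdicts are a triage heuristic, not proof: 'unverifiable' means rpm could not run the
    check (here because prelink failed), so the file still has to be compared with a clean copy."""
    prelink_warned = set()
    verdicts = {}
    for line in text.splitlines():
        if line.startswith("prelink: "):
            prelink_warned.add(line.split(": ", 2)[1])   # path named in the prelink warning
            continue
        if line.startswith("missing"):
            verdicts[line.split()[-1]] = "missing: packaged file is gone"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs, ftype, path = m.groups()
        failed = {n for n, ch in zip(FLAG_NAMES, attrs) if ch not in ".?"}
        unknown = {n for n, ch in zip(FLAG_NAMES, attrs) if ch == "?"}
        if ftype == "c":
            verdicts[path] = "config file edited locally (normal for c files): " + ",".join(sorted(failed))
        elif "md5" in unknown and path in prelink_warned:
            verdicts[path] = "unverifiable: prelink failed so digest was not checked; compare with clean rpm"
        elif "md5" in failed:
            verdicts[path] = "CONTENT CHANGED: non-config file digest mismatch; investigate"
        elif failed:
            verdicts[path] = "metadata only: " + ",".join(sorted(failed))
        else:
            verdicts[path] = "unverifiable: " + ",".join(sorted(unknown))
    return verdicts

if __name__ == "__main__":
    for path, verdict in triage_rpm_verify(SAMPLE).items():
        print(f"{path}: {verdict}")
```

Files in the "unverifiable" bucket are the ones rpm's own database cannot vouch for, so the practical next step is to check them against a freshly downloaded copy of the same package (rpm -Vp on the .rpm, or extract it with rpm2cpio and compare digests) rather than trusting the local rpm database, which a compromised host could also have altered.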

foxb
Posts: 1927
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Possible root kit. any ideas?

Post by foxb » 2011/10/24 17:01:05

Reading of interest:
http://wiki.centos.org/HowTos/Security?highlight=%28security%29

You can also try running
http://www.chkrootkit.org/
and
http://www.rootkit.nl/projects/rootkit_hunter.html

But it is totally possible that your FS is simply corrupted.
