Mailing List Archive

Interesting incident involving Gentoo hardened linux
Hey guys,

Had an interesting moment today. Running a Gentoo Linux system on a Sun Fire
v120, uptime of about 13 days, around 10 or 12 active users at any time.

One of my users reported that he was logged in and unable to view his
processes. I was logged in as root and also was unable to view his active
processes. The PID of his shell was not listed in /proc, nor was the PID of
any processes owned by any subsequent user.

Took the system down to init 1 and checked it out for any signs of foul
play, found none. No anomalous behavior in the logs, nothing weird that
grsec reported. Nothing in the NIDS logs of the attached system...

At this point I'm thinking it's more of a strange sshd bug (it's tracking
~sparc) as I logged in from the root console and was granted a PID and
visibility in 'w' output as well as 'who' output.

But still... anyone else seen this behavior?

--Andrew Ruef

--
gentoo-sparc@gentoo.org mailing list
Re: Interesting incident involving Gentoo hardened linux
On Wed, 29 Jun 2005, Andrew Ruef wrote:
> Took the system down to init 1 and checked it out for any signs of foul
> play, found none. No anomalous behavior in the logs, nothing weird that
> grsec reported. Nothing in the NIDS logs of the attached system...

Did you do an MD5 comparison between the 'ps' command on your box and a
known good binary? That sounds like a trojaned ps binary or something
amiss in the kernel.

> But still... anyone else seen this behavior?

RE: Interesting incident involving Gentoo hardened linux
No... due to piss-poor administration and that it's a Gentoo box those MD5s
don't exist. Although the strange thing is, after sshd has been restarted
everything works fine...

I think I'm reaching for straws but it was as if sshd wasn't forking a bash
shell properly. Users could enter into their shell's entry in /proc, it just
wasn't being displayed in 'w' or 'ps'...

This just sounds bad the more I think about it.

I'm going to try and reproduce the bug, if it can be...

--Andrew Ruef

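Gary's suggestion of comparing `ps` against a known-good binary and Andrew's observation (shell entries present in /proc but absent from `ps` and `w`) both come down to the same defender's check: take independent views of the process table and look for disagreement. The script below is an added example, not code from this thread; it assumes a Linux host with procfs mounted and a procps-style `ps`, and every function name in it is my own.

```python
# Cross-check process visibility three ways: procfs listing, ps output, kill(pid, 0) probing.
import os
import subprocess

def procfs_ids(proc_root="/proc", include_threads=False):
    """IDs listed by procfs; thread IDs live under /proc/<pid>/task."""
    ids = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        ids.add(int(entry))
        if include_threads:
            try:
                ids.update(int(t) for t in os.listdir(f"{proc_root}/{entry}/task"))
            except OSError:  # process exited between the two listings
                pass
    return ids

def parse_ps_pids(text):
    """Parse `ps -eo pid=` output (one PID per line) into a set of ints."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def pids_from_ps():
    """PIDs as reported by the ps binary, the view a trojaned ps would filter."""
    return parse_ps_pids(subprocess.check_output(["ps", "-eo", "pid="], text=True))

def pids_by_probe(max_pid):
    """IDs answering kill(id, 0) (EPERM = exists, not ours); needs neither procfs nor ps."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            continue
    return alive

def hidden_pids(reference, reported):
    """IDs present in the reference view but missing from the reported view."""
    return sorted(set(reference) - set(reported))

if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    # Two samples; keep only IDs hidden in both, to drop tasks that started or exited between views.
    runs = [hidden_pids(pids_by_probe(pid_max), procfs_ids(include_threads=True)) for _ in range(2)]
    print("alive per kill(0) but absent from /proc:", sorted(set(runs[0]) & set(runs[1])))
    print("listed in /proc but absent from ps:", hidden_pids(procfs_ids(), pids_from_ps()))
```

Run it as root: with `hidepid` on /proc, or as an unprivileged user, other users' tasks are legitimately missing from the procfs view and would show up as false positives.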
RE: Interesting incident involving Gentoo hardened linux
Interestingly enough, there are entries in my syslog along the following:

sshd[253]: syslogin_perform_logout: logout() returned an error

There appears to be one of these for every logout action taken by a user...

This is strange. Could this maybe produce starvation of a resource
indicating when / which users are logged in if it creates a host of undead
not-quite-logged-in users?

(really sounds like I'm grasping for straws. Sigh)

--Andrew Ruef
