Warning: Possible LKM Trojan installed

scup

Hello everyone,

I ran chkrootkit again after a long time and got the error message mentioned in the subject :(

I'm currently running FreeBSD 5.2.1

How can I get chkrootkit to eliminate this trojan?

Has any of you ever had this trojan on your system?
 
I consider that extremely unlikely.
Please paste the output of the following commands:

kldstat
ps axu
netstat -an |grep LIST
cd /; find . |grep "\.\."
cd /usr/ports/sysutils/lsof; make install clean; lsof -i
last

Then run an nmap against the machine from outside:
nmap -p1-60000 <IP>

and examine /var/log/messages (and all.log(?)) for anything unusual.

This procedure has so far been extremely helpful with Red Hats :-) . They certainly need it!
 
Hello again,

kldstat=

Id Refs Address Size Name
1 3 0xc0400000 5e1738 kernel
2 1 0xc09e2000 51a18 acpi.ko


ps axu=

USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 98.7 0.0 0 12 ?? RL Thu10AM 1545:22.92 (idle: cpu0)
root 10 0.0 0.0 0 12 ?? DL Thu10AM 0:00.00 (ktrace)
root 1 0.0 0.0 760 288 ?? ILs Thu10AM 0:00.12 /sbin/init --
root 13 0.0 0.0 0 12 ?? WL Thu10AM 0:00.03 (irq1: atkbd0)
root 17 0.0 0.0 0 12 ?? WL Thu10AM 0:00.00 (irq6: fdc0)
root 18 0.0 0.0 0 12 ?? WL Thu10AM 0:00.00 (irq7: ppc0)
root 22 0.0 0.0 0 12 ?? WL Thu10AM 0:24.44 (irq11: rl0)
root 23 0.0 0.0 0 12 ?? WL Thu10AM 0:00.09 (irq12: psm0)
root 25 0.0 0.0 0 12 ?? WL Thu10AM 0:04.11 (irq14: ata0)
root 26 0.0 0.0 0 12 ?? WL Thu10AM 0:00.00 (irq15: ata1)
root 27 0.0 0.0 0 12 ?? RL Thu10AM 4:20.80 (swi8: tty:sio
root 29 0.0 0.0 0 12 ?? WL Thu10AM 0:24.49 (swi1: net)
root 2 0.0 0.0 0 12 ?? DL Thu10AM 0:14.89 (g_event)
root 3 0.0 0.0 0 12 ?? DL Thu10AM 0:26.92 (g_up)
root 4 0.0 0.0 0 12 ?? DL Thu10AM 0:21.68 (g_down)
root 30 0.0 0.0 0 12 ?? DL Thu10AM 0:20.67 (random)
root 31 0.0 0.0 0 12 ?? WL Thu10AM 0:00.00 (swi7: task qu
root 5 0.0 0.0 0 12 ?? DL Thu10AM 0:00.00 (taskqueue)
root 34 0.0 0.0 0 12 ?? WL Thu10AM 0:00.00 (swi7: acpitas
root 6 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (acpi_task0)
root 7 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (acpi_task1)
root 8 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (acpi_task2)
root 37 0.0 0.0 0 12 ?? DL Thu10AM 0:00.02 (usb0)
root 38 0.0 0.0 0 12 ?? DL Thu10AM 0:00.00 (usbtask)
root 9 0.0 0.0 0 12 ?? DL Thu10AM 0:00.40 (pagedaemon)
root 40 0.0 0.0 0 12 ?? DL Thu10AM 0:00.00 (vmdaemon)
root 41 0.0 0.0 0 12 ?? DL Thu10AM 0:57.74 (pagezero)
root 42 0.0 0.0 0 12 ?? DL Thu10AM 0:01.98 (bufdaemon)
root 43 0.0 0.0 0 12 ?? DL Thu10AM 0:01.47 (vnlru)
root 44 0.0 0.0 0 12 ?? DL Thu10AM 3:22.80 (syncer)
root 45 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (nfsiod 0)
root 46 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (nfsiod 1)
root 47 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (nfsiod 2)
root 48 0.0 0.0 0 12 ?? IL Thu10AM 0:00.00 (nfsiod 3)
root 162 0.0 0.1 1180 572 ?? Is Thu10AM 0:00.00 adjkerntz -i
root 216 0.0 0.2 1812 1028 ?? Ss Thu10AM 0:04.50 /sbin/dhclient
root 275 0.0 0.1 1308 792 ?? Ss Thu10AM 0:00.69 /usr/sbin/syslo
root 375 0.0 0.1 1236 680 ?? Ss Thu10AM 0:00.36 /usr/sbin/usbd
root 391 0.0 0.8 7044 5184 ?? Ss Thu10AM 0:04.35 /usr/bin/perl /
root 393 0.0 0.8 6692 4968 ?? Ss Thu10AM 0:04.13 /usr/bin/perl /
root 427 0.0 0.3 3492 1812 ?? Is Thu10AM 0:04.91 /usr/sbin/sshd
root 432 0.0 0.3 3516 2088 ?? Ss Thu10AM 0:07.12 sendmail: accep
smmsp 435 0.0 0.3 3412 1960 ?? Is Thu10AM 0:00.18 sendmail: Queue
root 449 0.0 0.1 1352 948 ?? Is Thu10AM 0:01.20 /usr/sbin/cron
root 468 0.0 0.9 11612 5580 ?? Ss Thu10AM 0:10.32 /usr/local/sbin
root 472 0.0 0.1 924 348 con- I+ Thu10AM 0:00.03 /bin/sh /usr/lo
root 510 0.0 0.1 1228 636 ?? Is Thu10AM 0:00.19 /usr/sbin/mouse
mysql 513 0.0 3.4 46932 22196 con- S+ Thu10AM 24:35.69 /usr/local/libe
root 539 0.0 0.2 1660 1272 v0 Is Thu10AM 0:00.11 login [pam] (lo
root 541 0.0 0.1 1276 816 v2 Is+ Thu10AM 0:00.01 /usr/libexec/ge
root 542 0.0 0.1 1276 816 v3 Is+ Thu10AM 0:00.01 /usr/libexec/ge
root 543 0.0 0.1 1276 816 v4 Is+ Thu10AM 0:00.01 /usr/libexec/ge
root 544 0.0 0.1 1276 816 v5 Is+ Thu10AM 0:00.01 /usr/libexec/ge
root 545 0.0 0.1 1276 816 v6 Is+ Thu10AM 0:00.01 /usr/libexec/ge
root 546 0.0 0.1 1276 816 v7 Is+ Thu10AM 0:00.01 /usr/libexec/ge
specimen 600 0.0 0.4 3196 2640 ?? S Thu10AM 0:40.83 ./eggdrop eggdr
nobody 621 0.0 0.2 1932 1276 ?? Is Thu10AM 0:02.49 proftpd: (accep
root 682 0.0 0.2 2316 1600 v0 I+ Thu10AM 0:00.08 -csh (csh)
www 44139 0.0 1.8 17920 11372 ?? S 10:14AM 1:06.00 /usr/local/sbin
www 44169 0.0 2.2 20044 14296 ?? S 10:17AM 0:20.31 /usr/local/sbin
www 44436 0.0 1.3 14216 8632 ?? S 12:01PM 0:20.66 /usr/local/sbin
www 44695 0.0 1.5 15892 9900 ?? S 2:41PM 0:07.65 /usr/local/sbin
root 44934 0.0 0.1 1276 908 v1 Is+ 2:53PM 0:00.01 /usr/libexec/ge
www 46398 0.0 1.4 14424 8788 ?? S 6:44PM 0:12.44 /usr/local/sbin
www 46403 0.0 1.6 15612 10108 ?? S 6:44PM 0:57.45 /usr/local/sbin
www 46423 0.0 0.9 11660 5668 ?? S 6:53PM 0:00.19 /usr/local/sbin
www 46475 0.0 1.3 14208 8444 ?? S 7:04PM 0:01.00 /usr/local/sbin
www 46508 0.0 0.9 11668 5672 ?? S 7:20PM 0:00.14 /usr/local/sbin
www 46510 0.0 0.9 11660 5668 ?? S 7:20PM 0:00.15 /usr/local/sbin
root 46688 0.0 0.4 6244 2316 ?? Ss 9:48PM 0:00.12 sshd: root@ttyp
root 46690 0.0 0.3 2316 1732 p0 Ss 9:48PM 0:00.08 -csh (csh)
root 0 0.0 0.0 0 4 ?? DLs Thu10AM 0:00.33 (swapper)
root 46697 0.0 0.1 1396 880 p0 R+ 9:49PM 0:00.00 ps axu

netstat -an |grep LIST=

tcp4 0 0 *.21 *.* LISTEN
tcp4 0 0 *.3333 *.* LISTEN
tcp4 0 0 *.3306 *.* LISTEN
tcp46 0 0 *.80 *.* LISTEN
tcp4 0 0 *.587 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 *.20000 *.* LISTEN
tcp4 0 0 *.10000 *.* LISTEN

cd /; find . |grep "\.\." =

./usr/local/lib/webmin/dnsadmin/help/intro..zh_TW.Big5.html
./usr/local/lib/webmin-1.090/dnsadmin/help/intro..zh_TW.Big5.html
./usr/local/lib/webmin-1.110/dnsadmin/help/intro..zh_TW.Big5.html
./usr/ports/devel/nspr/files/patch-..::config::FreeBSD.mk
./usr/ports/devel/nspr/files/patch-..::config::autoconf.mk.in
./usr/ports/devel/nspr/files/patch-..::configure
./usr/ports/devel/nspr/files/patch-..::pr::include::md::_freebsd.cfg
./usr/ports/devel/nspr/files/patch-..::pr::include::md::_freebsd.h
./usr/ports/devel/nspr/files/patch-..::pr::src::pthreads::ptio.c
./usr/ports/devel/nspr/files/patch-..::pr::src::io::prprf.c
./usr/ports/devel/mpatrol/files/patch-..::..::src::symbol.c
./usr/ports/devel/mpatrol/files/patch-..::..::tools::dbmalloc.c
./usr/ports/editors/AbiWord2/files/patch-..::wv::magick::Makefile.in
./usr/ports/graphics/gimp1/files/patch-..::mpeg_lib-1.3.1::Makefile.in
./usr/ports/graphics/gimp1/files/patch-..::mpeg_lib-1.3.1::video.c
./usr/ports/lang/rscheme/files/patch-..::Makefile
./usr/ports/lang/rscheme/files/patch-..::handc::rshell::Makefile
./usr/ports/lang/rscheme/files/patch-..::handc::rshell::shell.c
./usr/ports/lang/rscheme/files/patch-..::modules::corelib::corelib.mcf
./usr/ports/lang/rscheme/files/patch-..::stage0::configure
./usr/ports/lang/rscheme/files/patch-..::stage0::corelib::string.c
./usr/ports/mail/evolution/files/patch-..::db-3.1.17::dist::Makefile.in
./usr/ports/mail/evolution/files/patch-..::db-3.1.17::dist::ltmain.sh
./usr/ports/mail/exim-old/files/patch-..::exim-texinfo-3.30::doc::spec.texinfo
./usr/ports/security/nss/files/patch-..::coreconf::FreeBSD.mk
./usr/ports/security/nss/files/patch-..::coreconf::command.mk
./usr/ports/security/nss/files/patch-..::coreconf::rules.mk
./usr/compat/linux/usr/share/man/man1/..1.gz
./usr/www/specimen.shacknet.nu/htdocs/wb/4images/data/media/200/Je_spter_der_Abend_desto........jpg
./usr/www/specimen.shacknet.nu/htdocs/wb/4images/data/media/203/zu_zweit....jpg
./usr/www/specimen.shacknet.nu/htdocs/wb/4images/data/thumbnails/200/Je_spter_der_Abend_desto........jpg
./usr/www/specimen.shacknet.nu/htdocs/wb/4images/data/thumbnails/203/zu_zweit....jpg

cd /usr/ports/sysutils/lsof; make install clean; lsof -i =

cd /usr/ports/sysutils/lsof; make install clean; lsof -i
===> Vulnerability check disabled
>> lsof_4.70.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/.
Receiving lsof_4.70.tar.bz2 (693981 bytes): 100%
693981 bytes transferred in 8.6 seconds (78.75 kBps)
===> Extracting for lsof-4.70
>> Checksum OK for lsof_4.70.tar.bz2.

This configuration step (the Inventory script) takes inventory of
the lsof distribution. The script runs for a minute or two while
it checks that all the subdirectories, information files, scripts,
header files and source files that should be present really are.

It's not absolutely necessary that you take inventory, but it's a
good idea to do it right after the lsof distribution has been
unpacked. Once the inventory has been taken, this script creates
the file ./.ck00MAN as a signal that the inventory step has been
done.

You can call the Inventory script directly at any time to take
inventory. You can inhibit the inventory step permanently by
creating the file ./.neverInv, and you can tell the Configure script
to skip the inventory and customization steps with the -n option.

Do you want to take inventory (y|n) [y]?
Conducting an inventory of the lsof distribution; this will take a while.

Examining /usr/ports/sysutils/lsof/work/lsof_4.70/lsof_4.70_src: OK
Examining .: OK
Examining ./dialects: OK
Examining ./dialects/aix: OK
Examining ./dialects/aix/aix5: OK
Examining ./dialects/aix/aix5/j2: OK
Examining ./dialects/bsdi: OK
Examining ./dialects/darwin: OK
Examining ./dialects/du: OK
Examining ./dialects/freebsd: OK
Examining ./dialects/freebsd/include: OK
Examining ./dialects/freebsd/include/procfs: OK
Examining ./dialects/hpux: OK
Examining ./dialects/hpux/kmem: OK
Examining ./dialects/hpux/kmem/hpux11: OK
Examining ./dialects/hpux/pstat: OK
Examining ./dialects/linux: OK
Examining ./dialects/n+obsd: OK
Examining ./dialects/n+os: OK
Examining ./dialects/osr: OK
Examining ./dialects/osr/include: OK
Examining ./dialects/osr/include/sys: OK
Examining ./dialects/ou: OK
Examining ./dialects/ou/ou8: OK
Examining ./dialects/ou/ou8/sys: OK
Examining ./dialects/ou/ou8/sys/fs: OK
Examining ./dialects/ou/ou8/vm: OK
Examining ./dialects/sun: OK
Examining ./dialects/sun/include: OK
Examining ./dialects/sun/include/sys: OK
Examining ./dialects/uw: OK
Examining ./dialects/uw/uw21: OK
Examining ./dialects/uw/uw21/fs: OK
Examining ./dialects/uw/uw21/fs/proc: OK
Examining ./dialects/uw/uw21/fs/procfs: OK
Examining ./dialects/uw/uw21/sys: OK
Examining ./dialects/uw/uw21/sys/fs: OK
Examining ./dialects/uw/uw21/vm: OK
Examining ./dialects/uw/uw7: OK
Examining ./dialects/uw/uw7/fs: OK
Examining ./dialects/uw/uw7/fs/nsc_cfs: OK
Examining ./dialects/uw/uw7/fs/procfs: OK
Examining ./dialects/uw/uw7/sys: OK
Examining ./dialects/uw/uw7/sys/fs: OK
Examining ./dialects/uw/uw7/vm: OK
Examining ./lib: OK
Examining ./scripts: OK
Examining ./tests: OK

This lsof distribution seems to be complete.

===> Patching for lsof-4.70
===> Applying FreeBSD patches for lsof-4.70
===> Configuring for lsof-4.70
rm -f ddev.c dfile.c dlsof.h dmnt.c dnode*.c dproc.c dproto.h dsock.c dstore.c kernelbase.h machine.h machine.h.old new_machine.h __lseek.s Makefile ./tests/config.cflags
rm -f ./tests/config.cc ./tests/config.xobj ./tests/config.ldflags
ln -s dialects/freebsd/dlsof.h dlsof.h
ln -s dialects/freebsd/dmnt.c dmnt.c
ln -s dialects/freebsd/dnode.c dnode.c
ln -s dialects/freebsd/dnode1.c dnode1.c
ln -s dialects/freebsd/dproc.c dproc.c
ln -s dialects/freebsd/dproto.h dproto.h
ln -s dialects/freebsd/dsock.c dsock.c
ln -s dialects/freebsd/dstore.c dstore.c
ln -s dialects/freebsd/machine.h machine.h
Makefile and lib/Makefile created.
./tests/config.cc created
./tests/config.cflags created
./tests/config.ldflags created
./tests/config.xobj created
===> Building for lsof-4.70
(cd lib; make DEBUG="-O" CFGF="-pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR=\"5.2.1-RC2\"")
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c ckkv.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c cvfs.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c dvch.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c fino.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c isfn.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c lkud.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c pdvn.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c prfp.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c ptti.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c rdev.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c regex.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c rmnt.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c rnam.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c rnch.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c rnmh.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR="5.2.1-RC2" -I/usr/src/sys -O -c snpf.c
ar cr liblsof.a ckkv.o cvfs.o dvch.o fino.o isfn.o lkud.o pdvn.o prfp.o ptti.o rdev.o regex.o rmnt.o rnam.o rnch.o rnmh.o snpf.o
ranlib liblsof.a
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR=\"5.2.1-RC2\" -I/usr/src/sys -O -c dmnt.c
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR=\"5.2.1-RC2\" -I/usr/src/sys -O -c dnode.c
dnode.c: In function `process_node':
dnode.c:583: error: `pn' undeclared (first use in this function)
dnode.c:583: error: (Each undeclared identifier is reported only once
dnode.c:583: error: for each function it appears in.)
dnode.c:589: error: `pnp' undeclared (first use in this function)
*** Error code 1

Stop in /usr/ports/sysutils/lsof/work/lsof_4.70/lsof_4.70_src.
*** Error code 1

Stop in /usr/ports/sysutils/lsof.
lsof: Command not found.
/usr/ports/sysutils/lsof%cd /usr/ports/sysutils/lsof; make install clean; lsof -i
===> Building for lsof-4.70
(cd lib; make DEBUG="-O" CFGF="-pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR=\"5.2.1-RC2\"")
cc -pipe -mcpu=pentiumpro -mcpu=pentiumpro -DFREEBSDV=520 -DHASFDESCFS=2 -DHASNULLFS -DHASIPv6 -DLSOF_VSTR=\"5.2.1-RC2\" -I/usr/src/sys -O -c dnode.c
dnode.c: In function `process_node':
dnode.c:583: error: `pn' undeclared (first use in this function)
dnode.c:583: error: (Each undeclared identifier is reported only once
dnode.c:583: error: for each function it appears in.)
dnode.c:589: error: `pnp' undeclared (first use in this function)
*** Error code 1

Stop in /usr/ports/sysutils/lsof/work/lsof_4.70/lsof_4.70_src.
*** Error code 1

Stop in /usr/ports/sysutils/lsof.
lsof: Command not found.


That was it, after that the installation was aborted.

As the link from Lars seems to suggest, there could also be a bug in chkrootkit.............
 
If the 3 mysterious processes on the TCP ports are knowingly yours

tcp4 0 0 *.3333 *.* LISTEN
tcp4 0 0 *.20000 *.* LISTEN
tcp4 0 0 *.10000 *.* LISTEN

and you run an eggdrop yourself, then everything seems to be OK.
By the way, an "lsof" would also nicely show all open files.
 
Hello again,

yes, now that you mention it...............right, that's Usermin, Webmin and good old Eggdrop :rolleyes:

So that's OK then

Why installing the program failed does puzzle me, though :confused:
 
lsof now and then fails to compile, since it works quite close to the system and is not updated constantly.
fstat serves roughly the same purpose and is part of the base system.
 
Hi,

now I tried it again directly on the machine itself, i.e. without putty, and the installation went through without a hitch :)

The result of lsof -i is as follows:

freebsd# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 216 root 4u IPv4 0xc56b2654 0t0 UDP *:bootpc
syslogd 275 root 4u IPv6 0xc56b2438 0t0 UDP *:syslog
syslogd 275 root 5u IPv4 0xc56b24ec 0t0 UDP *:syslog
perl 391 root 4u IPv4 0xc5705000 0t0 TCP *:10000 (LISTEN)
perl 391 root 5u IPv4 0xc56b2708 0t0 UDP *:10000
perl 393 root 3u IPv4 0xc5704e60 0t0 TCP *:20000 (LISTEN)
perl 393 root 4u IPv4 0xc56b27bc 0t0 UDP *:20000
sshd 427 root 3u IPv6 0xc5704cf0 0t0 TCP *:ssh
sshd 427 root 4u IPv4 0xc5704b80 0t0 TCP *:ssh (LISTEN)
sendmail 432 root 4u IPv4 0xc5704730 0t0 TCP *:smtp (LISTEN)
sendmail 432 root 5u IPv4 0xc57045c0 0t0 TCP *:submission (LISTEN)
httpd 468 root 3u IPv6 0xc57042e0 0t0 TCP *:http
mysqld 508 mysql 5u IPv4 0xc5704000 0t0 TCP *:3306 (LISTEN)
httpd 547 www 3u IPv6 0xc57042e0 0t0 TCP *:http
httpd 548 www 3u IPv6 0xc57042e0 0t0 TCP *:http
httpd 549 www 3u IPv6 0xc57042e0 0t0 TCP *:http
httpd 550 www 3u IPv6 0xc57042e0 0t0 TCP *:http
httpd 551 www 3u IPv6 0xc57042e0 0t0 TCP *:http
httpd 552 www 3u IPv6 0xc57042e0 0t0 TCP *:http
httpd 566 www 3u IPv6 0xc57042e0 0t0 TCP *:http
sshd 16557 root 5u IPv4 0xc5704450 0t0 TCP freebsd:ssh->192.168.0
.2:1743 (ESTABLISHED)

Oh, and

here once more the complete checklist from chkrootkit, where "date" has supposedly already been infected !!!

ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... INFECTED
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not found
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 14 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... rl0 is not promisc
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
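Added example (not from the thread, chkrootkit or lsof): a small Python script that does the cross-check the thread performs by hand, matching the LISTEN ports from `netstat -an` against the socket owners reported by `lsof -i`, and listing ports for which lsof shows no owning process (in the output posted above, 21 and 3333 have none and had to be explained from memory). The sample inputs are constructed from the outputs posted in this thread; the service-name fallback table is an assumption for hosts without /etc/services.

```python
"""Cross-check netstat LISTEN ports against lsof -i socket owners."""
import re
import socket

# Constructed sample input, modelled on the netstat output posted in the thread.
NETSTAT_LISTEN = """\
tcp4 0 0 *.21 *.* LISTEN
tcp4 0 0 *.3333 *.* LISTEN
tcp4 0 0 *.3306 *.* LISTEN
tcp46 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.20000 *.* LISTEN
tcp4 0 0 *.10000 *.* LISTEN
"""

# Constructed sample input, modelled on the lsof -i output posted in the thread
# (note: no line for port 21 or 3333, just like the original output).
LSOF_I = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 391 root 4u IPv4 0xc5705000 0t0 TCP *:10000 (LISTEN)
perl 393 root 3u IPv4 0xc5704e60 0t0 TCP *:20000 (LISTEN)
sshd 427 root 4u IPv4 0xc5704b80 0t0 TCP *:ssh (LISTEN)
mysqld 508 mysql 5u IPv4 0xc5704000 0t0 TCP *:3306 (LISTEN)
httpd 468 root 3u IPv6 0xc57042e0 0t0 TCP *:http
sshd 16557 root 5u IPv4 0xc5704450 0t0 TCP freebsd:ssh->192.168.0.2:1743 (ESTABLISHED)
"""

# Assumed fallback for service names lsof prints when /etc/services is missing.
FALLBACK_SERVICES = {"ssh": 22, "http": 80, "smtp": 25, "submission": 587, "ftp": 21}

# command, pid, user ... TCP <addr>:<port-or-service> [(LISTEN)]
# The address part excludes '>' so connected sockets (a->b) never match.
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*\sTCP\s+([^\s>]+):(\S+?)(?:\s+\(LISTEN\))?$")


def service_to_port(name):
    """Translate an lsof service name (or a numeric string) to a port number."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return FALLBACK_SERVICES.get(name)


def parse_netstat_listen(text):
    """Return the set of TCP ports in LISTEN state from netstat -an lines."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ports.add(int(f[3].rsplit(".", 1)[1]))  # local addr is *.22 / 1.2.3.4.22
    return ports


def parse_lsof_listeners(text):
    """Map port -> (command, pid, user) for listening TCP sockets in lsof -i output."""
    owners = {}
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if m and (port := service_to_port(m.group(5))) is not None:
            owners[port] = (m.group(1), int(m.group(2)), m.group(3))
    return owners


def cross_check(netstat_text, lsof_text):
    """Return (attributed, unattributed): ports with an lsof owner, and those without."""
    listen = parse_netstat_listen(netstat_text)
    owners = parse_lsof_listeners(lsof_text)
    attributed = {p: owners[p] for p in sorted(listen) if p in owners}
    unattributed = sorted(p for p in listen if p not in owners)
    return attributed, unattributed


if __name__ == "__main__":
    known, unknown = cross_check(NETSTAT_LISTEN, LSOF_I)
    for port, (cmd, pid, user) in known.items():
        print(f"port {port:>5}: {cmd} (pid {pid}, user {user})")
    print("no lsof owner, check by hand:", unknown)
```

On a live host, feed it the real outputs (`netstat -an | grep LISTEN` and `lsof -i` or, on FreeBSD, `sockstat -l`) instead of the constructed samples; every port in the unattributed list deserves a manual explanation like the one given in the thread for Webmin, Usermin and eggdrop.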
 