In-Reply-To: <CA+czFiBBiCkgMZRTZrUpDZAYru8U9RHGUPZ7jCSjJ-RUMYeoPg@mail.gmail.com>
References: <4E8DC2B6.1000105@nileshgr.com>
	<CA+czFiBBiCkgMZRTZrUpDZAYru8U9RHGUPZ7jCSjJ-RUMYeoPg@mail.gmail.com>
Date: Thu, 6 Oct 2011 11:12:03 -0400
Message-ID: <CA+czFiAuRvvQ1vSF9=J_+BYdL-qXidfMn3-VpjyPGF4zFLHNJA@mail.gmail.com>
Subject: Re: [gentoo-user] Rootkit?
From: Michael Mol <mikemol@gmail.com>
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8

On Thu, Oct 6, 2011 at 11:10 AM, Michael Mol <mikemol@gmail.com> wrote:
> On Thu, Oct 6, 2011 at 11:01 AM, Nilesh Govindarajan
> <contact@nileshgr.com> wrote:
>> One of the servers I manage has a strange problem.
>>
>> Every 24h, someone starts a process that shows up as perl in the list, but
>> the launching command is /usr/sbin/httpd.
>> It shows just one process, but when I run something like this:
>>
>> ps -C perl -o cmd,pid
>>
>> I get some 5-6 processes alternatively with cmd as /usr/sbin/httpd or
>> /usr/bin/perl.
>>
>> The even more interesting thing is, /usr/sbin/httpd does not exist.
>> I suspect a rootkit, but chkrootkit & rkhunter reported nothing.
>>
>> Also, I found a mysterious file: /tmp/ips.txt with following content:
>> xxx.xxx.xxx.xxx
>> 127.0.0.1
>> addr:xxx.xxx.xxx.xxx
>> addr:
>> addr:127.0.0.1
>> addr:
>>
>> Somebody is aware of a malware/rootkit which creates such files?
>
> No direct experience with Linux rootkits, but you might have better
> luck if you run a statically-linked copy of busybox that can talk to
> the kernel, rather than going through a potentially malicious libc.
>
> Is this a server running Gentoo or some other distro?

Mm. Something else. A process is allowed to modify its argv[0], which
changes what you see when you run commands like 'ps'. However, if you
take a look at what's in /proc for the PID in question, you might be
able to get a better idea of the file's origin.


-- 
:wq
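The /proc check suggested above, as an added example that is not part of the thread. It is Linux-only and assumes a `sleep` binary on PATH: the demo starts a harmless `sleep` while handing it the argv[0] `/usr/sbin/httpd` (Popen's `executable=` argument does exactly that), which is what a process that rewrote its own argv[0] looks like to `ps`, and then compares that self-description with what the kernel records in `/proc/<pid>/exe`, `comm` and `cwd`. The `pids_matching` helper is a rough stand-in for `ps -C name`; all names here are the example's own.

```python
"""Added example: checking a suspicious PID against /proc on Linux.

ps reads /proc/<pid>/cmdline, and argv[0] there is whatever the process
chose to write into its own argument vector. /proc/<pid>/exe, by contrast,
is a kernel-maintained link to the file that was actually executed.
"""
import os
import shutil
import subprocess


def proc_facts(pid: int) -> dict:
    """Collect the /proc view of one process: argv, comm, exe, cwd."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        # NUL-separated; a process may also have blanked this out entirely.
        argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    with open(f"{base}/comm") as f:
        # comm is the basename of the execve() path, truncated to 15 chars;
        # it can be rewritten with prctl(PR_SET_NAME), so it is a hint only.
        comm = f.read().strip()
    facts = {"pid": pid, "argv": argv, "comm": comm}
    for link in ("exe", "cwd"):
        try:
            facts[link] = os.readlink(f"{base}/{link}")
        except OSError as e:
            # Typically EACCES for another user's process when not root.
            facts[link] = f"<unreadable: {e.strerror}>"
    return facts


def findings(facts: dict) -> list:
    """Heuristics flagging a process whose self-description disagrees with the kernel."""
    out = []
    argv0 = facts["argv"][0] if facts["argv"] else ""
    exe = facts.get("exe", "")
    if not facts["argv"]:
        out.append("empty cmdline (normal for kernel threads, unusual for a user process)")
    if argv0.startswith("/") and exe.startswith("/") and argv0 != exe:
        # Legitimate mismatches exist (busybox applets, symlinked binaries),
        # so treat this as a lead to follow up, not a verdict.
        out.append(f"argv[0] {argv0!r} does not match exe {exe!r}")
    if argv0.startswith("/") and not os.path.exists(argv0):
        out.append(f"argv[0] {argv0!r} does not exist on disk")
    if exe.endswith(" (deleted)"):
        # The binary was unlinked after it started; /proc/<pid>/exe still
        # opens the inode, so the file can be copied out for analysis.
        out.append("executable was deleted after launch")
    return out


def pids_matching(name: str) -> list:
    """Rough equivalent of `ps -C name`: PIDs whose comm or argv[0] basename is name."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            f = proc_facts(int(entry))
        except OSError:
            continue  # process exited, or its /proc entry is unreadable
        argv0 = os.path.basename(f["argv"][0]) if f["argv"] else ""
        if f["comm"] == name or argv0 == name:
            hits.append(f["pid"])
    return hits


def demo_spoofed_argv0(fake_argv0: str = "/usr/sbin/httpd") -> dict:
    """Start a harmless `sleep` that announces itself as /usr/sbin/httpd, then inspect it.

    Popen's executable= runs one binary while passing a different argv[0],
    which is exactly what a process that rewrote its own argv[0] looks like.
    """
    real = shutil.which("sleep")
    child = subprocess.Popen([fake_argv0, "30"], executable=real)
    try:
        facts = proc_facts(child.pid)
        return {"facts": facts, "findings": findings(facts),
                "real_exe": os.path.realpath(real)}
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    result = demo_spoofed_argv0()
    for key, value in result["facts"].items():
        print(f"{key:5} {value}")
    for line in result["findings"]:
        print("!!", line)
```

Run it as root on the box in question and `/proc/<pid>/exe` will name the real binary even when `ps` reports `/usr/sbin/httpd`; if that link ends in `(deleted)`, the executable can still be read through the link and copied off for analysis.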