initsys process / rootkit? trojan?
Does someone know what this 'initsys' process is good for? I've never seen it on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys.

thanks in advance
Robert

USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root         1  0.2  0.0  448   64 ?   S    01:05 0:07 init [5]
root         2  0.0  0.0    0    0 ?   SW   01:05 0:00 [keventd]
root         3  0.0  0.0    0    0 ?   SW   01:05 0:00 [kapmd]
root         4  0.0  0.0    0    0 ?   SWN  01:05 0:00 [ksoftirqd_CPU0]
root         5  0.0  0.0    0    0 ?   SW   01:05 0:00 [kswapd]
root         6  0.0  0.0    0    0 ?   SW   01:05 0:00 [bdflush]
root         7  0.0  0.0    0    0 ?   SW   01:05 0:00 [kupdated]
root        10  0.0  0.0    0    0 ?   SW<  01:05 0:00 [mdrecoveryd]
root        14  0.0  0.0    0    0 ?   DW   01:05 0:00 [hpt_wt]
root        15  0.0  0.0    0    0 ?   SW   01:05 0:00 [kreiserfsd]
root        23  0.0  0.2 1312  332 ?   S    01:05 0:00 initsys
root       256  0.0  0.5 1840  640 ?   S    01:05 0:00 /usr/sbin/apmd
root       410  0.0  0.5 1408  640 ?   S    01:05 0:00 /sbin/syslogd
root       413  0.0  0.8 1904 1116 ?   S    01:05 0:00 /sbin/klogd -c 1
root       449  0.0  0.0    0    0 ?   SW   01:05 0:00 [khubd]
bin        693  0.0  0.3 1344  404 ?   S    01:05 0:00 /sbin/portmap
.....
Hi,

try

lsof | egrep 'initsys|<PID OF initsys>'

That'll give you an idea of what it is doing.

Regards
Dan

On Monday, 2 June 2003 02:56, Robert Schelander wrote:
Does someone know what this 'initsys' process is good for? I've never seen it on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys.

thanks in advance
Robert
-- buddha 2.4.20-4GB 9:37am up 5 days 21:01, 4 users,
Robert, rpm -qf /usr/bin/initsys may tell you something. If the file was not installed by any package you should be very suspicious. If it *was* installed by a package then check where it came from, e.g. rpm -qi packagename Bob On Mon, 2 Jun 2003, Robert Schelander wrote:
Does someone know what this 'initsys' process is good for? I've never seen it on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys.

thanks in advance
Robert
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
Hi there!

From my own experience, I guess that initsys is part of a rootkit.

I've had a lot of trouble with my SuSE-7.3 server because of a rootkit (or something similar); obviously it's a Samba worm, which also manipulates the smb.conf file in /etc. Check the modification time/date of initsys. Also in /usr/bin there might be a file updatefs with the same time/date. On my system the login command and the ps command were also changed...

Regards,
Wolfgang Eul

On Mon, 2 Jun 2003, Robert Schelander wrote:
Does someone know what this 'initsys' process is good for? I've never seen it on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys.

thanks in advance
Robert
Bob Vickers wrote:
Robert,
rpm -qf /usr/bin/initsys may tell you something. If the file was not installed by any package you should be very suspicious. If it *was* installed by a package then check where it came from, e.g. rpm -qi packagename
According to the ARCHIVES, initsys is not part of any SuSE package. So it must come from somewhere else (but it can still be installed via RPM).

HTH,
Sven
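Bob's rpm -qf check, Sven's note that no SuSE package ships initsys, and Wolfgang's tip to look for files that share the binary's timestamp are all the same question: does this file belong, and what arrived with it. On a box where ps and login have already been replaced, the rpm binary and the RPM database are no more trustworthy than ps, so the added example below (written for this page; it is not code from the thread and not a SuSE or RPM tool) answers the question against a SHA-256 manifest taken earlier from a known-good install, and lists the neighbours of a suspect file by mtime. The directory, the file names and their contents in demo() are constructed for the example; the function and file names initsys and updatefs are taken from the thread.

```python
"""File-integrity baseline and timestamp clustering (added example, not
code from the thread or from any SuSE tool).

A manifest of SHA-256 digests is built from a trusted tree (a clean
install, or this host at install time) and later compared with the live
tree; separately, every file in a suspect's directory whose mtime sits
within a window of the suspect's is listed, which is how a companion file
dropped by the same installer shows up.
"""
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file below `root`."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifest(baseline, current):
    """Classify differences between a trusted baseline and the live tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def mtime_neighbours(suspect, window=60, field="st_mtime"):
    """Files next to `suspect` whose timestamp is within `window` seconds.

    mtime is trivial to forge (touch -r); st_ctime cannot be set from
    user space without moving the clock, so pass field="st_ctime" as a
    second, harder-to-fake view of the same cluster.
    """
    ref = getattr(os.stat(suspect), field)
    directory = os.path.dirname(suspect) or "."
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if full == suspect or not os.path.isfile(full):
            continue
        if abs(getattr(os.stat(full), field) - ref) <= window:
            hits.append(name)
    return hits


def demo():
    """Constructed scenario: baseline a fake /usr/bin, then 'compromise' it."""
    root = tempfile.mkdtemp(prefix="usrbin-")
    try:
        old = time.time() - 86400 * 30  # clean files are a month old
        for name, body in (("ps", b"ps v1"), ("login", b"login v1"), ("ls", b"ls v1")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
            os.utime(os.path.join(root, name), (old, old))
        baseline = build_manifest(root)

        # Simulated rootkit install: trojaned ps and login plus two new files.
        now = time.time()
        for name, body in (("ps", b"ps trojan"), ("login", b"login trojan"),
                           ("initsys", b"backdoor"), ("updatefs", b"helper")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
            os.utime(os.path.join(root, name), (now, now))

        diff = compare_manifest(baseline, build_manifest(root))
        neighbours = mtime_neighbours(os.path.join(root, "initsys"))
        return diff, neighbours
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    diff, neighbours = demo()
    print("diff:", diff)
    print("same-mtime neighbours of initsys:", neighbours)
```

The manifest has to come from somewhere the attacker never touched (a copy kept off the host, or a clean install of the same release, as David suggests further down), and the comparison should be run from rescue media rather than on the running kernel, since a kernel module that hides processes can just as well hand back the original bytes for a trojaned file.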
Maybe you have somewhere a "clean" SuSE system with the same version number (7.3, 8.0...)?! Then you could try chkrootkit (http://www.chkrootkit.org/):

- compile it on the clean system
- take the binaries chkrootkit needs (awk cut echo egrep find head id ls netstat ps sed strings uname) from this system and put everything into an image file (1.4 MB, floppy-size: dd if=/dev/zero of=chkrootkit.img bs=1024 count=1500; /sbin/mkfs.ext2 chkrootkit.img; mount -o loop chkrootkit.img /mnt), using a bin directory for those binaries
- ls -l /mnt then gives you something like this:

drwxr-xr-x  4 root root   1024 Feb 26 11:00 .
drwx------ 22 root root   4096 Jun  2 11:26 ..
-r--r--r--  1 root root   2985 Feb 26 11:00 ACKNOWLEDGMENTS
-r--r--r--  1 root root   1343 Feb 26 11:00 COPYRIGHT
-r--r--r--  1 root root   1421 Feb 26 11:00 Makefile
-r--r--r--  1 root root  11279 Feb 26 11:00 README
-r--r--r--  1 root root   1323 Feb 26 11:00 README.chklastlog
-r--r--r--  1 root root   1292 Feb 26 11:00 README.chkwtmp
drwxr-xr-x  2 root root   1024 Jun  8  2002 bin
-rwxr-xr-x  1 root root   2444 Feb 26 11:00 check_wtmpx
-r--r--r--  1 root root   7191 Feb 26 11:00 check_wtmpx.c
-rwxr-xr-x  1 root root   5828 Feb 26 11:00 chkdirs
-r--r--r--  1 root root   6680 Feb 26 11:00 chkdirs.c
-rwxr-xr-x  1 root root   6448 Feb 26 11:00 chklastlog
-r--r--r--  1 root root   7746 Feb 26 11:00 chklastlog.c
-rwxr-xr-x  1 root root   5864 Feb 26 11:00 chkproc
-r--r--r--  1 root root   4976 Feb 26 11:00 chkproc.c
-r-xr--r--  1 root root  59470 Feb 26 11:00 chkrootkit
-r--r--r--  1 root root    553 Feb 26 11:00 chkrootkit.lsm
-rwxr-xr-x  1 root root   3672 Feb 26 11:00 chkwtmp
-r--r--r--  1 root root   1945 Feb 26 11:00 chkwtmp.c
-rwxr-xr-x  1 root root   4056 Feb 26 11:00 ifpromisc
-r--r--r--  1 root root   3358 Feb 26 11:00 ifpromisc.c
drwxr-xr-x  2 root root  12288 Jun  8  2002 lost+found
-rwxr-xr-x  1 root root 376968 Feb 26 11:00 strings
-r--r--r--  1 root root   2437 Feb 26 11:00 strings.c

- umount /mnt
- put the image file on the compromised system
- mount it there (mount -o loop chkrootkit.img /mnt)
- cd /mnt
- ./chkrootkit -p /mnt/bin (bin is the directory where awk, cut etc. are)

If you trust me, I may send you a chkrootkit image for SuSE 7.3, 8.0 and 8.1... ;->

On Monday, 2 June 2003 02:56, Robert Schelander wrote:
Does someone know what this 'initsys' process is good for? I've never seen it on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys.

thanks in advance
Robert
-- Eat, sleep and go running, David Huecking. Encrypted eMail welcome! GnuPG/ PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
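One of the things chkrootkit's chkproc does (and, further down, the thing it reports on Robert's box as a "hidden process") is to ask the kernel about every PID and flag the ones the kernel admits to but /proc does not show. The added example below reproduces that test on Linux; it is written for this page and is not chkrootkit's code. kill(pid, 0) delivers no signal, it only reports whether the PID exists (EPERM still means "exists"), and a kernel-module rootkit that filters /proc usually forgets to lie to kill(). Assumptions: Linux with /proc mounted without hidepid (hidepid=2 makes other users' entries invisible and produces false positives unless run as root), and a scan capped at 32768 PIDs so it finishes in well under a second.

```python
"""Hidden-process probe in the spirit of chkrootkit's chkproc (added
example; not code from chkrootkit or from the thread).

A PID that answers kill(pid, 0) but has no /proc/<pid> entry is a hiding
candidate. Every candidate is re-probed after a short delay so a process
that simply exited between the two checks is not reported.
"""
import errno
import os
import time


def pid_is_alive(pid):
    """True if the kernel knows PID `pid`; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def pid_in_proc(pid):
    # /proc/<tid> of a thread is reachable by path even though readdir()
    # omits it, so a path test does not misreport threads as hidden.
    return os.path.exists("/proc/%d" % pid)


def max_pid(cap=32768):
    """Upper bound for the sweep: kernel.pid_max, capped to keep it fast."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return min(int(fh.read().strip()), cap)
    except (OSError, ValueError):
        return cap


def classify_pid(pid):
    """'visible', 'hidden' or 'absent' for one PID."""
    if not pid_is_alive(pid):
        return "absent"
    return "visible" if pid_in_proc(pid) else "hidden"


def find_hidden_pids(lo=1, hi=None, recheck_delay=0.05):
    """Return PIDs that the kernel acknowledges but /proc does not list."""
    hi = hi or max_pid()
    candidates = [p for p in range(lo, hi + 1) if classify_pid(p) == "hidden"]
    if not candidates:
        return []
    time.sleep(recheck_delay)  # filter out processes that just exited
    return [p for p in candidates if classify_pid(p) == "hidden"]


def probe_self():
    """Sanity check: our own PID must be classified as visible."""
    return classify_pid(os.getpid())


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:", hidden if hidden else "none found")
```

An empty result is not a clean bill: the probe runs on the same kernel that may be lying, and a module that hooks kill() as well as /proc defeats it. That is why the advice above, clean binaries on a loop-mounted image and, better, a kernel booted from clean media, still applies; this probe is a cheap first pass, not a substitute.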
Maybe you have somewhere a "clean" SuSE-system with the same "version"-number (7.3, 8.0...)?!

A good example of a clean system is the SuSE evaluation live CD. Pretty convenient thingy, I must say, and very much functional, too (especially the latest, 8.2 - has all one usually needs,
Hi,
--- David Huecking
I've checked the whole thing:

- initsys is really part of a rootkit
- all my firewall rules were down
- chkrootkit finds inetd infected, and detects a hidden process... reports an LKM
- my smb.conf: hosts deny = ALL EXCEPT ip1.ip2.255.255 (whatever this strange syntax means, it doesn't look good :))
- syslogd was modified so that it doesn't log anything
- crontab did not work

So I have to install everything from scratch....

Any hints are welcome to make my new system better. I need it as an Apache web server with ssh for administration and proftpd for uploads. A friend told me to use OpenBSD since it's more secure than Linux. I don't know whether this is true, but at the moment I have too little experience with other OSes to use anything other than Linux for servers.

thanks for your help
robert
On Monday 02 June 2003 19:03, Robert Schelander wrote:
I've checked the whole thing:

- initsys is really part of a rootkit
- all my firewall rules were down
- chkrootkit finds inetd infected, and detects a hidden process... reports an LKM
- my smb.conf: hosts deny = ALL EXCEPT ip1.ip2.255.255 (whatever this strange syntax means, it doesn't look good :))
- syslogd was modified so that it doesn't log anything
- crontab did not work

So I have to install everything from scratch....

Any hints are welcome to make my new system better. I need it as an Apache web server with ssh for administration and proftpd for uploads. A friend told me to use OpenBSD since it's more secure than Linux. I don't know whether this is true, but at the moment I have too little experience with other OSes to use anything other than Linux for servers.

thanks for your help
robert
First, disconnect the machine from the network/internet. I do not remember, but did you describe your box? What version of software, updates and patches applied? firewall rules (or, for you, I would suggest using one of SuSE's firewall scripts). For suggestions to be made there needs to be a basis. Also, if you are only using this for Apache and ftp then you should do a fairly minimal install. No X/KDE/etc. Why are you using Samba? Again, it should not be installed if you only need Apache and ftp. If you need to transfer files then you can use ftp and then move them around through your ssh connection. Jim
Hi!
any hints are welcome to make my new system better.
You might want to look at the grsecurity kernel patch. It makes the exploitation of buffer overflows much more difficult and gives some other security improvements as well.

Stefan

--
Technische Universitaet Muenchen          Raum: 1131
Physik-Department T39                     Tel.: 089/289-12197
James-Franck-Strasse                      E-Mail: sfritsch@ph.tum.de
D-85748 Garching
participants (9)
- Bob Vickers
- Dan Am
- David Huecking
- Eduard Avetisyan
- James Bliss
- Robert Schelander
- Stefan Fritsch
- Sven 'Darkman' Michels
- Wolfgang Eul