Maybe you have somewhere a "clean" SuSE system with the same version number (7.3, 8.0, ...)?! Then you could try chkrootkit (http://www.chkrootkit.org/):

- compile it on the clean system
- take the needed binaries (awk cut echo egrep find head id ls netstat ps sed strings uname) for chkrootkit from this system and put everything into an image file (1.4 MB, floppy size: dd if=/dev/zero of=chkrootkit.img bs=1024 count=1500; /sbin/mkfs.ext2 chkrootkit.img; mount -o loop chkrootkit.img /mnt), using a bin directory
- ls -l /mnt then gives you something like this:

drwxr-xr-x   4 root root   1024 Feb 26 11:00 .
drwx------  22 root root   4096 Jun  2 11:26 ..
-r--r--r--   1 root root   2985 Feb 26 11:00 ACKNOWLEDGMENTS
-r--r--r--   1 root root   1343 Feb 26 11:00 COPYRIGHT
-r--r--r--   1 root root   1421 Feb 26 11:00 Makefile
-r--r--r--   1 root root  11279 Feb 26 11:00 README
-r--r--r--   1 root root   1323 Feb 26 11:00 README.chklastlog
-r--r--r--   1 root root   1292 Feb 26 11:00 README.chkwtmp
drwxr-xr-x   2 root root   1024 Jun  8  2002 bin
-rwxr-xr-x   1 root root   2444 Feb 26 11:00 check_wtmpx
-r--r--r--   1 root root   7191 Feb 26 11:00 check_wtmpx.c
-rwxr-xr-x   1 root root   5828 Feb 26 11:00 chkdirs
-r--r--r--   1 root root   6680 Feb 26 11:00 chkdirs.c
-rwxr-xr-x   1 root root   6448 Feb 26 11:00 chklastlog
-r--r--r--   1 root root   7746 Feb 26 11:00 chklastlog.c
-rwxr-xr-x   1 root root   5864 Feb 26 11:00 chkproc
-r--r--r--   1 root root   4976 Feb 26 11:00 chkproc.c
-r-xr--r--   1 root root  59470 Feb 26 11:00 chkrootkit
-r--r--r--   1 root root    553 Feb 26 11:00 chkrootkit.lsm
-rwxr-xr-x   1 root root   3672 Feb 26 11:00 chkwtmp
-r--r--r--   1 root root   1945 Feb 26 11:00 chkwtmp.c
-rwxr-xr-x   1 root root   4056 Feb 26 11:00 ifpromisc
-r--r--r--   1 root root   3358 Feb 26 11:00 ifpromisc.c
drwxr-xr-x   2 root root  12288 Jun  8  2002 lost+found
-rwxr-xr-x   1 root root 376968 Feb 26 11:00 strings
-r--r--r--   1 root root   2437 Feb 26 11:00 strings.c

- umount /mnt
- put the image file onto the compromised system
- mount it there (mount -o loop chkrootkit.img /mnt)
- cd /mnt
- ./chkrootkit -p /mnt/bin (bin is the directory where awk, cut etc. are)

If you trust me, I may send you a chkrootkit image for SuSE 7.3, 8.0 and 8.1... ;->

On Monday, 2 June 2003 02:56, Robert Schelander wrote:
Does someone know what this 'initsys' process is good for? I've never seen it on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys.

Thanks in advance,
Robert
USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root         1  0.2  0.0  448   64 ?   S    01:05 0:07 init [5]
root         2  0.0  0.0    0    0 ?   SW   01:05 0:00 [keventd]
root         3  0.0  0.0    0    0 ?   SW   01:05 0:00 [kapmd]
root         4  0.0  0.0    0    0 ?   SWN  01:05 0:00 [ksoftirqd_CPU0]
root         5  0.0  0.0    0    0 ?   SW   01:05 0:00 [kswapd]
root         6  0.0  0.0    0    0 ?   SW   01:05 0:00 [bdflush]
root         7  0.0  0.0    0    0 ?   SW   01:05 0:00 [kupdated]
root        10  0.0  0.0    0    0 ?   SW<  01:05 0:00 [mdrecoveryd]
root        14  0.0  0.0    0    0 ?   DW   01:05 0:00 [hpt_wt]
root        15  0.0  0.0    0    0 ?   SW   01:05 0:00 [kreiserfsd]
root        23  0.0  0.2 1312  332 ?   S    01:05 0:00 initsys
root       256  0.0  0.5 1840  640 ?   S    01:05 0:00 /usr/sbin/apmd
root       410  0.0  0.5 1408  640 ?   S    01:05 0:00 /sbin/syslogd
root       413  0.0  0.8 1904 1116 ?   S    01:05 0:00 /sbin/klogd -c 1
root       449  0.0  0.0    0    0 ?   SW   01:05 0:00 [khubd]
bin        693  0.0  0.3 1344  404 ?   S    01:05 0:00 /sbin/portmap
.....
-- 
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP-Key: 0x57809216. Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
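The procedure David describes above (build chkrootkit on a clean box, carry known-good helper binaries along, run it with -p so it does not trust the suspect host's awk/ls/ps/netstat) as a worked shell example. This is added here and is not code from the original mail or from the chkrootkit project. It goes one step beyond the mail: the toolkit carries its own sha256sum and a checksum manifest, so the toolkit can be checked on the suspect host before chkrootkit runs, without trusting that host's checksum tool. The function names, the TOOLKIT/bin layout and the sha256sum addition are my own assumptions; the image function needs root and GNU e2fsprogs, exactly as the mail's dd/mkfs.ext2/mount sequence does.

```shell
#!/bin/sh
# Added example (not from the original mail or chkrootkit): a trusted helper
# toolkit for "chkrootkit -p". Assumes GNU coreutils (sha256sum, cp -L).
# Layout assumed: TOOLKIT/chkrootkit (built on the clean host) + TOOLKIT/bin.

# Helpers chkrootkit calls, per the mail, plus sha256sum so the toolkit can
# verify itself on the suspect host (my addition, not in the mail's list).
TOOLS="awk cut echo egrep find head id ls netstat ps sed strings uname sha256sum"

# find_bin NAME: path of NAME on PATH as a real executable file. Deliberately
# not "command -v", which would report the shell builtin for echo.
find_bin() (
    IFS=:
    for d in $PATH; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then echo "$d/$1"; return 0; fi
    done
    return 1
)

# build_trusted_bin DEST TOOL...: run on the CLEAN host. Copies each TOOL into
# DEST (following symlinks so the real binary is copied) and records SHA-256
# sums in DEST/MANIFEST.sha256. Returns 1 if any tool was not found.
build_trusted_bin() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST.sha256"
    missing=0
    for t in "$@"; do
        src=$(find_bin "$t")
        if [ -z "$src" ]; then
            echo "build_trusted_bin: $t not found on this host" >&2
            missing=1
            continue
        fi
        cp -L "$src" "$dest/$t" || return 1
        chmod 755 "$dest/$t"
        ( cd "$dest" && sha256sum "$t" >> MANIFEST.sha256 ) || return 1
    done
    return $missing
}

# verify_trusted_bin DIR: run on the SUSPECT host. Recomputes the sums with
# the sha256sum carried inside DIR, so a trojaned system sha256sum cannot
# vouch for the toolkit. Returns 0 only if every file still matches.
verify_trusted_bin() {
    dir=$1
    if [ -x "$dir/sha256sum" ]; then
        ( cd "$dir" && ./sha256sum -c MANIFEST.sha256 >/dev/null )
    else
        echo "verify_trusted_bin: no sha256sum in $dir, using system copy" >&2
        ( cd "$dir" && sha256sum -c MANIFEST.sha256 >/dev/null )
    fi
}

# make_floppy_image IMG SRCDIR: pack SRCDIR into a floppy-sized ext2 image the
# way the mail does (dd, mkfs.ext2, loop mount). Needs root for the mount.
make_floppy_image() {
    img=$1; srcdir=$2
    mnt=$(mktemp -d) || return 1
    dd if=/dev/zero of="$img" bs=1024 count=1440 2>/dev/null &&
        /sbin/mkfs.ext2 -q -F "$img" &&
        mount -o loop "$img" "$mnt" &&
        cp -a "$srcdir"/. "$mnt"/ &&
        umount "$mnt"
    rc=$?
    rmdir "$mnt"
    return $rc
}

# run_chkrootkit TOOLKIT: on the suspect host, after mounting the image.
# Refuses to run if the toolkit no longer matches its manifest, then runs
# chkrootkit with -p pointing at the trusted helpers. PATH is narrowed as
# well, so nothing chkrootkit spawns falls back to the suspect host's /bin.
run_chkrootkit() {
    kit=$1
    verify_trusted_bin "$kit/bin" ||
        { echo "toolkit does not match manifest, aborting" >&2; return 2; }
    PATH="$kit/bin" "$kit/chkrootkit" -p "$kit/bin"
}

# Usage, on the clean host:
#   build_trusted_bin /tmp/kit/bin $TOOLS && cp chkrootkit /tmp/kit/
#   make_floppy_image chkrootkit.img /tmp/kit
# On the suspect host:
#   mount -o loop chkrootkit.img /mnt && run_chkrootkit /mnt
```

Keep MANIFEST.sha256 (or just its sha256sum) somewhere off the suspect host too: if an attacker can modify the mounted image they can also rewrite the manifest, so the offline copy is what the verification ultimately rests on.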