June 2003 - openSUSE Security - openSUSE Mailing Lists

AW: [suse-security] initsys prozess / rootkit? trojan?
by Wanning, Mike 02 Jun '03

02 Jun '03

Hi Robert, Hi List, I've found some Informations about initsys: www.giac.org/practical/Edmo_Filho_GCIH.doc says: "initsys is a session hijacking tool that can be remotely connected by using another session hijacking tool called Hunt." Mike Wanning > -----Ursprüngliche Nachricht----- > Von: Robert Schelander [mailto:rschelander@aon.at] > Gesendet: Montag, 2. Juni 2003 02:57 > An: suse-security(a)suse.com > Betreff: [suse-security] initsys prozess / rootkit? trojan? > > > Does someone know what this 'initsys' process is good for? > I've never seen > in on any of my systems before. Could it be part of a > rootkit? I found the > binary in /usr/bin/initsys > > thanks in advance > Robert > > > USER PID %CPU %MEM VSZ RSS TTY STAT START > TIME COMMAND > root 1 0.2 0.0 448 64 ? S 01:05 > 0:07 init [5] > root 2 0.0 0.0 0 0 ? SW 01:05 > 0:00 [keventd] > root 3 0.0 0.0 0 0 ? SW 01:05 > 0:00 [kapmd] > root 4 0.0 0.0 0 0 ? SWN 01:05 0:00 > [ksoftirqd_CPU0] > root 5 0.0 0.0 0 0 ? SW 01:05 > 0:00 [kswapd] > root 6 0.0 0.0 0 0 ? SW 01:05 > 0:00 [bdflush] > root 7 0.0 0.0 0 0 ? SW 01:05 > 0:00 [kupdated] > root 10 0.0 0.0 0 0 ? SW< 01:05 0:00 > [mdrecoveryd] > root 14 0.0 0.0 0 0 ? DW 01:05 > 0:00 [hpt_wt] > root 15 0.0 0.0 0 0 ? SW 01:05 > 0:00 [kreiserfsd] > root 23 0.0 0.2 1312 332 ? S 01:05 > 0:00 initsys > root 256 0.0 0.5 1840 640 ? S 01:05 0:00 > /usr/sbin/apmd > root 410 0.0 0.5 1408 640 ? S 01:05 0:00 > /sbin/syslogd > root 413 0.0 0.8 1904 1116 ? S 01:05 0:00 > /sbin/klogd -c 1 > root 449 0.0 0.0 0 0 ? SW 01:05 > 0:00 [khubd] > bin 693 0.0 0.3 1344 404 ? S 01:05 0:00 > /sbin/portmap > ..... > > > > -- > Check the headers for your unsubscription address > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here > Gesendet über Mailserver: begros.de! Trotz sorgfältiger Virenprüfung können wir für eventuelle Schäden, die durch nicht erkannte Computerviren entstehen, keine Haftung übernehmen.

1 0

AW: [suse-security] initsys prozess / rootkit? trojan?
by Gerhard Stegmann 02 Jun '03

02 Jun '03

hi there. just a suggestion : your initsys-process seems to have come up together with the other ones ( 01:05 ). so maybe you can find an initscript somewhere that starts it ? as pid is higher than the one of reserfsd, it should be startet somewhere after it. what does pstree say ? does this help ? -----Ursprüngliche Nachricht----- Von: Robert Schelander [mailto:rschelander@aon.at] Gesendet: Montag, 2. Juni 2003 02:57 An: suse-security(a)suse.com Betreff: [suse-security] initsys prozess / rootkit? trojan? Does someone know what this 'initsys' process is good for? I've never seen in on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys thanks in advance Robert USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.2 0.0 448 64 ? S 01:05 0:07 init [5] root 2 0.0 0.0 0 0 ? SW 01:05 0:00 [keventd] root 3 0.0 0.0 0 0 ? SW 01:05 0:00 [kapmd] root 4 0.0 0.0 0 0 ? SWN 01:05 0:00 [ksoftirqd_CPU0] root 5 0.0 0.0 0 0 ? SW 01:05 0:00 [kswapd] root 6 0.0 0.0 0 0 ? SW 01:05 0:00 [bdflush] root 7 0.0 0.0 0 0 ? SW 01:05 0:00 [kupdated] root 10 0.0 0.0 0 0 ? SW< 01:05 0:00 [mdrecoveryd] root 14 0.0 0.0 0 0 ? DW 01:05 0:00 [hpt_wt] root 15 0.0 0.0 0 0 ? SW 01:05 0:00 [kreiserfsd] root 23 0.0 0.2 1312 332 ? S 01:05 0:00 initsys root 256 0.0 0.5 1840 640 ? S 01:05 0:00 /usr/sbin/apmd root 410 0.0 0.5 1408 640 ? S 01:05 0:00 /sbin/syslogd root 413 0.0 0.8 1904 1116 ? S 01:05 0:00 /sbin/klogd -c 1 root 449 0.0 0.0 0 0 ? SW 01:05 0:00 [khubd] bin 693 0.0 0.3 1344 404 ? S 01:05 0:00 /sbin/portmap ..... -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

1 0

obsolete (PF_INET,SOCK_PACKET)
by webmaster 02 Jun '03

02 Jun '03

Hi List, Is the err below harmless? And what a way to cure it? SuSe 7.1 box scanlogd uses obsolete (PF_INET,SOCK_PACKET) Thanks Antal Kreorg Oktatóközpont Grid International Magyarország kreorg(a)kreorg.hu +36-1-321-0031

2 1

encrypted device?!
by Markus Hochmann 02 Jun '03

02 Jun '03

Hello, I would like to know something about the encrypted devices (losetup) [1] : -Which algorithmus is the securest? -How do I get to know how many bits are used for encryption? -How secure is this at all? (Password in RAM/ on swap?; BF-attack?; very big partitions ~100GB) -Can the swap be randomly encrypted? (So nobody can read it after restart.) Greets, Markus [1] german: http://www.suse.de/de/private/support/howto/crypto/ english: http://sdb.suse.de/en/sdb/html/jsj_crypto_filesystem_mini_howto.html

3 2

Re: [SLE] How to look at the SRPMS source code without recompiling?
by fabio de francesco 02 Jun '03

02 Jun '03

> > Install it with rpm -i, and look in /usr/src/packages/{SOURCES,SPECS} > Are you sure that "rpm -i *src.rpm" won't compile and install the binaries? Thanks.

3 2

Protection against synfloods and portscans
by Ruprecht Helms 01 Jun '03

01 Jun '03

Hi, how can I protect a firewall against syn-floods and normal port-scans via iptable-rule(s)? Regards, Ruprecht

1 0

SuSEfirewall2
by Greg Jamison 01 Jun '03

01 Jun '03

Hello, I am new to the SuSEfirewall, but have quite a bit of experience with iptables. There are a few rules I used in iptables that I can't seem to find equivalents for with the SuSEfirewall. Specifically the following: -A INPUT -i eth0 -p tcp --syn -j DROP (This drops all TCP syn packets received on eth0) -A INPUT -i eth0 -p tcp -m state --state INVALID,NEW -j DROP (This drops any TCP traffic received on eth0 not generated by my firewall or internal network) Is there any way I can accomplish the same with the SuSEfirewall? Any help is greatly appreciated. Thanks! Greg Jamison

2 1