LinuxQuestions.org
Old 04-10-2004, 02:11 PM   #1
herc
Member
 
Registered: Jul 2003
Posts: 90

Rep: Reputation: 15
Weird restart?


Hmm, my computer had restarted itself last night and I have no idea why.
This is what is logged:

...
Apr 10 01:45:55 warmachine -- MARK --
Apr 10 02:04:29 warmachine sshd[22900]: Accepted password for * from ::ffff:* port 18308 ssh2
Apr 10 02:04:29 warmachine sshd[22902]: subsystem request for sftp
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46 warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
Apr 10 01:36:46 warmachine kernel: BIOS-provided physical RAM map:
Apr 10 01:36:46 warmachine kernel: 511MB LOWMEM available.
...

What might have caused the restart? And what's up with the timestamps, 02:xx before 01:xx?
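Added example, not part of the original post: a small filter that scans a syslog file for the two things visible in the excerpt above, a `syslogd ... restart` marker and a timestamp that runs backwards, and prints the last entry written before the restart. The function names `find_log_anomalies` and `sample_log` are hypothetical; the sample lines are copied from the excerpt.

```shell
#!/bin/sh
# Added example (not from the thread). find_log_anomalies and sample_log are
# hypothetical names; the sample lines are the ones quoted in the post above.

find_log_anomalies() {
    awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # Classic syslog stamp fills the first 15 columns, e.g. "Apr 10 01:36:45".
    /^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
        stamp = substr($0, 1, 15)
        # No year in the stamp; treating every month as 31 days keeps ordering.
        days = mon[substr(stamp, 1, 3)] * 31 + substr(stamp, 5, 2)
        t = (days * 24 + substr(stamp, 8, 2)) * 3600
        t += substr(stamp, 11, 2) * 60 + substr(stamp, 14, 2)
        # A stamp earlier than the previous line: clock change or edited log.
        if (seen && t < prev)
            printf "BACKWARDS line %d: %s follows %s (-%ds)\n", NR, stamp, prevstamp, prev - t
        # syslogd writes this marker when it starts, e.g. after a reboot.
        if ($0 ~ /syslogd [0-9.]+: restart/)
            printf "RESTART line %d: last entry before it: %s\n", NR, lastline
        prev = t; prevstamp = stamp; lastline = $0; seen = 1
    }'
}

# Sample input: four lines from the log excerpt in the post.
sample_log() {
    cat <<'EOF'
Apr 10 02:16:21 warmachine sshd[22908]: Accepted password for * from ::ffff:* port 18161 ssh2
Apr 10 02:16:22 warmachine sshd[22910]: subsystem request for sftp
Apr 10 01:36:45 warmachine syslogd 1.4.1: restart.
Apr 10 01:36:46 warmachine kernel: klogd 1.4.1, log source = /proc/kmsg started.
EOF
}

sample_log | find_log_anomalies
```

On a real system the function would be fed the log file itself, for example `find_log_anomalies < /var/log/messages`; a December to January rollover will also be reported as a backwards jump because the stamp carries no year.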
 
Old 04-10-2004, 03:34 PM   #2
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Hmmm... that doesn't look good at all. Run chkrootkit to see if you have been rooted. Oftentimes the machine is rebooted to get the rootkit working.
 
Old 04-10-2004, 05:00 PM   #3
herc
Member
 
Registered: Jul 2003
Posts: 90

Original Poster
Rep: Reputation: 15
Ok, I'm not too familiar with chkrootkit, so what am I looking for in the output?

Btw. the user who logged in was me.

Last edited by herc; 04-10-2004 at 05:02 PM.
 
Old 04-10-2004, 05:06 PM   #4
herc
Member
 
Registered: Jul 2003
Posts: 90

Original Poster
Rep: Reputation: 15
chkrootkit:

Checking `ldsopreload'... can't exec ./strings-static, not tested

Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/perl5/5.8.0/i486-linux/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/site_perl/5.8.0/i486-linux/auto/Irssi/.packlist /usr/lib/j2sdk1.4.2_01/.systemPrefs /usr/lib/j2sdk1.4.2_01/.systemPrefs/.systemRootModFile /usr/lib/j2sdk1.4.2_01/.systemPrefs/.system.lock /usr/lib/python2.3/site-packages/freeze/.cvsignore
/usr/lib/php/.registry /usr/lib/j2sdk1.4.2_01/.systemPrefs

Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

Checking `sniffer'... not tested: can't exec ./ifpromisc

Checking `wted'... not tested: can't exec ./chkwtmp

Checking `z2'... not tested: can't exec ./chklastlog

help!

Last edited by herc; 04-10-2004 at 05:24 PM.
 
Old 04-11-2004, 05:04 AM   #5
herc
Member
 
Registered: Jul 2003
Posts: 90

Original Poster
Rep: Reputation: 15
any ideas?
 
Old 04-11-2004, 04:59 PM   #6
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Run:

chkrootkit | grep INFECTED

See if you get any output from that.
 
Old 04-11-2004, 05:40 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Did you compile the C programs that are part of chkrootkit (ifpromisc.c, chkwtmp.c, and chklastlog.c)? If not, check out the README file in the chkrootkit-x.x directory for instructions.
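Added example, not part of any post in this thread: `chkrootkit | grep INFECTED` prints nothing both when every check passed and when checks could not run, as in the output posted in #4 where four tests report "not tested". This sketch summarises a chkrootkit run so that skipped checks are counted and reflected in the exit status; `chkrootkit_triage` and `sample_chkrootkit_output` are hypothetical names, the exit codes are this example's own convention, and the sample lines are taken from post #4.

```shell
#!/bin/sh
# Added example (not from the thread). Reads chkrootkit output on stdin.
# Exit status (this example's convention): 0 = all checks ran and none
# reported INFECTED, 1 = at least one INFECTED, 2 = some checks never ran.

chkrootkit_triage() {
    awk -v q="'" '
    /^Checking `/ {
        # Second field looks like `sniffer followed by a quote and dots.
        name = $2; gsub("[`" q ".]", "", name)
        total++
        if ($0 ~ /INFECTED/)        { infected++; print "INFECTED   " name }
        else if ($0 ~ /not tested/) { skipped++;  print "NOT_TESTED " name }
    }
    /[Ww]arning:/ { warnings++; print "WARNING    " $0 }
    END {
        printf "checks=%d infected=%d not_tested=%d warnings=%d\n", total, infected, skipped, warnings
        if (infected) exit 1
        if (skipped)  exit 2
    }'
}

# Sample input: the "Checking" and "Warning" lines from the output in post #4.
sample_chkrootkit_output() {
    cat <<'EOF'
Checking `ldsopreload'... can't exec ./strings-static, not tested
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `z2'... not tested: can't exec ./chklastlog
EOF
}

sample_chkrootkit_output | chkrootkit_triage ||
    echo "exit status $?: this run is not a clean result"
```

In use, the real tool's output is piped in (`chkrootkit | chkrootkit_triage`); an exit status of 2 means the helper programs named in the "can't exec" messages need to be built before the result says anything about those checks.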
 
Old 04-11-2004, 11:26 PM   #8
herc
Member
 
Registered: Jul 2003
Posts: 90

Original Poster
Rep: Reputation: 15
I get nothing infected / deleted.

btw. sorry for the double post, I will read the rules better

Last edited by herc; 04-11-2004 at 11:30 PM.
 
  


All times are GMT -5.