LinuxQuestions.org


space_beyond 07-06-2005 07:31 PM

cannot shutdown properly
 
I'm a newbie on Linux. We are using Red Hat Linux 9. When we type the command "shutdown -h now", a message appears:

Broadcast message from root (tty1) July 6, 2005
The system is going down for system halt NOW! /dev/null
RK_Init: id=0xc036f000, sct[]=0xc030a0f0, FUCK: Can't find kmalloc()!

It then goes back to the command prompt. If we type the shutdown command again, the same message appears.

Need help....

Krugger 07-06-2005 07:40 PM

Ok, that is a bit weird. You should update the kernel or something like that and get some ACPI support to be able to power down completely.

Have you been playing with the scripts, or have you some extreme RBAC settings? The kernel not being able to call kmalloc is ... bizarre. :)

Krugger 07-06-2005 07:44 PM

I was looking around for your weird problem and found out there is a high probability that you have been hacked.

http://redhat.irlp.net/hack_report.html

Kind of sounds like your problem.

Krugger 07-06-2005 07:46 PM

Get this to check to see if you got rootkits installed:

http://www.chkrootkit.org/

space_beyond 07-10-2005 08:11 PM

I looked at the site you mentioned and found messages similar to the ones that have been displayed on our system. What can we do... do you have any idea how to fix this?
Thanks...

btmiller 07-10-2005 09:50 PM

If your system has been compromised, back up user data (NOT programs/libraries -- be very sure about this, i.e. inspect your back-ups for suspicious files), reformat, and reinstall from scratch. Unfortunately, this is the only way to safely deal with a compromised system. Meanwhile, if you have a compromised box, pull it off the network immediately (i.e. disconnect the network cable), since it is a danger to you and to others.

You probably ought to upgrade to something more recent than RH9. If you're running an unpatched RH9 with lots of services available to the Internet ... well, it's not necessarily surprising that you got cracked.
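
The advice above to back up user data only and to inspect the backup for suspicious files can be partly automated. The script below is an added example, not part of any post in this thread: it walks a backup tree and flags anything that is not plain data (ELF programs or libraries whatever their name, interpreter scripts, executable or setuid/setgid files, symlinks and special files). The function names and the sample tree are made up for illustration.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of Linux programs and shared libraries

def classify(path):
    """Return the reasons a backed-up file needs manual review ([] = plain data)."""
    st = os.lstat(path)  # lstat: judge a symlink itself, not its target
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, device, FIFO or socket)"]
    reasons = []
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid bit")
    if st.st_mode & 0o111:
        reasons.append("executable bit")
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        reasons.append("ELF binary or library")
    elif head.startswith(b"#!"):
        reasons.append("interpreter script")
    return reasons

def audit_backup(root):
    """Map relative path -> reasons for every flagged entry under root."""
    flagged = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        for path in (os.path.join(dirpath, n) for n in dirnames + filenames):
            if os.path.isdir(path) and not os.path.islink(path):
                continue  # real directories are descended into by os.walk
            if reasons := classify(path):
                flagged[os.path.relpath(path, root)] = reasons
    return flagged

def build_sample_backup():  # constructed sample tree, not data from the thread
    root = tempfile.mkdtemp(prefix="backup-demo-")
    samples = {"notes.txt": (b"todo\n", 0o644), "cron.sh": (b"#!/bin/sh\n", 0o644),
               ".cache/ls": (ELF_MAGIC + b"\x01\x01\x01", 0o755),
               "photo.jpg": (ELF_MAGIC + b"\x01\x01\x01", 0o644)}
    for rel, (data, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(audit_backup(build_sample_backup()))
```

Run it against the backup from trusted boot media rather than from the compromised system itself. An empty result only narrows what needs manual inspection; it does not prove the backup is clean.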

Krugger 07-13-2005 05:26 PM

If you simply want to repair the system and move on, get a Knoppix CD (http://www.knoppix.org) so you can mount your hard drives and copy any relevant data. After that, delete the disk and reinstall the system.

If you want to save yourself some trouble, copy the server configs. And I would suggest getting an updated version from Red Hat, like Fedora Core 4, from http://fedora.redhat.com/download/mirrors.html

Warning: This prevents any diagnosis of how the machine was compromised. This usually helps you learn how to prevent this in the future. It's up to you and how time-critical it is to get things up again.

int0x80 07-15-2005 12:17 PM

DBAN
 
For clearing your drive, I recommend DBAN: http://dban.sourceforge.net
This will get rid of everything.


All times are GMT -5.