eross 08-12-2004 05:26 PM

Problem--- reboot
 
reboot

Broadcast message from root (pts/2) (Thu Aug 12 16:30:02 2004):

The system is going down for reboot NOW!
/dev/null
RK_Init: idt=0xc0398000, FUCK: Can't find sys_call_table[]

What is this?

I can't shut down either, I haven't updated kernel or anything else.

Using mdk 10

btmiller 08-12-2004 05:49 PM

That looks mighty suspicious - sys_call_table[] is an internal kernel data structure that holds pointers to the system calls offered by the kernel (these allow user processes to request various things from the kernel). Prior to 2.6 it was an exported symbol, meaning that kernel modules could play around with the system call tables (for instance to provide a wrapper to limit access to certain syscalls). Ever since 2.6, however, this is not possible. It looks like somewhere on your system is a piece of software that depends on the old behavior.

Unfortunately, after doing a bit of googling on that message you have, it seems the most likely answer is that your system has been compromised and a hostile kernel module added (presumably one that tinkers with the sys_call_table, probably to cover its tracks). You need to take the system off the net, carefully scan for signs of an infestation (new accounts you didn't create, funny looking files, etc.), and if it has indeed been compromised, reinstall from known-good media and apply all of Mandrake's security patches before reconnecting the system to the Internet.

chakkerz 08-13-2004 01:14 AM

Sounds rootkitted alright, I'd say rebuild the kernel, and raise a firewall.

That said, you're on 9.1 so you should be on a 2.4 kernel, which would be consistent with what btmiller said. Check out this thread at red hat: ... might help. https://www.redhat.com/archives/valh.../msg00195.html

eross 08-13-2004 04:50 AM

Any tips on how to check if I have been indeed "hacked"?

eross 08-13-2004 07:29 AM

Well, I think this happens when you don't pay too much attention to your firewall settings :(

I'll make a clean reinstall with debian.

Any comments are welcome.

Capt_Caveman 08-13-2004 10:58 AM

Running chkrootkit or rootkit hunter would probably be helpful, but that message looks like SucKit, so you may also want to give skdetect a try as well. SucKit isn't a kernel module (though it does act similar to one), so rebuilding the kernel would not work. Fully formatting and reinstalling from trusted media (not from a backup) is really the only solution.

I'm guessing that the system wasn't fully patched either? It's arguably THE most important factor in keeping your system secure. Once you get your new system up and patched, turn off all un-needed services and make sure you have a reasonable firewall. Install a file alteration detector (like tripwire) and make sure to keep up with patching.
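As an added illustration of the "file alteration detector" advice above (example code written for this thread, not tripwire's own or anything from the original posts): a minimal baseline-and-compare checker that fingerprints every regular file by SHA-256, size and mode, then reports files that were added, removed or changed. The `demo()` scenario and its file names are constructed; a real baseline must be taken on a known-clean system and kept on read-only media, since a rootkit on the box can otherwise rewrite it too.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]  # (sha256 hex digest, size in bytes, permission bits)


def snapshot(root: str) -> Dict[str, Record]:
    """Walk `root` and fingerprint every regular file (symlinks/devices skipped)."""
    db: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report paths added, removed or altered relative to the stored baseline."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["changed"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake /bin, then replace one 'binary' with a
    same-size trojaned copy (size alone would miss it) and drop a hidden file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ps", "ls"):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(b"original %s binary" % name.encode())
        baseline = snapshot(root)  # in practice: write this to read-only media
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"trojaned ps binary")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
            fh.write(b"dropped file")
        return compare(baseline, snapshot(root))
```

Run `demo()` to see the changed `bin/ps` and the added `bin/.hidden` reported while the untouched `bin/ls` stays silent.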

Mara 08-13-2004 05:04 PM

To be sure it is removed you'd rather need to reinstall. Use your Mandrake installation cd as rescue disk and copy your important data to any other partition. Then reinstall, turn off all services you don't need (if this is a desktop machine you usually don't need any) and configure your firewall.
I'm also moving this thread to Linux-Security.

eross 08-13-2004 11:15 PM

Thanks for the help, I'll just switch distro and set everything again.
