LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-12-2004, 05:26 PM   #1
eross
LQ Newbie
 
Registered: Jun 2003
Location: .ar
Distribution: Gentoo
Posts: 11

Rep: Reputation: 0
Problem--- reboot


reboot

Broadcast message from root (pts/2) (Thu Aug 12 16:30:02 2004):

The system is going down for reboot NOW!
/dev/null
RK_Init: idt=0xc0398000, FUCK: Can't find sys_call_table[]

What is this?

I can't shut down either, I haven't updated the kernel or anything else.

Using mdk 10
 
Old 08-12-2004, 05:49 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,078

Rep: Reputation: 297
That looks mighty suspicious - sys_call_table[] is an internal kernel data structure that holds pointers to the system calls offered by the kernel (these allow user processes to request various things from the kernel). Prior to 2.6 it was an exported symbol, meaning that kernel modules could play around with the system call tables (for instance to provide a wrapper to limit access to certain syscalls). Ever since 2.6, however, this is not possible. It looks like somewhere on your system is a piece of software that depends on the old behavior.

Unfortunately, after doing a bit of googling on that message you have, it seems the most likely answer is that your system has been compromised and a hostile kernel module added (presumably one that tinkers with the sys_call_table, probably to cover its tracks). You need to take the system off the net, carefully scan for signs of an infestation (new accounts you didn't create, funny looking files, etc.), and if it has indeed been compromised, reinstall from known-good media and apply all of Mandrake's security patches before reconnecting the system to the Internet.
 
Old 08-13-2004, 01:14 AM   #3
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Rep: Reputation: 32
Sounds rootkitted alright, I'd say rebuild the kernel and raise a firewall.

That said, you're on 9.1 so you should be on a 2.4 kernel, which would be consistent with what btmiller said. Check out this thread at Red Hat: ... might help. https://www.redhat.com/archives/valh.../msg00195.html
 
Old 08-13-2004, 04:50 AM   #4
eross
LQ Newbie
 
Registered: Jun 2003
Location: .ar
Distribution: Gentoo
Posts: 11

Original Poster
Rep: Reputation: 0
Any tips on how to check if I have been indeed "hacked"?
 
Old 08-13-2004, 07:29 AM   #5
eross
LQ Newbie
 
Registered: Jun 2003
Location: .ar
Distribution: Gentoo
Posts: 11

Original Poster
Rep: Reputation: 0
Well, I think this happens when you don't pay too much attention to your firewall settings

I'll make a clean reinstall with debian.

Any comments are welcome.
 
Old 08-13-2004, 10:58 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Running chkrootkit or rootkit hunter would probably be helpful, but that message looks like SucKit, so you may also want to give skdetect a try as well. SucKit isn't a kernel module (though it does act similar to one), so rebuilding the kernel would not work. Fully formatting and reinstalling from trusted media (not from a backup) is really the only solution.

I'm guessing that the system wasn't fully patched either? It's arguably THE most important factor in keeping your system secure. Once you get your new system up and patched, turn off all unneeded services and make sure you have a reasonable firewall. Install a file alteration detector (like tripwire) and make sure to keep up with patching.
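A file-alteration check of the kind Capt_Caveman recommends, as an added example that is not from the thread or from tripwire, chkrootkit or skdetect: it hashes a directory tree against a trusted baseline and reports added, removed and changed files. The tree here is a constructed temporary directory; on a real host the baseline must be stored off the machine, and since a kernel-level rootkit can lie to every userspace read, the comparison is only trustworthy when run from rescue media.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(root: Path) -> dict:
    """Record hash, size and mode of every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p), "size": st.st_size, "mode": oct(st.st_mode)}
    return baseline


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now with a baseline taken earlier (ideally from trusted media)."""
    current = make_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo() -> dict:
    # Constructed stand-in for /bin etc.; the changes below imitate what a rootkit
    # install looks like to an integrity checker: a replaced tool, a missing tool, a new file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        base = make_baseline(root)            # taken while the system is known-good
        (root / "bin" / "ps").write_bytes(b"replaced ps binary")
        (root / "bin" / "ls").unlink()
        (root / ".hidden").write_bytes(b"x")
        return verify_baseline(root, base)
```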
 
Old 08-13-2004, 05:04 PM   #7
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,536

Rep: Reputation: 148
To be sure it is removed you'd rather need to reinstall. Use your Mandrake installation CD as a rescue disk and copy your important data to any other partition. Then reinstall, turn off all services you don't need (if this is a desktop machine you usually don't need any) and configure your firewall.
I'm also moving this thread to Linux-Security.
 
Old 08-13-2004, 11:15 PM   #8
eross
LQ Newbie
 
Registered: Jun 2003
Location: .ar
Distribution: Gentoo
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for the help, I'll just switch distro and set everything again.
 