Linux - Security forum, LinuxQuestions.org
#1 | 07-16-2006, 09:45 PM | Member (Registered: Jul 2005, Posts: 273)
dreams rootkit
Can anyone give me any info about the dreams rootkit? All I have found is that it exploits a gzip overflow.
Thanks,
#2 | 07-17-2006, 03:50 AM | Moderator (Registered: May 2001, Posts: 29,415)
Looking at this you can probably figure out functionality:
/dev/ida/.hpd
/usr/bin/initrd
/dev/ttyoa
/dev/ttyof
/dev/ttyop
/usr/bin/sense
/usr/bin/sl2
/usr/bin/logclear
/usr/bin/(swapd)
/usr/bin/snfs
/usr/lib/libsss
#3 | 07-17-2006, 12:55 PM | Member, Original Poster (Registered: Jul 2005, Posts: 273)
I'm not sure if I'm infected or not. So would reading through those still tell me what I want to know...
#4 | 07-17-2006, 02:55 PM | Moderator (Registered: May 2001, Posts: 29,415)
Quote (#3): "I'm not sure if I'm infected or not. So would reading through those still tell me what I want to know..."
Probably not. (BTW, next time better post something along the lines of "My box got infected".) Show us what you've got and for how long this has been going on.
#5 | 07-17-2006, 03:43 PM | Member, Original Poster (Registered: Jul 2005, Posts: 273)
I ran rootkit hunter on the system. It came back with possible dreams rootkit. As for the server itself, lots of files were all highlighted in red. 15 processes were hidden. If I ran a command such as ps -A I would get the help screen for ps. If I ran just ps, it would return about 6 processes, most of them things that I was currently doing, such as ssh, su, bash, ps.
Some programs such as nagios were not working correctly any more.
I think it was more of a problem of our building. They turned off the AC on this incredibly hot 100 degree weekend, and our extra AC units couldn't keep up. My partner came in and said the server room was 95 degrees. Servers shut themselves down and what not.
We didn't know if that was a false positive, so we googled up dreams rootkit, and I searched on here, and found nothing really useful.
We are setting up another system, so it's not the biggest deal. Just looking for some info.
#6 | 07-17-2006, 03:48 PM | Moderator (Registered: May 2001, Posts: 29,415)
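The path list in post #2 and the hidden-process symptoms in post #5 point to two checks a defender would run before trusting the rkhunter verdict either way: look for the listed files on disk, and compare the kernel's own process list in /proc with what ps reports. The script below is an added example, not code from the thread, from rkhunter, or from any rootkit analysis; it assumes a Linux host with /proc and a ps that accepts `-e -o pid=`, and the file list is copied verbatim from post #2. The `root` and `exists` parameters are illustrative conveniences so the check can be pointed at a mounted image of the suspect disk from a clean machine.

```python
#!/usr/bin/env python3
"""Two checks for the symptoms described in the thread (added example).

1. Look on disk for the file paths listed in post #2.
2. Compare the PIDs the kernel exposes in /proc with the PIDs a
   (possibly trojaned) ps reports; a rootkit that hides processes
   from ps shows up as PIDs present in /proc but absent from ps.

Best run from a clean boot medium against the suspect disk, or with a
statically linked ps, since a rootkit that replaces ps may replace other
userland tools as well.
"""
import os
import subprocess

# Paths listed in post #2 of the thread.
DREAMS_PATHS = [
    "/dev/ida/.hpd",
    "/usr/bin/initrd",
    "/dev/ttyoa",
    "/dev/ttyof",
    "/dev/ttyop",
    "/usr/bin/sense",
    "/usr/bin/sl2",
    "/usr/bin/logclear",
    "/usr/bin/(swapd)",
    "/usr/bin/snfs",
    "/usr/lib/libsss",
]


def find_indicator_files(paths, root="/", exists=os.path.lexists):
    """Return the entries of `paths` that exist under `root`.

    `root` lets you point the check at a mounted image of the suspect
    system (for example root="/mnt/suspect") from a clean machine.
    `exists` is injectable so the logic can be tested without touching
    the real filesystem; os.path.lexists also reports dangling symlinks
    and device nodes, not only regular files.
    """
    found = []
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        if exists(full):
            found.append(p)
    return found


def proc_pids(proc_dir="/proc"):
    """PIDs as the kernel reports them: numeric directory names in /proc."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Parse PIDs from `ps -e -o pid=` output (one right-aligned PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(kernel_pids, ps_pids):
    """PIDs present in the kernel's view but missing from ps output, sorted."""
    return sorted(set(kernel_pids) - set(ps_pids))


def live_hidden_pids():
    """Snapshot /proc, run ps, snapshot /proc again, and report PIDs that
    existed in both snapshots but do not appear in the ps output.

    Two snapshots filter out processes that started or exited while ps
    was running (including ps itself), which would otherwise be false
    positives.
    """
    before = proc_pids()
    result = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True)
    after = proc_pids()
    if result.returncode != 0:
        # A trojaned ps may reject ordinary options, as post #5 reports for ps -A.
        raise RuntimeError("ps exited with status %d: %s"
                           % (result.returncode, result.stderr.strip()))
    return hidden_pids(before & after, parse_ps_pids(result.stdout))


if __name__ == "__main__":
    for p in find_indicator_files(DREAMS_PATHS):
        print("indicator file present:", p)
    for pid in live_hidden_pids():
        print("PID in /proc but not reported by ps:", pid)
```

A non-empty result from either check is a reason to image the disk and rebuild rather than to clean in place; an empty result only says that these particular paths and this particular hiding technique were not seen.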
Well, I'd still be interested in any output you have.