[Nagiosplug-devel] bug?? check_procs (nagios-plugins 1.4.2) 1.46 - 0 processes
Michał Panasiewicz
wolvverine at tarchomin.pl
Wed Feb 15 04:42:02 CET 2006
On Wed, 15-02-2006 at 12:41 +0100, Andreas Ericsson wrote:
> Michał Panasiewicz wrote:
> > [root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C smbd
> > PROCS OK: 0 processes with command name 'smbd'
> > [root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C smbd -vvv | grep smbd
> > SNs 0 1 9972 3488 0.0 smbd smbd -D
> > 0 0 9972 3488 0 1 0,00 SNs .0 smbd smbd -D
> > SN 0 9361 10128 3684 0.0 smbd smbd -D
> > 0 0 10128 3684 0 9361 0,00 SN .0 smbd smbd -D
> > SN 1019 9361 11152 5436 0.4 smbd smbd -D
> > 0 1019 11152 5436 0 9361 0,00 SN .4 smbd smbd -D
> > SN 99 9361 10704 4872 0.0 smbd smbd -D
> > 0 99 10704 4872 0 9361 0,00 SN .0 smbd smbd -D
>
> You've been hacked, and pretty thoroughly, if clumsily, I'd say. First
> of all, pull the network cable. Installing local firewall rules probably
> won't do. Then install new 'find' and 'netstat' utilities on your
> system. Preferably tools that have been pre-compiled on a different,
> trusted, system. Do *not* use a package management tool to install it.
> Then do (as root)
>
> # netstat -tpan | grep smbd
> # find / -type f -name "smbd -D"
>
> The good thing is that the "smbd -D" ssh daemon comes with a lot of
> root-kits, so you're most likely being attacked by script-kids
The system is OK (PLD Linux distribution, www.pld-linux.org).
-D is the argument; smbd is the command:
[root at kuf-serwer ~]# smbd --help
Usage: smbd [OPTION...]
-D, --daemon Become a daemon (default)
[root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C "smbd -D"
PROCS OK: 0 processes with command name 'smbd -D'
[root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -a "smbd -D"
PROCS OK: 8 processes with args 'smbd -D'
[root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -a "smbd"
PROCS OK: 8 processes with args 'smbd'
[root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C "smbd"
PROCS OK: 0 processes with command name 'smbd'
[root at kuf-serwer ~]#
[root at kuf-serwer ~]# netstat --version
net-tools 1.60
netstat 1.42 (2001-04-15)
[root at kuf-serwer ~]# find --version
GNU find wersja 4.2.25
[root at kuf-serwer ~]# /bin/ps axwo 'stat uid ppid vsz rss pcpu comm args' | grep smbd
SNs 0 1 9972 3488 0.0 smbd smbd -D
SN 0 9361 10128 3708 0.0 smbd smbd -D
SN 1019 9361 11152 5436 0.4 smbd smbd -D
SN 99 9361 10704 4884 0.0 smbd smbd -D
RN 1001 9361 12620 6628 0.7 smbd smbd -D
SN 1002 9361 10928 4824 1.2 smbd smbd -D
SN 0 9361 10648 4580 0.1 smbd smbd -D
SN 0 9361 10556 4192 0.1 smbd smbd -D
R+ 0 6457 1788 556 0.0 grep grep smbd
smbd is only an example; for all commands the count is 0:
[root at kuf-serwer ~]# /bin/ps axwo 'stat uid ppid vsz rss pcpu comm args' | grep httpd.prefork
SNs 0 1 28376 11000 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 28780 11668 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 32212 15228 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 32456 15372 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 32216 15208 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 28644 11544 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 28768 11684 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 32852 15676 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
R+ 0 6457 1824 600 0.0 grep grep httpd.prefork
[root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C httpd.prefork
PROCS OK: 0 processes with command name 'httpd.prefork'
--
Michał Panasiewicz
jabber: wolvverine [ at ] chrome [ dot ] pl
e-mail: wolvverine [ at ] tlen [ dot ] pl , wolvverine [ at ] pld-linux [ dot ] org
Need an IT specialist/administrator (Warsaw)? Contact me.
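As an added example, not code from this thread or from nagios-plugins: a small Python parser for the ps column order used in the post (stat uid ppid vsz rss pcpu comm args) that reproduces the two counts the post compares, an exact match on the comm column as -C does and a substring match on args as -a does, and additionally lists processes whose comm does not agree with argv[0], the kind of comm/args disagreement the reply above was reading as a sign of compromise. The pcpu field accepts a decimal comma because the -vvv debug output above prints 0,00 under this host's locale. The sample rows are constructed (a kworker row is included on purpose to show that the mismatch list also contains benign entries and is a review list, not a verdict); the function names are mine.

```python
import re
import subprocess
from os.path import basename

# Constructed sample in the column order used on the page:
#   ps axwo 'stat uid ppid vsz rss pcpu comm args'
# The second row deliberately uses a decimal comma for pcpu, as the
# -vvv debug lines on the page do; the kworker row is a benign
# comm/args mismatch (kernel threads show args in brackets).
SAMPLE_PS = """\
STAT UID PPID VSZ RSS %CPU COMMAND COMMAND
SNs 0 1 9972 3488 0.0 smbd smbd -D
SN 0 9361 10128 3708 0,0 smbd smbd -D
SN 1019 9361 11152 5436 0.4 smbd smbd -D
SNs 0 1 28376 11000 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
SN 51 16289 28780 11668 0.0 httpd.prefork httpd.prefork -f /etc/httpd/apache.conf
S 1001 9361 3000 800 0.0 bash -bash
S 0 2 0 0 0.0 kworker/0:1 [kworker/0:1]
R+ 0 6457 1788 556 0.0 grep grep smbd
"""

# stat uid ppid vsz rss pcpu comm, then everything that remains is args
_ROW = re.compile(
    r"^(?P<stat>\S+)\s+(?P<uid>\d+)\s+(?P<ppid>\d+)\s+(?P<vsz>\d+)\s+(?P<rss>\d+)"
    r"\s+(?P<pcpu>[\d.,]+)\s+(?P<comm>\S+)\s*(?P<args>.*)$"
)


def parse_ps(text):
    """Parse ps rows into dicts. The header line (UID is not numeric) and any
    malformed line are skipped rather than silently producing zero counts."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("uid", "ppid", "vsz", "rss"):
            r[k] = int(r[k])
        # Accept a locale decimal comma ("0,00") as well as "0.00".
        r["pcpu"] = float(r["pcpu"].replace(",", "."))
        rows.append(r)
    return rows


def count_by_command(rows, name):
    """What check_procs -C NAME should count: exact match on the comm column."""
    return sum(1 for r in rows if r["comm"] == name)


def count_by_args(rows, needle):
    """What check_procs -a NEEDLE counts: substring match on the args column."""
    return sum(1 for r in rows if needle in r["args"])


def comm_args_mismatches(rows):
    """Processes whose comm differs from basename(argv[0]).
    Login shells ("-bash") are normalised; kernel threads and renamed
    binaries remain, so treat the result as a list to review by hand."""
    out = []
    for r in rows:
        argv0 = r["args"].split()[0] if r["args"] else ""
        if basename(argv0).lstrip("-") != r["comm"]:
            out.append((r["comm"], r["args"]))
    return out


def live_rows():
    """Run the same ps invocation as the post on the local host (procps keywords)."""
    out = subprocess.run(
        ["ps", "axwo", "stat uid ppid vsz rss pcpu comm args"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_ps(out)


if __name__ == "__main__":
    rows = parse_ps(SAMPLE_PS)
    print("by comm 'smbd':", count_by_command(rows, "smbd"))
    print("by args 'smbd':", count_by_args(rows, "smbd"))
    print("comm/argv[0] mismatches to review:", comm_args_mismatches(rows))
```

On the sample, the comm count for smbd is 3 while the args count is 4 because the grep process's own argument list contains the word, which is the same reason the -a count on the page includes more than the -C count should. Replace `parse_ps(SAMPLE_PS)` with `live_rows()` to run the comparison against a real host.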