[Nagiosplug-devel] bug?? check_procs (nagios-plugins 1.4.2) 1.46 - 0 processes

Michał Panasiewicz wolvverine at tarchomin.pl
Wed Feb 15 04:42:02 CET 2006


On 15-02-2006, Wed at 12:41 +0100, Andreas Ericsson wrote:
> Michał Panasiewicz wrote:
> > [root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C smbd
> > PROCS OK: 0 processes with command name 'smbd'
> > [root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C smbd -vvv | grep smbd
> > SNs      0     1   9972  3488  0.0 smbd            smbd -D
> > 0 0 9972 3488 0 1 0,00 SNs  .0 smbd            smbd -D
> > SN       0  9361  10128  3684  0.0 smbd            smbd -D
> > 0 0 10128 3684 0 9361 0,00 SN  .0 smbd            smbd -D
> > SN    1019  9361  11152  5436  0.4 smbd            smbd -D
> > 0 1019 11152 5436 0 9361 0,00 SN  .4 smbd            smbd -D
> > SN      99  9361  10704  4872  0.0 smbd            smbd -D
> > 0 99 10704 4872 0 9361 0,00 SN  .0 smbd            smbd -D 
> 
> You've been hacked, and pretty thoroughly, if clumsily, I'd say. First
> of all, pull the network cable. Installing local firewall rules probably
> won't do. Then install new 'find' and 'netstat' utilities on your
> system. Preferably tools that have been pre-compiled on a different,
> trusted, system. Do *not* use a package management tool to install it.
> Then do (as root)
> 
>       # netstat -tpan | grep smbd
>       # find / -type f -name "smbd -D"
> 
> The good thing is that the "smbd -D" ssh daemon comes with a lot of 
> root-kits, so you're most likely being attacked by script-kids 

System is OK (PLD linux distribution www.pld-linux.org)

-D is an argument; smbd is the command:
[root at kuf-serwer ~]# smbd --help
Usage: smbd [OPTION...]
  -D, --daemon                       Become a daemon (default)

[root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C "smbd -D"
PROCS OK: 0 processes with command name 'smbd -D'
[root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -a "smbd -D"
PROCS OK: 8 processes with args 'smbd -D'
[root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -a "smbd"
PROCS OK: 8 processes with args 'smbd'
[root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C "smbd"
PROCS OK: 0 processes with command name 'smbd'
[root at kuf-serwer ~]#

[root at kuf-serwer ~]# netstat --version
net-tools 1.60
netstat 1.42 (2001-04-15)
[root at kuf-serwer ~]# find --version
GNU find wersja 4.2.25

[root at kuf-serwer ~]# /bin/ps axwo 'stat uid ppid vsz rss pcpu comm args' | grep smbd
SNs      0     1   9972  3488  0.0 smbd            smbd -D
SN       0  9361  10128  3708  0.0 smbd            smbd -D
SN    1019  9361  11152  5436  0.4 smbd            smbd -D
SN      99  9361  10704  4884  0.0 smbd            smbd -D
RN    1001  9361  12620  6628  0.7 smbd            smbd -D
SN    1002  9361  10928  4824  1.2 smbd            smbd -D
SN       0  9361  10648  4580  0.1 smbd            smbd -D
SN       0  9361  10556  4192  0.1 smbd            smbd -D
R+       0  6457   1788   556  0.0 grep            grep smbd


smbd is only an example; for all commands the result is 0:
[root at kuf-serwer ~]# /bin/ps axwo 'stat uid ppid vsz rss pcpu comm args' | grep httpd.prefork
SNs      0     1  28376 11000  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  28780 11668  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  32212 15228  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  32456 15372  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  32216 15208  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  28644 11544  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  28768 11684  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
SN      51 16289  32852 15676  0.0 httpd.prefork   httpd.prefork -f /etc/httpd/apache.conf
R+       0  6457   1824   600  0.0 grep            grep httpd.prefork
[root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C httpd.prefork
PROCS OK: 0 processes with command name 'httpd.prefork'


-- 
Michał Panasiewicz
jabber: wolvverine [ at ] chrome [ dot ] pl 
e-mail: wolvverine [ at ] tlen [ dot ] pl , wolvverine [ at ] pld-linux [ dot ] org
Need an IT specialist/administrator (Warsaw)? Contact me
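The -vvv lines quoted at the top of this message print pcpu as "0,00" and the command name as ".0", with the real command name pushed into the args column. One reading consistent with that output (an assumption here, not something the thread confirms) is that a scanf-style parse of the pcpu field stops at the "." when the process runs under a locale whose decimal separator is a comma, so the following %s conversion takes ".0" as the command name. The Python below is an added illustration, not code from the thread or from nagios-plugins: it emulates such a scan over the ps lines pasted above and shows how the command-name count (-C) drops to 0 while the argument match (-a) still finds 8, exactly the pair of results reported. The function names, the `decimal_sep` parameter and the field layout are this example's own.

```python
import re

# ps output copied from the post above; used here as constructed sample
# input. The last line is the pipeline's own grep.
PS_OUTPUT = """\
SNs      0     1   9972  3488  0.0 smbd            smbd -D
SN       0  9361  10128  3708  0.0 smbd            smbd -D
SN    1019  9361  11152  5436  0.4 smbd            smbd -D
SN      99  9361  10704  4884  0.0 smbd            smbd -D
RN    1001  9361  12620  6628  0.7 smbd            smbd -D
SN    1002  9361  10928  4824  1.2 smbd            smbd -D
SN       0  9361  10648  4580  0.1 smbd            smbd -D
SN       0  9361  10556  4192  0.1 smbd            smbd -D
R+       0  6457   1788   556  0.0 grep            grep smbd
"""


def _take(pattern, rest):
    """Consume one scanf-style conversion from the front of `rest`."""
    m = re.match(pattern, rest)
    if not m:
        raise ValueError("cannot scan %r from %r" % (pattern, rest))
    return m.group(1), rest[m.end():]


def scan_line(line, decimal_sep="."):
    """Emulate a 'stat uid ppid vsz rss pcpu comm args' scan of one ps line.

    The %f conversion is emulated with a locale-dependent decimal separator
    (assumption: this mirrors how a C scanf behaves after setlocale). With
    decimal_sep="," the scan of "0.0" stops after "0", the unread ".0" is
    then taken by the %s for comm, and the real command name lands in args.
    """
    rest = line.rstrip("\n")
    stat, rest = _take(r"\s*(\S+)", rest)
    uid, rest = _take(r"\s*(\d+)", rest)
    ppid, rest = _take(r"\s*(\d+)", rest)
    vsz, rest = _take(r"\s*(\d+)", rest)
    rss, rest = _take(r"\s*(\d+)", rest)
    num = r"\s*(\d+(?:" + re.escape(decimal_sep) + r"\d*)?)"
    pcpu, rest = _take(num, rest)
    comm, rest = _take(r"\s*(\S+)", rest)
    return {
        "stat": stat, "uid": int(uid), "ppid": int(ppid),
        "vsz": int(vsz), "rss": int(rss),
        "pcpu": float(pcpu.replace(decimal_sep, ".")),
        "comm": comm, "args": rest.strip(),
    }


def count_processes(ps_text, command=None, args_substr=None, decimal_sep="."):
    """Count processes the way -C (exact command name) and -a (argument
    substring) do, over captured ps output, under the given scan locale."""
    count = 0
    for line in ps_text.splitlines():
        if not line.strip():
            continue
        # Skip the pipeline's own grep, as the plugin skips its own pid.
        if line.split()[6] == "grep":
            continue
        proc = scan_line(line, decimal_sep)
        if command is not None and proc["comm"] != command:
            continue
        if args_substr is not None and args_substr not in proc["args"]:
            continue
        count += 1
    return count


if __name__ == "__main__":
    for sep in (".", ","):
        print("decimal separator %r: -C smbd -> %d, -a 'smbd -D' -> %d" % (
            sep,
            count_processes(PS_OUTPUT, command="smbd", decimal_sep=sep),
            count_processes(PS_OUTPUT, args_substr="smbd -D", decimal_sep=sep)))
```

The practical check this suggests for a monitoring host is to compare `check_procs -C name -vvv` against `ps` for the same name and, if the verbose command-name column shows numeric fragments rather than the program name, to inspect the locale the plugin runs under (the NRPE or Nagios service environment, not the interactive shell).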
