List: gentoo-sparc
Subject: RE: [gentoo-sparc] Interesting incident involving Gentoo hardened linux
From: "Andrew Ruef" <munin () speakeasy ! net>
Date: 2005-06-29 22:27:36
Message-ID: 200506292226.j5TMQmkF027801 () robin ! gentoo ! org
Interestingly enough, there are entries in my syslog along the following lines:
sshd[253]: syslogin_perform_logout: logout() returned an error
There appears to be one of these for every logout action taken by a user...
This is strange. Could this maybe produce starvation of a resource
indicating when / which users are logged in if it creates a host of undead
not-quite-logged-in users?
(really sounds like I'm grasping for straws. Sigh)
--Andrew Ruef
-----Original Message-----
From: Andrew Ruef [mailto:munin@speakeasy.net]
Sent: Wednesday, June 29, 2005 5:20 PM
To: gentoo-sparc@lists.gentoo.org
Subject: RE: [gentoo-sparc] Interesting incident involving Gentoo hardened
linux
No... due to piss poor administration and that it's a Gentoo box those md5's
don't exist. Although the strange thing is, after sshd has been restarted
everything works fine...
I think I'm reaching for straws but it was as if sshd wasn't forking a bash
shell properly. Users could enter into their shell's entry in /proc, it just
wasn't being displayed in 'w' or 'ps'....
This just sounds bad the more I think about it.
I'm going to try and reproduce the bug, if it can be...
--Andrew Ruef
-----Original Message-----
From: Gary [mailto:gary@linuxforce.org]
Sent: Wednesday, June 29, 2005 4:50 PM
To: gentoo-sparc@lists.gentoo.org
Subject: Re: [gentoo-sparc] Interesting incident involving Gentoo hardened
linux
On Wed, 29 Jun 2005, Andrew Ruef wrote:
> Took the system down to init 1 and checked it out for any signs of foul
> play, found none. No anomalous behavior in the logs, nothing weird that
> grsec reported. Nothing in the NIDS logs of the attached system..
Did you do an MD5 comparison between the 'ps' command on your box and a
known good binary? That sounds like a trojaned ps binary or something
amiss in the kernel.
> But still... anyone else seen this behavior?
--
gentoo-sparc@gentoo.org mailing list
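
The two checks discussed in this thread, as an added example that is not part of the original messages: a cross-view of the PIDs under /proc against what the ps binary reports, plus a digest of that binary to compare with a known-good copy. The function names, the /bin/ps path and the procps-style `ps -e -o pid=` invocation are assumptions.

```python
import hashlib
import os
import subprocess


def proc_pids(proc_root="/proc"):
    """PIDs that have a numeric directory under proc_root."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def parse_ps(text):
    """Turn the output of `ps -e -o pid=` into a set of PIDs."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def ps_pids(ps_path="/bin/ps"):
    """PIDs reported by the ps binary under test (path is an assumption)."""
    out = subprocess.run([ps_path, "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


def unlisted(before, reported, after):
    """PIDs in /proc both before and after ps ran, yet absent from its output.
    Requiring both snapshots filters processes that started or exited mid-check."""
    return sorted((before & after) - reported)


def file_digest(path, algo="md5"):
    """Digest of a binary, for comparison with one taken from trusted media."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    before = proc_pids()
    reported = ps_pids()
    after = proc_pids()
    for pid in unlisted(before, reported, after):
        print(f"PID {pid} is in /proc but ps did not report it")
    print("ps md5:", file_digest("/bin/ps"))
```

Run it as root so that /proc restrictions do not hide other users' processes from the check itself. A clean result only shows that ps and the /proc listing agree; it says nothing if both views are filtered in the kernel.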