
List:       gentoo-sparc
Subject:    RE: [gentoo-sparc] Interesting incident involving Gentoo hardened linux
From:       "Andrew Ruef" <munin () speakeasy ! net>
Date:       2005-06-29 22:27:36
Message-ID: 200506292226.j5TMQmkF027801 () robin ! gentoo ! org

Interestingly enough, there are entries in my syslog along the following: 

sshd[253]: syslogin_perform_logout: logout() returned an error 

There appears to be one of these for every logout action taken by a user... 

This is strange. Could this maybe produce starvation of a resource
indicating when / which users are logged in if it creates a host of undead
not-quite-logged-in users? 

(really sounds like I'm grasping for straws. Sigh) 

--Andrew Ruef 

-----Original Message-----
From: Andrew Ruef [mailto:munin@speakeasy.net] 
Sent: Wednesday, June 29, 2005 5:20 PM
To: gentoo-sparc@lists.gentoo.org
Subject: RE: [gentoo-sparc] Interesting incident involving Gentoo hardened
linux

No... due to piss poor administration and that it's a Gentoo box those md5's
don't exist. Although the strange thing is, after sshd has been restarted
everything works fine... 

I think I'm reaching for straws but it was as if sshd wasn't forking a bash
shell properly. Users could enter into their shell's entry in /proc, it just
wasn't being displayed in 'w' or 'ps'....

This just sounds bad the more I think about it. 

I'm going to try and reproduce the bug, if it can be...

--Andrew Ruef

-----Original Message-----
From: Gary [mailto:gary@linuxforce.org] 
Sent: Wednesday, June 29, 2005 4:50 PM
To: gentoo-sparc@lists.gentoo.org
Subject: Re: [gentoo-sparc] Interesting incident involving Gentoo hardened
linux

On Wed, 29 Jun 2005, Andrew Ruef wrote:
> Took the system down to init 1 and checked it out for any signs of foul
> play, found none. No anomalous behavior in the logs, nothing weird that
> grsec reported. Nothing in the NIDS logs of the attached system..

Did you do an MD5 comparison between the 'ps' command on your box and a 
known good binary?  That sounds like a trojaned ps binary or something 
amiss in the kernel.

> But still... anyone else seen this behavior?

-- 
gentoo-sparc@gentoo.org mailing list
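
Added example, not part of the original thread: a cross-view check for the two things discussed above, processes that have a /proc entry but are missing from 'ps' output, and a digest comparison of the 'ps' binary against a known-good value. The function names and the "ps" lookup on PATH are assumptions of this sketch; the known-good digest has to come from trusted media.

```python
import hashlib
import os
import subprocess
import sys

def proc_pids(proc_root="/proc"):
    """PIDs as the kernel exposes them: numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def ps_pids(ps_path="ps"):
    """PIDs as reported by the ps binary under test (assumed to be on PATH)."""
    out = subprocess.run([ps_path, "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_from_ps(proc_view, ps_view, still_alive=lambda pid: True):
    """PIDs present in /proc but absent from ps.

    still_alive is called on each candidate so that processes which simply
    exited between the two snapshots are not reported.
    """
    return sorted(pid for pid in proc_view - ps_view if still_alive(pid))

def file_digest(path, algo="md5"):
    """Hex digest of a file, read in chunks. MD5 is the default only because
    the thread asks for an MD5 comparison; pass algo="sha256" if available."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def binary_matches(path, known_good_hex, algo="md5"):
    """True if the file's digest equals the known-good value (case-insensitive)."""
    return file_digest(path, algo) == known_good_hex.strip().lower()

if __name__ == "__main__":
    # Usage: script.py /bin/ps <known-good-md5>   (both arguments optional)
    snapshot = proc_pids()            # take the /proc view first
    reported = ps_pids()              # then ask ps
    alive = lambda pid: os.path.isdir("/proc/%d" % pid)
    for pid in hidden_from_ps(snapshot, reported, alive):
        print("PID %d is in /proc but not in ps output" % pid)
    if len(sys.argv) == 3:
        ok = binary_matches(sys.argv[1], sys.argv[2])
        print("%s digest %s" % (sys.argv[1], "matches" if ok else "DIFFERS"))
```

A clean result only clears the userland 'ps' binary: if the kernel itself is tampered with, /proc is not a trustworthy view either, so the comparison is best run with tools from known-good media.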

