Re: inittab hack ?

From: /dev/rob0 (rob0_at_gmx.co.uk)
Date: 01/28/04


Date: Wed, 28 Jan 2004 13:53:18 -0800

In article <b2nd10933hklnv7mtv9no3g6olt1g7atls@4ax.com>, mickey wrote:
> I found this strange entry in my inittab
>
> lfd:2345:respawn:/usr/sbin/vbox/sshd 1> /dev/null 2> /dev/null

What is this "vbox"? I've never seen it before. Is it something you
installed?

> I'm using redhat 7.3 with:

I don't have that; no way to check to see if it's normal.

> jan 26 13:50:38 micas kernel: request_module[net-pf-14]:
> waitpid(11781,...) failed, errno 512
>
> Jan 26 13:50:38 micas modprobe: modprobe: Can't locate module
> net-pf-14

http://www.losurs.org/docs/tips/general/net-pf-list

> Jan 26 23:45:01 micas init: Id "lfd" respawning too fast: disabled for
> 5 minutes

For some reason this daemon /usr/sbin/vbox/sshd is unable to start. If
it's a rootkit you're lucky. But at least one of your running services
has a serious problem which allowed someone to install a rootkit.

> any thoughts ?

I have no idea, really. The rootkit comments are not applicable if YOU
installed this thing (or something you installed did it.) File
timestamps might give you clues if you don't remember. (Check timestamps
on inittab, /usr/sbin/vbox and the files in it.)

-- 
  /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
  or put "not-spam" or "/dev/rob0" in Subject header to reply
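
The checks suggested in the reply above, as an added example that is not part of the original post: it parses sysvinit `inittab` entries, flags ones like the `lfd` line, and collects timestamps for the files worth comparing. The `STANDARD_DIRS` list and every sample line except `lfd` are assumptions constructed for illustration.

```python
import os
import time

# Assumption: directories a Red Hat-style sysvinit system normally starts programs from.
STANDARD_DIRS = {"/sbin", "/bin", "/usr/sbin", "/usr/bin", "/etc/rc.d"}

# Constructed sample; only the "lfd" line is taken from the post above.
SAMPLE = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
lfd:2345:respawn:/usr/sbin/vbox/sshd 1> /dev/null 2> /dev/null
"""

def parse_inittab(text):
    """Return (id, runlevels, action, process) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(":", 3)  # the process field may itself contain ':'
            if len(parts) == 4:
                entries.append(tuple(parts))
    return entries

def review(entry):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    _ident, _levels, action, process = entry
    tokens = process.lstrip("+").split()  # a leading '+' only skips utmp/wtmp accounting
    reasons = []
    if tokens and os.path.dirname(tokens[0]) not in STANDARD_DIRS:
        reasons.append("program outside the usual directories: " + tokens[0])
    if action == "respawn" and "/dev/null" in process:
        reasons.append("respawned with its output discarded")
    return reasons

def timestamps(paths):
    """Map each existing path to (mtime, ctime) strings; missing paths map to None."""
    # mtime can be reset with touch(1); ctime moves on any inode change, so compare both.
    result = {}
    for path in paths:
        st = os.lstat(path) if os.path.lexists(path) else None
        result[path] = (time.ctime(st.st_mtime), time.ctime(st.st_ctime)) if st else None
    return result

if __name__ == "__main__":
    for entry in parse_inittab(SAMPLE):
        print(entry[0], review(entry))
    print(timestamps(["/etc/inittab", "/usr/sbin/vbox", "/usr/sbin/vbox/sshd"]))
```

On a system suspected of compromise, run this from trusted media against the mounted disk, since the installed `python`, `ls` and `stat` may themselves have been replaced.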

