Interesting Behavior

plug@arcticmail.com
Sat, 28 Oct 2000 00:35:16 -0700


It could be any number of things, but the
first instinct of my JLF instantiation[1]
feels that your box has been cracked.

The fact that it doesn't permit console
logins, only ssh, (assuming that you
didn't intentionally configure your box
this way (JLF mode)) could POSSIBLY be a
configuration problem (e.g., PAM) or
something else, but I would suspect a
trojan sshd.  I would monitor[2] (from
a separate, pristine system) the network
traffic of the suspect box while you're
initially ssh'ing into it and supplying
your password.  If you see traffic between
the suspect box and St. Petersburg...
Of course, SmartTrojan(TM) would store
your password and sleep(3) (or wait to
be tickled by the cracker) before
transmitting.  StupoTrojan(R) would
immediately transmit your cleartext
password via mail.


D

[1] It's *NOT* paranoia if they're really
    out to get you.

[2] Quickly!  Before this type of activity
    becomes a treaty violation!


* On Thu, Oct 26, 2000 at 10:05:20AM -0700, Colin Ansel Rasor wrote:
> I have been noticing some things that are very interesting to me
> that I am not able to decipher. I have been having a lot of
> segmentation faults. Last night I had a seg fault with the "passwd"
> program, today a seg fault with "mount". Any pointers in the right
> direction on how to handle this would be great. This machine has run
> headless for a few months; then today I plugged a monitor and
> keyboard into it and it won't let anybody log into it from the console,
> only through ssh. I also have not been seeing any connection DENYs
> from IPCHAINS, and I usually see at least 35 a day.
> 
> [root@millworknet /]# ps ax | grep 725
>  1053 pts/0    S      0:00 grep 725
> [root@millworknet /]# locate tss.cr3
> [root@millworknet /]#   
> [root@millworknet /]# uname -r
> 2.2.12-20 
> Unable to handle kernel NULL pointer dereference at virtual address 00000004
> current->tss.cr3 = 00f11000, %cr3 = 00f11000
> *pde = 00000000
> Oops: 0000
> CPU:    0
> EIP:    0010:[<c2025be1>]
> EFLAGS: 00010286
> eax: 00000000   ebx: c1775600   ecx: c05d6000   edx: c05d7ea4
> esi: c05d7de8   edi: c05d7de4   ebp: 00000801   esp: c05d7d18
> ds: 0018   es: 0018   ss: 0018
> Process mount (pid: 725, process nr: 36, stackpage=c05d7000)
> Stack: c05d7de4 00000801 00001770 00000005 00000000 00000000 00000001 00000801
>        c05d7d40 00000000 c20266b9 00000000 c05d7de4 c05d7de8 c05d7dec c05d7ea4
>        c05d7e58 c05d7df0 c0eea800 00000801 00000000 00000801 00000001 c177544a
> Call Trace: [<c20266b9>] [<c01f08f1>] [<c01e9eb5>] [<c011386d>] [<c01e478f>] [<c0130c3c>] [<c202dfc0>]
>        [<c202e380>] [<c202e280>] [<c012d66c>] [<c012db09>] [<c202e05e>] [<c012e024>] [<c202e05e>] [<c202e280>]
>        [<c0109fac>]
> Code: 66 8b 40 04 66 89 42 04 8a 42 0e 88 c1 80 e1 f0 88 4a 0e 66
> Thanks 
> Colin Ansel Rasor
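The reply above suggests watching the suspect box's network traffic from a separate, pristine system while logging in over ssh, to see whether anything leaves the machine around the moment the password is supplied. The script below is an added illustration of that check and is not code from either poster. It parses capture lines in tcpdump's `-n -tttt` text format (the sample lines, the addresses 192.0.2.50 for the suspect host and 192.0.2.10 for the monitoring/admin host, and the login time are all constructed) and reports every destination the suspect host itself initiated traffic to, other than the admin host, inside a window after the login. The window is deliberately a parameter: as the reply notes, a trojan that sleeps before phoning home will only show up if you keep capturing well past the login.

```python
"""Flag outbound traffic from a suspect host around an SSH login.

Added example, not code from the original thread.  Capture lines are
constructed in tcpdump "-n -tttt" text format; all addresses and times
are assumed example values.
"""
import re
from datetime import datetime, timedelta

# One tcpdump line: "YYYY-MM-DD HH:MM:SS.ffffff IP src.sport > dst.dport: ..."
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Constructed capture: the admin host (192.0.2.10) logs into the suspect
# host (192.0.2.50) on port 22; six seconds later the suspect host opens
# an SMTP connection to an unrelated address, and hours later an IRC one.
SAMPLE_CAPTURE = """\
2000-10-28 00:35:10.100000 IP 192.0.2.10.40112 > 192.0.2.50.22: Flags [S], seq 1, win 32120, length 0
2000-10-28 00:35:10.100500 IP 192.0.2.50.22 > 192.0.2.10.40112: Flags [S.], seq 1, ack 2, win 32120, length 0
2000-10-28 00:35:16.250000 IP 192.0.2.50.1027 > 198.51.100.7.25: Flags [S], seq 9, win 32120, length 0
2000-10-28 00:35:16.400000 IP 192.0.2.50.1027 > 198.51.100.7.25: Flags [P.], seq 10:140, ack 1, win 32120, length 130
2000-10-28 00:36:02.000000 IP 192.0.2.50.22 > 192.0.2.10.40112: Flags [P.], seq 200:260, ack 300, win 32120, length 60
2000-10-28 03:12:44.000000 IP 192.0.2.50.1031 > 203.0.113.9.6667: Flags [S], seq 77, win 32120, length 0
""".splitlines()

SUSPECT_HOST = "192.0.2.50"   # assumed address of the box under suspicion
ADMIN_HOST = "192.0.2.10"     # assumed address of the pristine monitoring system
LOGIN_AT = datetime(2000, 10, 28, 0, 35, 10)  # constructed: when ssh was started


def parse_line(line):
    """Return (timestamp, src, sport, dst, dport) for an IP line, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return (ts, m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")))


def unexpected_flows(lines, suspect, admin_host, login_at,
                     window=timedelta(minutes=10)):
    """Distinct (dst, dport) pairs the suspect host sent to, excluding the
    admin host, between login_at and login_at + window, in first-seen order.

    Traffic the suspect box initiates while the password is in flight is
    what a credential-stealing sshd would produce.  Flows after the window
    are ignored, so widen it (or keep capturing) to catch a trojan that
    sleeps before transmitting.
    """
    seen = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # ARP and other non-IP lines
        ts, src, _sport, dst, dport = parsed
        if src != suspect or dst == admin_host:
            continue                      # not initiated by the suspect, or just our own session
        if not (login_at <= ts <= login_at + window):
            continue
        if (dst, dport) not in seen:
            seen.append((dst, dport))
    return seen


def report(window=timedelta(minutes=10)):
    """Run the check over the constructed capture with the assumed hosts."""
    return unexpected_flows(SAMPLE_CAPTURE, SUSPECT_HOST, ADMIN_HOST,
                            LOGIN_AT, window)


if __name__ == "__main__":
    for dst, dport in report():
        print(f"suspect host contacted {dst} port {dport} during login window")
    for dst, dport in report(timedelta(hours=6)):
        print(f"within six hours: {dst} port {dport}")
```

On the constructed capture, the ten-minute window reports only the SMTP connection to 198.51.100.7 (the case the reply calls a trojan that mails the cleartext password immediately); widening the window to six hours also surfaces the later connection to 203.0.113.9 port 6667, the case where the trojan sleeps first. Run tcpdump on the pristine system, not on the suspect box, since a compromised host can lie about its own traffic.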