I am going to treat
this as a rooted box and reinstall from scratch, but any thoughts
This is a Trixbox
Server based on Centos, running kernel 2.6.18-53.1.4.el5
The phone system
stopped working but this was traced to a configuration error with a replacement
switch (it did not get added to the vlan properly), which meant that Trixbox
could not see any DNS servers and this b0rks TB.
debugging I went to reboot the server and got the following:
I have run rkhunter,
which turns up nothing
If have forced a
filesystem check - all clean
I have checked the
logs and history file and*cannot see anything
The server is behind
a hardware firewall and the only ports open are those needed for RTP, IAX2 and
SIP - there is no other public access and no user accounts.
Having fixed the
vlan issue, Asterisk is running fine.
/dev/kmem, but it's missing at subsequent reboots.
I have Googled many
references to the IDT table problem being associated with the SuckIT rootkit,
but I can find no evidence that it's installed.
OK, bearing in mind
that I will go ahead and reinstall the server (no biggie as I have Trixbox
config backups and installing TB is not a big task), I just wanted to check
whether there were any IDT table issues that may *NOT* be rootkit related and if
there are any simple fixes I can try on the box while it's isolated on the
In the other
direction, has anyone seen this type of behaviour with any rootkit that is not
detected by rkhunter and doesn't leave any obvious footprints? Anything to look
CentOS mailing list