System out of control - hacked I guess...?

paul matthijsse · #1 25th January 2007, 12:26 PM

Hello,

Little problem here, I have no longer control over my machine (FC 6). This happened after clicking on a bittorrent link (yep, somewhere deep down in the underground area...). What happens is that modprobe is running and takes up all the cpu. Can't kill that process anymore (tried that as su as well of course).

Rkhunter and chkrootkit do not find suspect things (except that rkhunter gives a lot of BAD messages in the beginning, but I saw that before. Has to do with out of date hashes or something). Firewall is on, no trusted ports selected, I added this morning 6881 udp/tcp as extra ports for the bittorrent client, don't see them anymore now... SELinux is off.

Attached are screendumps of top, rkhunter and chkrootkit. What's that MD5 problem in the rkhunter dump?

Any ideas what to do?

TIA, Paul.

PS. For the moment I did not reboot, because I am not sure that's the solution (and my uptime is 18 days, want to keep that! :-)

leigh123linux · #2 25th January 2007, 12:30 PM

reboot____________

paul matthijsse · #3 25th January 2007, 01:04 PM

I had to reboot indeed, because suspend didn't work as usual. Monitor went down but the machine stayed up, including the jamming cpu fan. Now the problem is over. I looked in the sys logs but couldn't find anything releated.

Question remains what this was...

Thanks for answering.

Cheers, Paul.

PS. My uptime is now 0d0h22m :-)

leigh123linux · #4 25th January 2007, 01:15 PM

I dont think you have been hacked.

Did you start modprobe

paul matthijsse · #5 25th January 2007, 01:34 PM

No, I didn start modprobe myself. I saw immediately after the download began, that my cpu went to 100% and top said it was modprobe doing that. As said, I was unable to kill it. man modprobe told me that it is a program to add and remove modules from the Linux kernel. Was someone trying to remove some security or logging stuff from the kernel?

leigh123linux · #6 25th January 2007, 01:44 PM

Quote:

Originally Posted by paul matthijsse

No, I didn start modprobe myself. I saw immediately after the download began, that my cpu went to 100% and top said it was modprobe doing that. As said, I was unable to kill it. man modprobe told me that it is a program to add and remove modules from the Linux kernel. Was someone trying to remove some security or logging stuff from the kernel?

It's more likely a error in FC6 , did you update in the 18 days uptime

paul matthijsse · #7 25th January 2007, 01:52 PM

yes I did upgrade some things. Since 4 january:
* cairo
* gtk2
* gtk2-devel
* hddtemp
* evolution
* cpuspeed
* gimp-print
* lm_sensors
* gettext

Not really modprobe related isn't it?

leigh123linux · #8 25th January 2007, 01:58 PM

I am not sure but cpuspeed can load modules

http://carlthompson.net/Software/CPUSpeed