Unknown HZ value! (##) Assume 100 -- You've been hacked!
On RHEL or CentOS 4 or 5, if you run the Linux command top and you see something like:
"Unknown HZ value! (75) Assume 100"
Yours might not say "75" -- it could be any number.
If you see this, you should run rkhunter immediately, because your box has probably been taken over by a rootkit -- either SHV4 or SHV5.
You see the "Unknown HZ value" clue only because the rootkit replaces the top command (among others) with a substitute top command that hides its processes. Their replacement top is old (version 1.2) and cannot handle the HZ value of the 2.6 Linux kernel.
Sad to say, but if this happens to you, it's time to reinstall your OS!
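A triage sketch for the symptom described above, added here as an example and not part of the original post: it pulls the number out of the warning and filters `rpm -V` output for missing or content-changed files. The function names and the `top -b -n 1` invocation are assumptions, and a rootkit that replaces top can also tamper with rpm, so a clean result is inconclusive.

```shell
#!/bin/sh
# Added example: triage helpers for the "Unknown HZ value" symptom.
# Assumes an RPM-based host (RHEL/CentOS), as in the post.

# Read text on stdin; if it contains "Unknown HZ value! (N) Assume 100",
# print N and return 0. Return 1 when the warning is absent.
hz_warning_value() {
    sed -n 's/.*Unknown HZ value! (\([0-9][0-9]*\)) Assume 100.*/\1/p' |
        head -n 1 | grep .
}

# Read `rpm -V` output on stdin; print files that are missing or whose
# content digest differs (a "5" in the third flag column).
# Config files (attribute marker "c") are skipped: they change legitimately.
changed_binaries() {
    awk '$2 == "c"               { next }
         $1 == "missing"         { print $NF; next }
         substr($1, 3, 1) == "5" { print $NF }'
}

# Live check: capture what top writes to stderr, then verify the package
# that owns the top binary against the RPM database.
# Assumption: the installed top accepts -b -n 1 (batch mode, one pass).
check_live() {
    top_bin=$(command -v top) || return 2
    if n=$("$top_bin" -b -n 1 2>&1 >/dev/null | hz_warning_value); then
        echo "WARNING: $top_bin printed Unknown HZ value ($n)"
    fi
    echo "Files failing rpm verification for the package owning $top_bin:"
    rpm -Vf "$top_bin" | changed_binaries
}

# Run the live check only when asked: sh thisfile.sh live
if [ "${1:-}" = "live" ]; then
    check_live
fi
```

Run it with the argument `live` on the suspect host, preferably with rpm and awk taken from trusted rescue media.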
Using unhide with rkhunter
Unhide is a program that will detect hidden processes on your system. It is a good complement to rkhunter (a rootkit scanner for Linux and Unix). Rkhunter will make use of unhide if you have unhide installed on your system. Here is a little tutorial on how to do it (I assume you have rkhunter already installed and configured, and are familiar with its use):
1. Download unhide and unpack in a temporary directory.
2. If you are using Linux with a 2.6 kernel, create the executable by running the command:
gcc -Wall -o unhide unhide-linux26.c
3. If you are running any other kernel, run this command:
gcc -Wall -o unhide unhide.c
4. Copy the executable to a place where rkhunter can find it:
cp unhide /usr/local/bin/
5. Rerun rkhunter --propupd (so that unhide will not throw a warning in rkhunter!)
6. That's it! The next time you run rkhunter, it will discover and make use of unhide.
30.09.2007. 13:28
How do I use .htaccess to block or drop an IP address that is attacking my server?
If you want to deny access to a specific IP address, you can add the following to your .htaccess file in the root directory of your web site:
order allow,deny
deny from 64.38.244.72
allow from all
This example shows how to deny access to the IP address 64.38.244.72.