Morgan Systems
Development Notes and Bugfixes

Got bogus unix line

UML Utilities/missing kernel hooks cause misleading error

Warning, Got Bogus UNIX Line
Re: netstat returns "warning, got bogus unix line."
Resolution: stop uml-utilities
10/05/2005

Quick update. After my next boot I found the problem was back. I stopped uml-utilities and the problem went away. I don't think I added the UML hooks into the kernel the last time I compiled it, and I now suspect this error is related to that condition. (I have UML on another box with the kernel hooks in place, and it does not throw the same error with netstat.)


Resolution: Re-install debian package uml-utilities
09/26/2005

This note is more a footnote than anything, and it really doesn't answer the question "Why am I getting this error?"

A little background. A few weeks ago I noticed a series of "warning, got bogus unix line." messages in my daily cron job's emails. Too busy, I ignored them for a while. Eventually I took the time to do a little investigating. After some checking, I discovered the line was coming from chkrootkit. This made me pay attention, so I dug in further. I Googled a bit and found numerous references to virus-infected systems with rootkits installed. What differed in my situation was that chkrootkit wasn't saying anything about a virus; it was saying "got bogus unix line."

So I read the man page for chkrootkit in greater detail and found the "-d" parameter (debug mode). I ran it this way and found it was running netstat when it got the "bogus unix line" message. I tried running netstat by itself:

netstat -anp

and found I consistently got the "bogus" message. What was not consistent was where it appeared in the listing. This was confusing. It also made me nervous. What if my server was compromised, and the virus was smart enough to hide itself from my netstat inquiries? After a little experimenting, I found I didn't get the "bogus" message using

netstat -an --tcp

or using

netstat -an --udp

More Googling turned up a copy of the netstat source code, which showed that the "got bogus unix line" message only applies to unix domain sockets, not to TCP or UDP. After more experimenting I finally stumbled on

netstat -anp --unix 2>&1 | grep bogus

which returned consistent results, and the culprit was uml-utilities!

Armed with consistent results from netstat, I turned uml-utilities off using

/etc/init.d/uml-utilities stop

and ran the netstat command again. No error! I turned it back on, ran the netstat command, and the error re-appeared.

So, the resolution was to re-install the package, using

apt-get install --reinstall uml-utilities

Once reinstalled, I started uml-utilities and tried netstat again. No error!

I have neglected to mention that this is a Debian sarge installation using a 2.6.9 kernel.
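As an added example (not code from the original post), here is a small POSIX shell checker that applies the same idea from the defender's side: netstat builds its --unix listing from /proc/net/unix, so a line in that table that does not split into the expected columns is what produces the warning. The column check below is my own approximation of netstat's parse, not its exact code, and the sample table used in the comments is constructed.

```shell
#!/bin/sh
# Added example: list the lines of a /proc/net/unix-style table that would not
# parse into the expected columns, so the malformed socket entry behind a
# "warning, got bogus unix line." can be found without trusting the listing.
#
# Column layout of /proc/net/unix (first line is a header):
#   Num RefCount Protocol Flags Type St Inode Path
#   <hex>: <hex> <hex> <hex> <hex> <hex> <decimal> [path]
# The check is an approximation of netstat's parse: a line is "bogus" when it
# has fewer than seven columns or when one of the first seven is not the
# number type the layout calls for. The optional path is not inspected.

# Print every malformed line prefixed with its line number.
# $1 is the table file; defaults to the live /proc/net/unix.
bogus_unix_lines() {
    awk '
        function ishex(s) { return s ~ /^[0-9a-fA-F]+$/ }
        NR == 1 { next }                    # column header
        NF < 7  { print NR ": " $0; next }  # too few columns to parse
        !($1 ~ /^[0-9a-fA-F]+:$/ && ishex($2) && ishex($3) && ishex($4) &&
          ishex($5) && ishex($6) && $7 ~ /^[0-9]+$/) { print NR ": " $0 }
    ' "${1:-/proc/net/unix}"
}

# Echo the number of malformed lines; 0 means netstat --unix should stay quiet.
count_bogus_unix_lines() {
    bogus_unix_lines "$1" | wc -l | tr -d ' '
}

# Finding the owner of a flagged line: its Inode column (seventh field) appears
# as "socket:[INODE]" among the symlinks under /proc/*/fd of the process that
# holds the socket, e.g.  ls -l /proc/*/fd 2>/dev/null | grep 'socket:\[12345\]'
```

Run with no argument on a live system to inspect the real table; the sample below is only a constructed stand-in.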

I hope this saves at least one other person 1) the worry of thinking their server has been compromised, and 2) the time spent tracking it down! If you find this helpful, please take a moment to drop me a message.

Comments

Date :  9/10/2011 9:34:04 AM
Name :  Robert
Comments :  Thanks, this saved me a lot of digging

Date :  3/19/2010 7:15:57 AM
Name :  lefty.crupps
Comments :  I was also getting that line with a run of netstat, running Debian Sid (getting to be Debian 6). The reinstall of uml-utilities and its restart has also fixed this for me.

Date :  9/10/2009 12:28:21 AM
Name :  John
Comments :  4 years later, your post just saved my day too! Exact same symptoms, exact same solution! Thanks!!

Date :  1/26/2009 12:44:01 PM
Name :  Kunthar
Comments :  Thank you very much man. You saved my day :) Peace

Date :  12/7/2008 4:13:15 AM
Name :  Richar
Comments :  Thanks!

Date :  11/13/2006 6:48:40 AM
Name :  Lee Wilding
Comments :  Very useful. Thank you

Date :  3/28/2006 3:19:03 PM
Name :  cryptomail
Comments :  1) thank goodness for google 2) thank goodness for your information

Date :  3/7/2006 2:57:30 AM
Name :  Peter
Comments :  Your information was very helpful. Got exactly the same thing! Strange anyway ...

Date :  12/29/2005 12:18:03 AM
Name :  Sebastian Fischer
Comments :  I found the same error with tiger, but not with netstat and not with chkrootkit. Your information stops the panic that the servers are cracked. Thanks from Belgium. Sebastian Fischer
