Morgan Systems
Find 
 
Home
IT Services
Web Hosting
Tools
Contact Us
Client Services
Back
  
  Development Notes and Bugfixes  
   

Select Article
We burn the midnight oil so you don't have to.
 
 
Overview
  
 
Acidlab Fix PHP 5.05
  
 
Bind Bad transfer
  
 
eGroupWare IMAPS
  
 
Got bogus unix line
  
 
.Net Alignment
  
 
OverLib IE Select
  
 
OWC SQL OleDB Error
  
 
POP Before SMTP/Whoson
  
 
ZMailer Web Tools
  






 

Got bogus unix line

UML Utilities/missing kernel hooks cause misleading error

Warning, Got Bogus UNIX Line
Re: netstat returns "warning, got bogus unix line."
Resolution: stop uml-utilities
10/05/2005

Quick update. After my next boot I found the problem is back. I stopped uml-utilities and the problem went away. I don't think I added uml hooks into the kernel the last time I compiled it. I now suspect this error is related to that condition. (I have UML on another box, with the kernel hooks in place and it does not throw the same error with netstat...)


Resolution: Re-install debian package uml-utilities
09/26/2005

This note is more a footnote than anything, and really doesn't answer the question "Why am I getting this error"

A little background. A few weeks ago I noticed a series of "warning, got bogus unix line." messages in my daily cron job's emails. Too busy, I ignored them for a while. Eventually I took the time to do a little investigating. After some checking, I discovered the line was coming from chkrootkit. This made me pay attention! ...so I dug in further. I Googled a bit, and found numerous references to virus infected systems with root kits installed. What differed with my situation is my chkrootkit wasn't saying anything about a virus, it was saying "got bogus unix line."

So I read the man page for chkrootkit in greater detail and found the "-d" parameter (debug mode). I ran it this way and found it was running netstat when it got the "bogus unix line" message. I tried running netstat by itself: 

netstat -anp
and found I consistently got the "bogus" message. What was not consistent was where it appeared in the listing. This was confusing. It also made me nervous. What if my server was compromised, and the virus was smart enough to hide itself from my netstat inquiries? After a little experimenting, I found I didn't get the "bogus" message using 
netstat -an --tcp
or using 
netstat -an --udp
More Googling found a copy of the netstat source code and illustrated the "got bogus unix line" message only applied to unix domain sockets, not to tcp or udp. More experimenting and I finally stumbled on 
netstat -anp --unix 2>&1 | grep bogus
returned consistent results, and the culprit was uml-utilities!

Armed with consistent results from netstat, I turned uml-utilities off using 

/etc/init.d/uml-utilities stop
and ran the netstat command again. No Error! I turned it back on, ran the netstat command, and the error re-appeared,

So, the resolution was to re-install the package, using

apt-get install --reinstall uml-utilities
Once reinstalled, I started uml-utilities and tried netstat again. No Error!

I have neglected to mention this is a debian sarge installation using a 2.6.9 kernel.

I hope this saves at least one other person 1) the worry of thinking their server has been compromised, and 2) the time spent tracking it down! If you find this helpful, please take a moment to drop me a message using this link.

Comments

Add your comments

Name:
E-Mail:   We will not display your email address.
Comments:

 
 

Copyright ©2008 Morgan-Systems.com