Morgan Systems
Development Notes and Bugfixes

Got bogus unix line

UML Utilities/missing kernel hooks cause misleading error

Warning, Got Bogus UNIX Line
Re: netstat returns "warning, got bogus unix line."
Resolution: stop uml-utilities
10/05/2005

Quick update. After my next boot I found the problem was back. I stopped uml-utilities and the problem went away. I don't think I added UML hooks into the kernel the last time I compiled it. I now suspect this error is related to that condition. (I have UML on another box, with the kernel hooks in place, and it does not throw the same error with netstat...)


Resolution: Re-install debian package uml-utilities
09/26/2005

This note is more a footnote than anything, and really doesn't answer the question "Why am I getting this error?"

A little background. A few weeks ago I noticed a series of "warning, got bogus unix line." messages in my daily cron job's emails. Too busy, I ignored them for a while. Eventually I took the time to do a little investigating. After some checking, I discovered the line was coming from chkrootkit. This made me pay attention! ...so I dug in further. I Googled a bit, and found numerous references to virus-infected systems with root kits installed. What differed in my situation is that my chkrootkit wasn't saying anything about a virus; it was saying "got bogus unix line."

So I read the man page for chkrootkit in greater detail and found the "-d" parameter (debug mode). I ran it this way and found it was running netstat when it got the "bogus unix line" message. I tried running netstat by itself:

netstat -anp

and found I consistently got the "bogus" message. What was not consistent was where it appeared in the listing. This was confusing. It also made me nervous. What if my server was compromised, and the virus was smart enough to hide itself from my netstat inquiries? After a little experimenting, I found I didn't get the "bogus" message using

netstat -an --tcp

or using

netstat -an --udp

More Googling turned up a copy of the netstat source code, which showed that the "got bogus unix line" message only applies to unix domain sockets, not to tcp or udp. More experimenting, and I finally stumbled on

netstat -anp --unix 2>&1 | grep bogus

which returned consistent results, and the culprit was uml-utilities!

Armed with consistent results from netstat, I turned uml-utilities off using

/etc/init.d/uml-utilities stop

and ran the netstat command again. No Error! I turned it back on, ran the netstat command, and the error re-appeared.

So, the resolution was to re-install the package, using

apt-get install --reinstall uml-utilities

Once reinstalled, I started uml-utilities and tried netstat again. No Error!
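The two checks above, isolating which socket family emits the warning and then seeing which /proc/net/unix entry netstat actually rejects, as an added shell example. This is my code, not the post author's or the net-tools project's. The sample /proc/net/unix table is constructed, and the "fewer than seven whitespace-separated fields" test is my reading of how net-tools netstat parses that file (it sscanf's "addr: refcnt proto flags type st inode [path]" and warns when too few fields parse); the post itself only says the warning is specific to unix domain sockets.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Helpers for the two checks described above:
#   count_bogus            - run a command, count "bogus unix line" warnings
#   check_families         - run netstat per socket family, as the post did
#   find_bogus_unix_lines  - list /proc/net/unix entries netstat would reject
# Assumption (my reading of the net-tools netstat source, not stated on the
# page): netstat reads /proc/net/unix as "addr: refcnt proto flags type st
# inode [path]" and prints the warning when fewer than six fields after
# "addr:" parse. NF < 7 below approximates that; it does not validate hex.

count_bogus() {
    # Run "$@", merge stderr into stdout, print the number of warning lines.
    # "|| true" keeps a zero count from being treated as an error under set -e.
    "$@" 2>&1 | grep -c 'got bogus unix line' || true
}

check_families() {
    # Compare tcp, udp and unix separately; only --unix should ever warn.
    for fam in --tcp --udp --unix; do
        printf '%-6s %s warning(s)\n' "$fam" "$(count_bogus netstat -an "$fam")"
    done
}

find_bogus_unix_lines() {
    # $1: /proc/net/unix or a saved copy of it. Prints offending entries with
    # their line number; the header line (NR == 1) is skipped.
    awk 'NR > 1 && NF < 7 { printf "line %d: %s\n", NR, $0 }' "$1"
}

write_sample_unix_table() {
    # Constructed sample in /proc/net/unix layout (addresses, inodes and the
    # path are made up): one named socket, one unnamed socket, one truncated
    # entry of the kind netstat would call bogus.
    cat > "$1" <<'EOF'
Num RefCount Protocol Flags Type St Inode Path
ffff0001: 00000002 00000000 00010000 0001 01 12345 /tmp/example.sock
ffff0002: 00000002 00000000 00000000 0002 01 12346
ffff0003: 00000002
EOF
}

demo() {
    # Stand-alone run against the constructed sample. On a live box you would
    # run "find_bogus_unix_lines /proc/net/unix" and "check_families" instead.
    tmp=$(mktemp)
    write_sample_unix_table "$tmp"
    find_bogus_unix_lines "$tmp"
    rm -f "$tmp"
}
```

Running `check_families` before and after `/etc/init.d/uml-utilities stop` reproduces the post's toggle test with a count instead of eyeballing a listing, and `find_bogus_unix_lines /proc/net/unix` names the entry netstat is skipping, which is the part the post never got to see.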

I have neglected to mention this is a Debian sarge installation using a 2.6.9 kernel.

I hope this saves at least one other person 1) the worry of thinking their server has been compromised, and 2) the time spent tracking it down! If you find this helpful, please take a moment to drop me a message using this link.
