Got bogus unix line
UML Utilities/missing kernel hooks cause misleading error
Warning, Got Bogus UNIX Line
Re: netstat returns "warning, got bogus unix line."
Resolution: stop uml-utilities
Quick update. After my next boot I found the problem is back. I stopped uml-utilities and the problem
went away. I don't think I added uml hooks into the kernel the last time I compiled it. I now suspect this
error is related to that condition. (I have UML on another box, with the kernel hooks in place and it does not
throw the same error with netstat...)
Resolution: Re-install debian package uml-utilities
This note is more a footnote than anything, and really doesn't answer the question "Why am I getting this error"
A little background. A few weeks ago I noticed a series of "warning, got bogus unix line." messages
in my daily cron job's emails. Too busy, I ignored them for a while. Eventually I took the time to do a little
investigating. After some checking, I discovered the line was coming from chkrootkit. This made me pay attention! ...so I dug
in further. I Googled a bit, and found numerous references to virus infected systems with root kits installed. What differed
with my situation is my chkrootkit wasn't saying anything about a virus, it was saying "got bogus unix line."
So I read the man page for chkrootkit in greater detail and found the "-d" parameter (debug mode). I ran it this way and found
it was running netstat when it got the "bogus unix line" message. I tried running netstat by itself:
netstat -anp and
found I consistently got the "bogus" message. What was not consistent was where it appeared in the listing. This was confusing. It
also made me nervous. What if my server was compromised, and the virus was smart enough to hide itself from my netstat inquiries?
After a little experimenting, I found I didn't get the "bogus" message using
netstat -an --tcp or using
netstat -an --udpMore Googling found
a copy of the netstat source code and illustrated the "got bogus unix line" message only applied to unix domain sockets, not to
tcp or udp. More experimenting and I finally stumbled on
netstat -anp --unix 2>&1 | grep bogusreturned consistent results,
and the culprit was uml-utilities!
Armed with consistent results from netstat, I turned uml-utilities off using
/etc/init.d/uml-utilities stop and ran
the netstat command again. No Error! I turned it back on, ran the netstat command, and the error re-appeared,
So, the resolution was to re-install the package, using
apt-get install --reinstall uml-utilitiesOnce reinstalled,
I started uml-utilities and tried netstat again. No Error!
I have neglected to mention this is a debian sarge installation using a 2.6.9 kernel.
I hope this saves at least one other person 1) the worry of thinking their server has been compromised, and 2) the
time spent tracking it down! If you find this helpful, please take a moment to drop me a message using