Message-ID: <4916a7fcc02d4913cb28f519e968605d@smtp.hushmail.com>
Date: Tue, 17 Mar 2020 11:28:28 +0000
From: Paweł Krawczyk <pawel.krawczyk@...h.com>
To: lkrg-users@...ts.openwall.com
Subject: ERROR: Can't hook execve syscall

Latest lkrg-main crashes on insmod. The system has Secure Boot enabled, MOK loaded and the module is signed using ksignmod; not sure if this matters?

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 19.10
Release:        19.10
Codename:       eoan

# insmod p_lkrg.ko

[49239.907612] [p_lkrg] Loading LKRG...
[49239.912796] Freezing user space processes ... (elapsed 0.148 seconds) done.
[49240.061763] OOM killer disabled.
[49240.061767] [p_lkrg] Verifying 21 potential UMH paths for whitelisting...
[49240.061943] [p_lkrg] 4 UMH paths were whitelisted...
[49240.119520] [p_lkrg] [kretprobe] register_kretprobe() for <__x64_sys_execve> failed! [err=-1]
[49240.120340] [p_lkrg] ERROR: Can't hook execve syscall :(
[49240.121295] =============================================================================
[49240.122121] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49240.122970] -----------------------------------------------------------------------------
[49240.124689] INFO: Slab 0x0000000024482916 objects=16 used=12 fp=0x00000000c7a2d8f7 flags=0x17ffffc0010200
[49240.125590] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49240.125591] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49240.125592] Call Trace:
[49240.125602] dump_stack+0x6d/0x9a
[49240.125604] slab_err+0xb7/0xdc
[49240.125607] __kmem_cache_shutdown.cold+0x37/0x123
[49240.125610] shutdown_cache+0x16/0x160
[49240.125611] kmem_cache_destroy+0x217/0x230
[49240.125628] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49240.125636] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49240.125643] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49240.125651] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49240.125653] ? 0xffffffffc14c0000
[49240.125660] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49240.125661] ? 0xffffffffc14c0000
[49240.125663] do_one_initcall+0x4a/0x1fa
[49240.125665] ? kmem_cache_alloc_trace+0x163/0x230
[49240.125667] do_init_module+0x62/0x250
[49240.125669] load_module+0x10d4/0x1220
[49240.125672] __do_sys_finit_module+0xbe/0x120
[49240.125674] ? __do_sys_finit_module+0xbe/0x120
[49240.125676] __x64_sys_finit_module+0x1a/0x20
[49240.125678] do_syscall_64+0x5a/0x130
[49240.125681] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49240.125682] RIP: 0033:0x7fd5fcaf994d
[49240.125685] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49240.125686] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49240.125688] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
[49240.125689] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
[49240.125689] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
[49240.125690] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49240.125691] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
[49240.125693] INFO: Object 0x00000000ab512677 @offset=64
[49240.126579] INFO: Object 0x000000009b4608e4 @offset=576
[49240.127448] INFO: Object 0x000000008d78d16e @offset=1088
[49240.128307] INFO: Object 0x00000000b839ef80 @offset=3136
[49240.129234] INFO: Object 0x00000000dffe77d5 @offset=3648
[49240.130135] INFO: Object 0x000000003cbf05cb @offset=4160
[49240.131034] INFO: Object 0x0000000021ffbda7 @offset=4672
[49240.131928] INFO: Object 0x0000000033a21efb @offset=5184
[49240.132812] INFO: Object 0x00000000fe6088a2 @offset=5696
[49240.133686] INFO: Object 0x0000000025d60964 @offset=6208
[49240.134557] INFO: Object 0x00000000f6d0cf84 @offset=6720
[49240.135418] INFO: Object 0x0000000066b20dcc @offset=7744
[49240.136271] =============================================================================
[49240.137137] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49240.138022] -----------------------------------------------------------------------------
[49240.139770] INFO: Slab 0x000000001677baa7 objects=16 used=2 fp=0x000000002530c442 flags=0x17ffffc0010200
[49240.140662] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49240.140662] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49240.140663] Call Trace:
[49240.140665] dump_stack+0x6d/0x9a
[49240.140667] slab_err+0xb7/0xdc
[49240.140670] __kmem_cache_shutdown.cold+0x37/0x123
[49240.140672] shutdown_cache+0x16/0x160
[49240.140673] kmem_cache_destroy+0x217/0x230
[49240.140681] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49240.140689] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49240.140698] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49240.140705] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49240.140707] ? 0xffffffffc14c0000
[49240.140714] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49240.140715] ? 0xffffffffc14c0000
[49240.140716] do_one_initcall+0x4a/0x1fa
[49240.140718] ? kmem_cache_alloc_trace+0x163/0x230
[49240.140720] do_init_module+0x62/0x250
[49240.140721] load_module+0x10d4/0x1220
[49240.140724] __do_sys_finit_module+0xbe/0x120
[49240.140726] ? __do_sys_finit_module+0xbe/0x120
[49240.140728] __x64_sys_finit_module+0x1a/0x20
[49240.140730] do_syscall_64+0x5a/0x130
[49240.140731] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49240.140732] RIP: 0033:0x7fd5fcaf994d
[49240.140734] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49240.140735] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49240.140736] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
[49240.140737] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
[49240.140738] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
[49240.140739] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49240.140739] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
[49240.140741] INFO: Object 0x00000000a6813070 @offset=3136
[49240.141629] INFO: Object 0x000000009ceab088 @offset=7232
[49240.142509] =============================================================================
[49240.143397] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49240.144298] -----------------------------------------------------------------------------
[49240.146100] INFO: Slab 0x0000000036ce7957 objects=16 used=2 fp=0x000000001bf84bf9 flags=0x17ffffc0010200
[49240.147040] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49240.147040] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49240.147041] Call Trace:
[49240.147043] dump_stack+0x6d/0x9a
[49240.147045] slab_err+0xb7/0xdc
[49240.147048] __kmem_cache_shutdown.cold+0x37/0x123
[49240.147049] shutdown_cache+0x16/0x160
[49240.147051] kmem_cache_destroy+0x217/0x230
[49240.147059] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49240.147067] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49240.147075] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49240.147083] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49240.147084] ? 0xffffffffc14c0000
[49240.147091] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49240.147092] ? 0xffffffffc14c0000
[49240.147094] do_one_initcall+0x4a/0x1fa
[49240.147095] ? kmem_cache_alloc_trace+0x163/0x230
[49240.147097] do_init_module+0x62/0x250
[49240.147099] load_module+0x10d4/0x1220
[49240.147102] __do_sys_finit_module+0xbe/0x120
[49240.147103] ? __do_sys_finit_module+0xbe/0x120
[49240.147105] __x64_sys_finit_module+0x1a/0x20
[49240.147107] do_syscall_64+0x5a/0x130
[49240.147109] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49240.147109] RIP: 0033:0x7fd5fcaf994d
[49240.147111] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49240.147112] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49240.147113] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
[49240.147114] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
[49240.147114] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
[49240.147115] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49240.147116] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
[49240.147118] INFO: Object 0x000000000e9ccf4a @offset=2112
[49240.148057] INFO: Object 0x00000000239d25d3 @offset=7744
[49240.148993] =============================================================================
[49240.150017] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49240.151109] -----------------------------------------------------------------------------
[49240.153322] INFO: Slab 0x000000005fe2f05a objects=16 used=4 fp=0x000000008dd30bc1 flags=0x17ffffc0010200
[49240.154470] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49240.154470] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49240.154471] Call Trace:
[49240.154473] dump_stack+0x6d/0x9a
[49240.154475] slab_err+0xb7/0xdc
[49240.154478] __kmem_cache_shutdown.cold+0x37/0x123
[49240.154480] shutdown_cache+0x16/0x160
[49240.154482] kmem_cache_destroy+0x217/0x230
[49240.154490] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49240.154499] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49240.154508] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49240.154517] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49240.154518] ? 0xffffffffc14c0000
[49240.154526] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49240.154527] ? 0xffffffffc14c0000
[49240.154529] do_one_initcall+0x4a/0x1fa
[49240.154531] ? kmem_cache_alloc_trace+0x163/0x230
[49240.154533] do_init_module+0x62/0x250
[49240.154534] load_module+0x10d4/0x1220
[49240.154538] __do_sys_finit_module+0xbe/0x120
[49240.154539] ? __do_sys_finit_module+0xbe/0x120
[49240.154542] __x64_sys_finit_module+0x1a/0x20
[49240.154544] do_syscall_64+0x5a/0x130
[49240.154546] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49240.154547] RIP: 0033:0x7fd5fcaf994d
[49240.154548] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49240.154549] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49240.154550] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
[49240.154551] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
[49240.154552] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
[49240.154553] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49240.154553] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
[49240.154556] INFO: Object 0x000000006bd437c4 @offset=1088
[49240.155712] INFO: Object 0x00000000a64d8b8b @offset=3648
[49240.156870] INFO: Object 0x00000000df16bf87 @offset=4160
[49240.157974] INFO: Object 0x0000000000b41ea7 @offset=6720
[49240.159093] kmem_cache_destroy p_ed_pids: Slab cache still has objects
[49240.160155] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49240.160156] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49240.160157] Call Trace:
[49240.160159] dump_stack+0x6d/0x9a
[49240.160162] kmem_cache_destroy.cold+0x15/0x1a
[49240.160170] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49240.160179] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49240.160188] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49240.160196] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49240.160198] ? 0xffffffffc14c0000
[49240.160205] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49240.160207] ? 0xffffffffc14c0000
[49240.160208] do_one_initcall+0x4a/0x1fa
[49240.160210] ? kmem_cache_alloc_trace+0x163/0x230
[49240.160212] do_init_module+0x62/0x250
[49240.160214] load_module+0x10d4/0x1220
[49240.160217] __do_sys_finit_module+0xbe/0x120
[49240.160219] ? __do_sys_finit_module+0xbe/0x120
[49240.160221] __x64_sys_finit_module+0x1a/0x20
[49240.160223] do_syscall_64+0x5a/0x130
[49240.160225] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49240.160226] RIP: 0033:0x7fd5fcaf994d
[49240.160228] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49240.160229] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49240.160230] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
[49240.160231] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
[49240.160232] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
[49240.160232] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49240.160233] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
[49240.160235] [p_lkrg] Can't initialize exploit detection features! Exiting...
[49240.161319] OOM killer enabled.
[49240.161319] Restarting tasks ... done.
[49252.906151] IN IN=ppp0 OUT= MAC= SRC=114.33.117.199 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=44728 PROTO=TCP SPT=28663 DPT=52869 WINDOW=43332 RES=0x00 SYN URGP=0
[49257.347638] IN IN=ppp0 OUT= MAC= SRC=185.176.27.250 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=37512 PROTO=TCP SPT=54462 DPT=51852 WINDOW=1024 RES=0x00 SYN URGP=0
[49257.357381] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2001:0bb6:360f:9458:be76:5eff:fe9b:ea8d DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=152 TC=0 HOPLIMIT=51 FLOWLBL=0 PROTO=UDP SPT=6881 DPT=31338 LEN=112
[49265.332618] IN IN=ppp0 OUT= MAC= SRC=142.11.209.108 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=30808 PROTO=TCP SPT=40840 DPT=3383 WINDOW=1024 RES=0x00 SYN URGP=0
[49269.270580] IN IN=ppp0 OUT= MAC= SRC=71.6.167.142 DST=91.135.7.108 LEN=44 TOS=0x10 PREC=0x00 TTL=114 ID=31277 PROTO=TCP SPT=29011 DPT=5801 WINDOW=9662 RES=0x00 SYN URGP=0
[49277.989275] IN IN=ppp0 OUT= MAC= SRC=51.161.105.130 DST=91.135.7.108 LEN=40 TOS=0x14 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=44806 WINDOW=0 RES=0x00 RST URGP=0
[49284.275247] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=2a03:b0c0:0000:1010:0000:0000:0023:1001 DST=2a02:0390:79ef:caaa:6d27:51cb:74f4:29d3 LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=945080 PROTO=TCP SPT=443 DPT=47460 WINDOW=0 RES=0x00 RST URGP=0
[49284.276421] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=2a03:b0c0:0000:1010:0000:0000:0023:1001 DST=2a02:0390:79ef:caaa:6d27:51cb:74f4:29d3 LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=945080 PROTO=TCP SPT=443 DPT=47460 WINDOW=0 RES=0x00 RST URGP=0
[49312.237847] IN IN=ppp0 OUT= MAC= SRC=82.102.173.78 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54891 PROTO=TCP SPT=55313 DPT=1443 WINDOW=1024 RES=0x00 SYN URGP=0
[49318.140589] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2408:84e7:04a1:ee05:b1c6:9822:755c:d744 DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=115 TC=0 HOPLIMIT=49 FLOWLBL=952431 PROTO=UDP SPT=52856 DPT=31338 LEN=75
[49329.979271] IN IN=ppp0 OUT= MAC= SRC=122.226.189.51 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=61391 DPT=60001 WINDOW=16384 RES=0x00 SYN URGP=0
[49335.666723] IN IN=ppp0 OUT= MAC= SRC=207.180.238.101 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=26640 PROTO=TCP SPT=47203 DPT=3351 WINDOW=1024 RES=0x00 SYN URGP=0
[49337.270712] IN IN=ppp0 OUT= MAC= SRC=172.104.88.91 DST=91.135.7.108 LEN=33 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=UDP SPT=57310 DPT=3283 LEN=13
[49338.372027] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2a02:0c7f:50d6:2e00:09f3:9d71:f532:4224 DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=113 TC=0 HOPLIMIT=56 FLOWLBL=160990 PROTO=UDP SPT=13773 DPT=31338 LEN=73
[49350.912166] IN IN=ppp0 OUT= MAC= SRC=185.94.111.1 DST=91.135.7.108 LEN=43 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=UDP SPT=34875 DPT=11211 LEN=23
[49359.459848] IN IN=ppp0 OUT= MAC= SRC=185.176.27.42 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=9752 PROTO=TCP SPT=46653 DPT=55103 WINDOW=1024 RES=0x00 SYN URGP=0
[49365.549297] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=3735 PROTO=TCP SPT=55902 DPT=3755 WINDOW=1024 RES=0x00 SYN URGP=0
[49370.957817] IN IN=ppp0 OUT= MAC= SRC=159.89.80.112 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55447 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[49371.620777] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2001:0818:e809:7700:65b2:88a1:4c2b:5799 DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=119 TC=0 HOPLIMIT=52 FLOWLBL=664893 PROTO=UDP SPT=16650 DPT=31338 LEN=79
[49374.482523] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=23415 PROTO=TCP SPT=55902 DPT=6064 WINDOW=1024 RES=0x00 SYN URGP=0
[49381.141220] IN IN=ppp0 OUT= MAC= SRC=107.189.11.232 DST=91.135.7.108 LEN=40 TOS=0x08 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=53009 DPT=222 WINDOW=65535 RES=0x00 SYN URGP=0
[49388.644148] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:de28:3748 LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=42665 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[49388.644330] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:aaed:336c LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=23822 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[49388.644578] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:d159:763e LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=34037 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[49388.645330] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:914f:b1ea LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=7507 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[49388.645831] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:046d:683e LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=41512 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[49392.042926] [p_lkrg] Loading LKRG...
[49392.047392] Freezing user space processes ... (elapsed 0.001 seconds) done.
[49392.049291] OOM killer disabled.
[49392.049294] [p_lkrg] Verifying 21 potential UMH paths for whitelisting...
[49392.049397] [p_lkrg] 4 UMH paths were whitelisted...
[49392.078559] [p_lkrg] [kretprobe] register_kretprobe() for <__x64_sys_execve> failed! [err=-1]
[49392.079367] [p_lkrg] ERROR: Can't hook execve syscall :(
[49392.080366] =============================================================================
[49392.081240] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49392.082136] -----------------------------------------------------------------------------
[49392.083936] INFO: Slab 0x00000000e942caf2 objects=16 used=9 fp=0x00000000abd675a5 flags=0x17ffffc0010200
[49392.084873] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49392.084874] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49392.084875] Call Trace:
[49392.084884] dump_stack+0x6d/0x9a
[49392.084888] slab_err+0xb7/0xdc
[49392.084890] __kmem_cache_shutdown.cold+0x37/0x123
[49392.084893] shutdown_cache+0x16/0x160
[49392.084895] kmem_cache_destroy+0x217/0x230
[49392.084913] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49392.084921] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49392.084929] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49392.084937] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49392.084939] ? 0xffffffffc14c0000
[49392.084946] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49392.084948] ? 0xffffffffc14c0000
[49392.084950] do_one_initcall+0x4a/0x1fa
[49392.084952] ? kmem_cache_alloc_trace+0x163/0x230
[49392.084955] do_init_module+0x62/0x250
[49392.084957] load_module+0x10d4/0x1220
[49392.084960] __do_sys_finit_module+0xbe/0x120
[49392.084961] ? __do_sys_finit_module+0xbe/0x120
[49392.084963] __x64_sys_finit_module+0x1a/0x20
[49392.084965] do_syscall_64+0x5a/0x130
[49392.084969] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49392.084971] RIP: 0033:0x7f4e7eb3994d
[49392.084974] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49392.084975] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49392.084977] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
[49392.084978] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
[49392.084978] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
[49392.084979] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49392.084980] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
[49392.084982] INFO: Object 0x00000000f5717365 @offset=64
[49392.085960] INFO: Object 0x0000000061773205 @offset=576
[49392.087007] INFO: Object 0x00000000c1bb7148 @offset=1088
[49392.088044] INFO: Object 0x0000000039487805 @offset=1600
[49392.089078] INFO: Object 0x00000000515bdfb8 @offset=2624
[49392.090097] INFO: Object 0x000000002bd2e6db @offset=5696
[49392.091105] INFO: Object 0x00000000e6ef7231 @offset=6208
[49392.092115] INFO: Object 0x000000006338dc7d @offset=7232
[49392.093116] INFO: Object 0x00000000fa45fa08 @offset=7744
[49392.094116] =============================================================================
[49392.095131] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49392.096176] -----------------------------------------------------------------------------
[49392.098288] INFO: Slab 0x00000000fcfc84c9 objects=16 used=10 fp=0x00000000c5116a0b flags=0x17ffffc0010200
[49392.099388] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49392.099389] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49392.099390] Call Trace:
[49392.099392] dump_stack+0x6d/0x9a
[49392.099395] slab_err+0xb7/0xdc
[49392.099397] __kmem_cache_shutdown.cold+0x37/0x123
[49392.099400] shutdown_cache+0x16/0x160
[49392.099402] kmem_cache_destroy+0x217/0x230
[49392.099410] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49392.099419] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49392.099428] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49392.099437] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49392.099439] ? 0xffffffffc14c0000
[49392.099446] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49392.099448] ? 0xffffffffc14c0000
[49392.099450] do_one_initcall+0x4a/0x1fa
[49392.099452] ? kmem_cache_alloc_trace+0x163/0x230
[49392.099454] do_init_module+0x62/0x250
[49392.099455] load_module+0x10d4/0x1220
[49392.099459] __do_sys_finit_module+0xbe/0x120
[49392.099460] ? __do_sys_finit_module+0xbe/0x120
[49392.099463] __x64_sys_finit_module+0x1a/0x20
[49392.099465] do_syscall_64+0x5a/0x130
[49392.099467] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49392.099468] RIP: 0033:0x7f4e7eb3994d
[49392.099470] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49392.099471] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49392.099472] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
[49392.099473] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
[49392.099474] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
[49392.099475] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49392.099475] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
[49392.099477] INFO: Object 0x0000000005d2db9b @offset=64
[49392.100579] INFO: Object 0x00000000a2fafc2b @offset=576
[49392.101675] INFO: Object 0x000000000779c959 @offset=1088
[49392.102764] INFO: Object 0x00000000cf3906b0 @offset=1600
[49392.103841] INFO: Object 0x000000000a73b627 @offset=2624
[49392.104916] INFO: Object 0x00000000d3535c4e @offset=3648
[49392.105988] INFO: Object 0x0000000024a6a240 @offset=4160
[49392.107063] INFO: Object 0x0000000009f029b6 @offset=4672
[49392.108132] INFO: Object 0x0000000049597653 @offset=5696
[49392.109193] INFO: Object 0x00000000eaf25132 @offset=6208
[49392.110250] =============================================================================
[49392.111319] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49392.112415] -----------------------------------------------------------------------------
[49392.114626] INFO: Slab 0x000000003b1992e2 objects=16 used=3 fp=0x00000000ad59ad4c flags=0x17ffffc0010200
[49392.115777] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49392.115777] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49392.115778] Call Trace:
[49392.115781] dump_stack+0x6d/0x9a
[49392.115783] slab_err+0xb7/0xdc
[49392.115785] __kmem_cache_shutdown.cold+0x37/0x123
[49392.115788] shutdown_cache+0x16/0x160
[49392.115789] kmem_cache_destroy+0x217/0x230
[49392.115798] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49392.115807] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49392.115817] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49392.115826] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49392.115827] ? 0xffffffffc14c0000
[49392.115835] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49392.115837] ? 0xffffffffc14c0000
[49392.115839] do_one_initcall+0x4a/0x1fa
[49392.115841] ? kmem_cache_alloc_trace+0x163/0x230
[49392.115842] do_init_module+0x62/0x250
[49392.115844] load_module+0x10d4/0x1220
[49392.115848] __do_sys_finit_module+0xbe/0x120
[49392.115849] ? __do_sys_finit_module+0xbe/0x120
[49392.115852] __x64_sys_finit_module+0x1a/0x20
[49392.115853] do_syscall_64+0x5a/0x130
[49392.115855] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49392.115856] RIP: 0033:0x7f4e7eb3994d
[49392.115858] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49392.115859] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49392.115860] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
[49392.115861] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
[49392.115862] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
[49392.115863] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49392.115863] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
[49392.115866] INFO: Object 0x000000000b246cb1 @offset=576
[49392.117015] INFO: Object 0x000000002c77dc6d @offset=6208
[49392.118157] INFO: Object 0x00000000d54b4cc0 @offset=7232
[49392.119299] =============================================================================
[49392.120465] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49392.121631] -----------------------------------------------------------------------------
[49392.123792] INFO: Slab 0x00000000ba9d25ca objects=16 used=6 fp=0x0000000063a0b344 flags=0x17ffffc0010200
[49392.124898] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49392.124899] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49392.124900] Call Trace:
[49392.124902] dump_stack+0x6d/0x9a
[49392.124903] slab_err+0xb7/0xdc
[49392.124906] __kmem_cache_shutdown.cold+0x37/0x123
[49392.124908] shutdown_cache+0x16/0x160
[49392.124909] kmem_cache_destroy+0x217/0x230
[49392.124917] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49392.124925] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49392.124933] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49392.124941] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49392.124943] ? 0xffffffffc14c0000
[49392.124950] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49392.124951] ? 0xffffffffc14c0000
[49392.124952] do_one_initcall+0x4a/0x1fa
[49392.124954] ? kmem_cache_alloc_trace+0x163/0x230
[49392.124956] do_init_module+0x62/0x250
[49392.124957] load_module+0x10d4/0x1220
[49392.124960] __do_sys_finit_module+0xbe/0x120
[49392.124962] ? __do_sys_finit_module+0xbe/0x120
[49392.124964] __x64_sys_finit_module+0x1a/0x20
[49392.124965] do_syscall_64+0x5a/0x130
[49392.124967] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49392.124968] RIP: 0033:0x7f4e7eb3994d
[49392.124969] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49392.124970] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49392.124971] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
[49392.124972] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
[49392.124973] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
[49392.124974] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49392.124974] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
[49392.124976] INFO: Object 0x0000000058424623 @offset=64
[49392.126081] INFO: Object 0x0000000072623c3d @offset=1600
[49392.127182] INFO: Object 0x0000000088a4551d @offset=2624
[49392.128280] INFO: Object 0x0000000014225fae @offset=4160
[49392.129376] INFO: Object 0x0000000049762c1d @offset=6720
[49392.130470] INFO: Object 0x00000000e54b4cea @offset=7744
[49392.131600] kmem_cache_destroy p_ed_pids: Slab cache still has objects
[49392.132713] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49392.132714] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49392.132714] Call Trace:
[49392.132716] dump_stack+0x6d/0x9a
[49392.132719] kmem_cache_destroy.cold+0x15/0x1a
[49392.132727] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49392.132734] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49392.132743] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49392.132751] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49392.132752] ? 0xffffffffc14c0000
[49392.132759] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49392.132760] ? 0xffffffffc14c0000
[49392.132762] do_one_initcall+0x4a/0x1fa
[49392.132764] ? kmem_cache_alloc_trace+0x163/0x230
[49392.132765] do_init_module+0x62/0x250
[49392.132767] load_module+0x10d4/0x1220
[49392.132770] __do_sys_finit_module+0xbe/0x120
[49392.132771] ? __do_sys_finit_module+0xbe/0x120
[49392.132773] __x64_sys_finit_module+0x1a/0x20
[49392.132775] do_syscall_64+0x5a/0x130
[49392.132777] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[49392.132778] RIP: 0033:0x7f4e7eb3994d
[49392.132779] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
[49392.132780] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[49392.132781] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
[49392.132782] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
[49392.132782] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
[49392.132783] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[49392.132784] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
[49392.132786] [p_lkrg] Can't initialize exploit detection features! Exiting...
[49392.133912] OOM killer enabled.
[49392.133912] Restarting tasks ... done.
[49396.074664] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=57112 PROTO=TCP SPT=55902 DPT=4560 WINDOW=1024 RES=0x00 SYN URGP=0
[49405.805365] IN IN=ppp0 OUT= MAC= SRC=93.174.93.72 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=17475 PROTO=TCP SPT=56667 DPT=4899 WINDOW=1024 RES=0x00 SYN URGP=0
[49409.967566] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=37250 PROTO=TCP SPT=55902 DPT=5112 WINDOW=1024 RES=0x00 SYN URGP=0
[49428.799972] IN IN=ppp0 OUT= MAC= SRC=45.143.220.35 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=12456 PROTO=TCP SPT=41293 DPT=8379 WINDOW=1024 RES=0x00 SYN URGP=0
[49448.338091] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2408:8221:6414:c010:2021:0da2:f7c2:4d2a DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=115 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=UDP SPT=52677 DPT=31338 LEN=75
[49456.402071] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:76e5:11df LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=31940 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[49456.407549] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:9082:b96c LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=20499 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[49456.407718] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:1d3d:f1de LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=58577 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[49456.426058] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:9d51:54db LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=17257 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[49456.426469] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:03a0:49cd LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=50737 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[49488.982431] IN IN=ppp0 OUT= MAC= SRC=185.216.140.252 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=42385 PROTO=TCP SPT=58118 DPT=55569 WINDOW=1024 RES=0x00 SYN URGP=0
[49489.022791] [p_lkrg] Loading LKRG...
[49489.027851] Freezing user space processes ... (elapsed 0.007 seconds) done.
[49489.035070] OOM killer disabled.
[49489.035073] [p_lkrg] Verifying 21 potential UMH paths for whitelisting...
[49489.035166] [p_lkrg] 4 UMH paths were whitelisted...
[49489.062492] [p_lkrg] [kretprobe] register_kretprobe() for <__x64_sys_execve> failed! [err=-1]
[49489.063577] [p_lkrg] ERROR: Can't hook execve syscall :(
[49489.070994] =============================================================================
[49489.072029] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49489.073062] -----------------------------------------------------------------------------
[49489.075145] INFO: Slab 0x00000000529c1343 objects=16 used=10 fp=0x000000009be478b7 flags=0x17ffffc0010200
[49489.076211] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
[49489.076212] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
[49489.076213] Call Trace:
[49489.076225] dump_stack+0x6d/0x9a
[49489.076229] slab_err+0xb7/0xdc
[49489.076233] __kmem_cache_shutdown.cold+0x37/0x123
[49489.076236] shutdown_cache+0x16/0x160
[49489.076238] kmem_cache_destroy+0x217/0x230
[49489.076257] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
[49489.076265] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
[49489.076273] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
[49489.076280] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
[49489.076282] ? 0xffffffffc14c0000
[49489.076289] p_lkrg_register+0x103/0x1000 [p_lkrg]
[49489.076290] ? 0xffffffffc14c0000
[49489.076294] do_one_initcall+0x4a/0x1fa
[49489.076296] ?
kmem_cache_alloc_trace+0x163/0x230 [49489.076299] do_init_module+0x62/0x250 [49489.076301] load_module+0x10d4/0x1220 [49489.076304] __do_sys_finit_module+0xbe/0x120 [49489.076306] ? __do_sys_finit_module+0xbe/0x120 [49489.076308] __x64_sys_finit_module+0x1a/0x20 [49489.076310] do_syscall_64+0x5a/0x130 [49489.076313] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [49489.076314] RIP: 0033:0x7f409b53194d [49489.076317] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 [49489.076318] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [49489.076320] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: 00007f409b53194d [49489.076321] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: 0000000000000003 [49489.076322] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: 00007f409b604240 [49489.076322] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 [49489.076323] R13: 0000557d8b06a760 R14: 0000000000000000 R15: 0000000000000000 [49489.076325] INFO: Object 0x0000000043a90647 @offset=576 [49489.077422] INFO: Object 0x00000000d3520399 @offset=1600 [49489.078466] INFO: Object 0x00000000a53ba283 @offset=2112 [49489.079504] INFO: Object 0x00000000b2d07bd4 @offset=2624 [49489.080639] INFO: Object 0x0000000092730c13 @offset=3136 [49489.081723] INFO: Object 0x0000000094010b23 @offset=4160 [49489.082795] INFO: Object 0x000000004f783266 @offset=5184 [49489.083850] INFO: Object 0x00000000ab72696c @offset=5696 [49489.084885] INFO: Object 0x00000000762af032 @offset=7232 [49489.085899] INFO: Object 0x0000000029d7795d @offset=7744 [49489.086904] ============================================================================= [49489.087909] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown() [49489.088922] ----------------------------------------------------------------------------- 
[49489.090981] INFO: Slab 0x000000001e329e61 objects=16 used=1 fp=0x000000009956a488 flags=0x17ffffc0010200 [49489.092048] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu [49489.092049] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018 [49489.092049] Call Trace: [49489.092052] dump_stack+0x6d/0x9a [49489.092054] slab_err+0xb7/0xdc [49489.092056] __kmem_cache_shutdown.cold+0x37/0x123 [49489.092058] shutdown_cache+0x16/0x160 [49489.092060] kmem_cache_destroy+0x217/0x230 [49489.092069] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] [49489.092077] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] [49489.092085] p_exploit_detection_exit+0x118/0x130 [p_lkrg] [49489.092093] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] [49489.092094] ? 0xffffffffc14c0000 [49489.092102] p_lkrg_register+0x103/0x1000 [p_lkrg] [49489.092103] ? 0xffffffffc14c0000 [49489.092104] do_one_initcall+0x4a/0x1fa [49489.092106] ? kmem_cache_alloc_trace+0x163/0x230 [49489.092108] do_init_module+0x62/0x250 [49489.092110] load_module+0x10d4/0x1220 [49489.092113] __do_sys_finit_module+0xbe/0x120 [49489.092114] ? 
__do_sys_finit_module+0xbe/0x120 [49489.092116] __x64_sys_finit_module+0x1a/0x20 [49489.092118] do_syscall_64+0x5a/0x130 [49489.092120] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [49489.092121] RIP: 0033:0x7f409b53194d [49489.092122] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 [49489.092123] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [49489.092125] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: 00007f409b53194d [49489.092125] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: 0000000000000003 [49489.092126] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: 00007f409b604240 [49489.092127] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 [49489.092128] R13: 0000557d8b06a760 R14: 0000000000000000 R15: 0000000000000000 [49489.092130] INFO: Object 0x00000000decec1c3 @offset=5184 [49489.093204] ============================================================================= [49489.094298] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown() [49489.095419] ----------------------------------------------------------------------------- [49489.097957] INFO: Slab 0x00000000f1949911 objects=16 used=3 fp=0x000000002ee3a843 flags=0x17ffffc0010200 [49489.099250] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu [49489.099251] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018 [49489.099251] Call Trace: [49489.099254] dump_stack+0x6d/0x9a [49489.099256] slab_err+0xb7/0xdc [49489.099259] __kmem_cache_shutdown.cold+0x37/0x123 [49489.099261] shutdown_cache+0x16/0x160 [49489.099263] kmem_cache_destroy+0x217/0x230 [49489.099272] ? 
p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] [49489.099280] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] [49489.099289] p_exploit_detection_exit+0x118/0x130 [p_lkrg] [49489.099298] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] [49489.099300] ? 0xffffffffc14c0000 [49489.099308] p_lkrg_register+0x103/0x1000 [p_lkrg] [49489.099309] ? 0xffffffffc14c0000 [49489.099311] do_one_initcall+0x4a/0x1fa [49489.099313] ? kmem_cache_alloc_trace+0x163/0x230 [49489.099314] do_init_module+0x62/0x250 [49489.099316] load_module+0x10d4/0x1220 [49489.099320] __do_sys_finit_module+0xbe/0x120 [49489.099321] ? __do_sys_finit_module+0xbe/0x120 [49489.099324] __x64_sys_finit_module+0x1a/0x20 [49489.099325] do_syscall_64+0x5a/0x130 [49489.099327] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [49489.099328] RIP: 0033:0x7f409b53194d [49489.099330] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 [49489.099331] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [49489.099332] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: 00007f409b53194d [49489.099333] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: 0000000000000003 [49489.099334] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: 00007f409b604240 [49489.099334] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 [49489.099335] R13: 0000557d8b06a760 R14: 0000000000000000 R15: 0000000000000000 [49489.099338] INFO: Object 0x000000008cfb70a8 @offset=2112 [49489.100609] INFO: Object 0x000000003d3c5997 @offset=3648 [49489.101857] INFO: Object 0x000000006893169e @offset=5184 [49489.103095] ============================================================================= [49489.104332] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown() [49489.105579] ----------------------------------------------------------------------------- [49489.108104] INFO: 
Slab 0x000000004b6de177 objects=16 used=4 fp=0x0000000063248568 flags=0x17ffffc0010200 [49489.109412] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu [49489.109413] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018 [49489.109414] Call Trace: [49489.109416] dump_stack+0x6d/0x9a [49489.109418] slab_err+0xb7/0xdc [49489.109421] __kmem_cache_shutdown.cold+0x37/0x123 [49489.109423] shutdown_cache+0x16/0x160 [49489.109425] kmem_cache_destroy+0x217/0x230 [49489.109433] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] [49489.109442] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] [49489.109451] p_exploit_detection_exit+0x118/0x130 [p_lkrg] [49489.109460] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] [49489.109461] ? 0xffffffffc14c0000 [49489.109469] p_lkrg_register+0x103/0x1000 [p_lkrg] [49489.109470] ? 0xffffffffc14c0000 [49489.109472] do_one_initcall+0x4a/0x1fa [49489.109474] ? kmem_cache_alloc_trace+0x163/0x230 [49489.109476] do_init_module+0x62/0x250 [49489.109478] load_module+0x10d4/0x1220 [49489.109481] __do_sys_finit_module+0xbe/0x120 [49489.109483] ? 
__do_sys_finit_module+0xbe/0x120 [49489.109485] __x64_sys_finit_module+0x1a/0x20 [49489.109487] do_syscall_64+0x5a/0x130 [49489.109489] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [49489.109490] RIP: 0033:0x7f409b53194d [49489.109491] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 [49489.109492] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [49489.109493] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: 00007f409b53194d [49489.109494] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: 0000000000000003 [49489.109495] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: 00007f409b604240 [49489.109496] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 [49489.109497] R13: 0000557d8b06a760 R14: 0000000000000000 R15: 0000000000000000 [49489.109499] INFO: Object 0x00000000e01ff641 @offset=64 [49489.110809] INFO: Object 0x0000000025b87e4d @offset=4672 [49489.112119] INFO: Object 0x00000000b4f85daf @offset=6208 [49489.113431] INFO: Object 0x00000000293d92c2 @offset=7232 [49489.114800] kmem_cache_destroy p_ed_pids: Slab cache still has objects [49489.116299] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu [49489.116299] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018 [49489.116300] Call Trace: [49489.116303] dump_stack+0x6d/0x9a [49489.116305] kmem_cache_destroy.cold+0x15/0x1a [49489.116314] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] [49489.116323] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] [49489.116332] p_exploit_detection_exit+0x118/0x130 [p_lkrg] [49489.116341] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] [49489.116342] ? 0xffffffffc14c0000 [49489.116350] p_lkrg_register+0x103/0x1000 [p_lkrg] [49489.116351] ? 0xffffffffc14c0000 [49489.116353] do_one_initcall+0x4a/0x1fa [49489.116355] ? 
kmem_cache_alloc_trace+0x163/0x230 [49489.116357] do_init_module+0x62/0x250 [49489.116359] load_module+0x10d4/0x1220 [49489.116362] __do_sys_finit_module+0xbe/0x120 [49489.116364] ? __do_sys_finit_module+0xbe/0x120 [49489.116366] __x64_sys_finit_module+0x1a/0x20 [49489.116368] do_syscall_64+0x5a/0x130 [49489.116370] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [49489.116371] RIP: 0033:0x7f409b53194d [49489.116373] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 [49489.116374] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [49489.116375] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: 00007f409b53194d [49489.116376] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: 0000000000000003 [49489.116377] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: 00007f409b604240 [49489.116378] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 [49489.116378] R13: 0000557d8b06a760 R14: 0000000000000000 R15: 0000000000000000 [49489.116381] [p_lkrg] Can't initialize exploit detection features! Exiting... [49489.117881] OOM killer enabled. [49489.117882] Restarting tasks ... done. -- Paweł Krawczyk +44 7879 180015
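A small triage script, added here as an example and not part of this message or of LKRG's own code: it reads dmesg lines in the format pasted above, groups them by "[p_lkrg] Loading LKRG..." attempt, and reports two separate symptoms that the paste shows together: which kretprobe registration failed, with the kernel return value translated through errno (err=-1 is EPERM, not the EINVAL or ENOENT one gets for a blacklisted or unknown symbol), and how many p_ed_pids objects were still live when the cache was torn down on the failure path. The sample input is constructed from lines in this message; the kretprobe and slab message formats are assumed from what is shown here. EPERM from register_kretprobe is what a kernel returns when kprobes are refused by lockdown, which would fit the Secure Boot setup described in the message, but that reading is an assumption to confirm against the running kernel, not something the message establishes.

```python
"""Triage helper for LKRG insmod failures seen in dmesg (added example, not LKRG code)."""
import errno
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the dmesg paste in the message,
# one kernel message per line, covering a single failed load attempt.
SAMPLE_DMESG = """\
[49489.022791] [p_lkrg] Loading LKRG...
[49489.035166] [p_lkrg] 4 UMH paths were whitelisted...
[49489.062492] [p_lkrg] [kretprobe] register_kretprobe() for <__x64_sys_execve> failed! [err=-1]
[49489.063577] [p_lkrg] ERROR: Can't hook execve syscall :(
[49489.072029] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49489.075145] INFO: Slab 0x00000000529c1343 objects=16 used=10 fp=0x000000009be478b7 flags=0x17ffffc0010200
[49489.087909] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
[49489.090981] INFO: Slab 0x000000001e329e61 objects=16 used=1 fp=0x000000009956a488 flags=0x17ffffc0010200
[49489.114800] kmem_cache_destroy p_ed_pids: Slab cache still has objects
[49489.116381] [p_lkrg] Can't initialize exploit detection features! Exiting...
[49489.117881] OOM killer enabled.
"""

# Message formats are assumed from the lines shown in this thread.
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
KRETPROBE_RE = re.compile(r"register_kretprobe\(\) for <([^>]+)> failed! \[err=(-?\d+)\]")
SLAB_BUG_RE = re.compile(r"^BUG (\S+) .*Objects remaining in \1 on __kmem_cache_shutdown\(\)")
SLAB_USED_RE = re.compile(r"^INFO: Slab 0x[0-9a-f]+ objects=\d+ used=(\d+)")


@dataclass
class LoadAttempt:
    """Everything worth knowing about one '[p_lkrg] Loading LKRG...' attempt."""
    start_ts: float
    failed_hooks: list = field(default_factory=list)    # (symbol, errno name)
    leaked_objects: dict = field(default_factory=dict)  # cache name -> objects still live
    fatal: bool = False


def errno_name(ret):
    """Map a negative kernel return value to its errno symbol, e.g. -1 -> 'EPERM'."""
    return errno.errorcode.get(-ret, f"errno {-ret}")


def parse_dmesg(text):
    """Group LKRG log lines into load attempts and pull out the failure details."""
    attempts = []
    current = None
    pending_cache = None  # cache named by the last BUG line, awaiting its INFO: Slab line
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if msg.startswith("[p_lkrg] Loading LKRG"):
            current = LoadAttempt(start_ts=ts)
            attempts.append(current)
            continue
        if current is None:
            continue  # unrelated noise (e.g. firewall lines) before any load attempt
        if (k := KRETPROBE_RE.search(msg)):
            current.failed_hooks.append((k.group(1), errno_name(int(k.group(2)))))
        elif (b := SLAB_BUG_RE.match(msg)):
            pending_cache = b.group(1)
        elif pending_cache and (u := SLAB_USED_RE.match(msg)):
            # Each BUG block reports one slab; sum the 'used=' counts across blocks.
            current.leaked_objects[pending_cache] = (
                current.leaked_objects.get(pending_cache, 0) + int(u.group(1)))
            pending_cache = None
        elif "Can't initialize exploit detection features" in msg:
            current.fatal = True
    return attempts


def summarize(attempts):
    """One human-readable line per attempt."""
    lines = []
    for a in attempts:
        hooks = ", ".join(f"{sym} ({err})" for sym, err in a.failed_hooks) or "none"
        leaks = ", ".join(f"{c}: {n} objects" for c, n in a.leaked_objects.items()) or "none"
        lines.append(f"attempt@{a.start_ts}: fatal={a.fatal}; failed hooks: {hooks}; "
                     f"slab objects left at teardown: {leaks}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_dmesg(SAMPLE_DMESG)):
        print(line)
```

Run it against `dmesg` output piped into `parse_dmesg` instead of the sample to get the same per-attempt summary for a live system; lines before the first "Loading LKRG" marker, such as the netfilter log entries interleaved in the paste, are skipped.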