Message-ID: <20200318033345.GA6006@pi3.com.pl>
Date: Wed, 18 Mar 2020 04:33:45 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: ERROR: Can't hook execve syscall

Hi,

The problem which you are hitting is connected to that:

"the system has Secure Boot enabled,"

Currently, many Linux distributions apply custom patches to better support the Secure Boot scenario. However, among others, RedHat developed the "kernel lockdown" patch. As part of that patch they essentially disabled *kprobes, for reasons unknown to me. LKRG leverages *kprobes to put essential hooks in place, and under that specific patch it is not possible.

We are aware of that problem, and around 2018 I tried to point out that they broke some essential kernel functionality. However, that mail thread didn't go anywhere. I'm going to poke them again, as this has become problematic since more people are hitting this issue.

One way to work around this problem is to disable SecureBoot. I don't know if it is possible to disable just pure lockdown without disabling SecureBoot (maybe it is). You can also recompile the distro kernel and remove the problematic patch:

https://patchwork.kernel.org/patch/10051295/

Thanks,
Adam

On Tue, Mar 17, 2020 at 11:28:28AM +0000, Paweł Krawczyk wrote:
> Latest lkrg-main crashes on insmod - the system has Secure Boot enabled,
> MOK loaded and the module is signed using ksignmod, not sure if this
> matters?
>
> # lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 19.10
> Release:        19.10
> Codename:       eoan
>
> # insmod p_lkrg.ko
>
> [49239.907612] [p_lkrg] Loading LKRG...
> [49239.912796] Freezing user space processes ... (elapsed 0.148 seconds) done.
> [49240.061763] OOM killer disabled.
> [49240.061767] [p_lkrg] Verifying 21 potential UMH paths for whitelisting...
> [49240.061943] [p_lkrg] 4 UMH paths were whitelisted...
> [49240.119520] [p_lkrg] [kretprobe] register_kretprobe() for <__x64_sys_execve> failed! [err=-1]
> [49240.120340] [p_lkrg] ERROR: Can't hook execve syscall :(
> [49240.121295] =============================================================================
> [49240.122121] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49240.122970] -----------------------------------------------------------------------------
>
> [49240.124689] INFO: Slab 0x0000000024482916 objects=16 used=12 fp=0x00000000c7a2d8f7 flags=0x17ffffc0010200
> [49240.125590] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49240.125591] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49240.125592] Call Trace:
> [49240.125602] dump_stack+0x6d/0x9a
> [49240.125604] slab_err+0xb7/0xdc
> [49240.125607] __kmem_cache_shutdown.cold+0x37/0x123
> [49240.125610] shutdown_cache+0x16/0x160
> [49240.125611] kmem_cache_destroy+0x217/0x230
> [49240.125628] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49240.125636] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49240.125643] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49240.125651] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49240.125653] ? 0xffffffffc14c0000
> [49240.125660] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49240.125661] ? 0xffffffffc14c0000
> [49240.125663] do_one_initcall+0x4a/0x1fa
> [49240.125665] ? kmem_cache_alloc_trace+0x163/0x230
> [49240.125667] do_init_module+0x62/0x250
> [49240.125669] load_module+0x10d4/0x1220
> [49240.125672] __do_sys_finit_module+0xbe/0x120
> [49240.125674] ? __do_sys_finit_module+0xbe/0x120
> [49240.125676] __x64_sys_finit_module+0x1a/0x20
> [49240.125678] do_syscall_64+0x5a/0x130
> [49240.125681] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49240.125682] RIP: 0033:0x7fd5fcaf994d
> [49240.125685] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49240.125686] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49240.125688] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
> [49240.125689] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
> [49240.125689] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
> [49240.125690] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49240.125691] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
> [49240.125693] INFO: Object 0x00000000ab512677 @offset=64
> [49240.126579] INFO: Object 0x000000009b4608e4 @offset=576
> [49240.127448] INFO: Object 0x000000008d78d16e @offset=1088
> [49240.128307] INFO: Object 0x00000000b839ef80 @offset=3136
> [49240.129234] INFO: Object 0x00000000dffe77d5 @offset=3648
> [49240.130135] INFO: Object 0x000000003cbf05cb @offset=4160
> [49240.131034] INFO: Object 0x0000000021ffbda7 @offset=4672
> [49240.131928] INFO: Object 0x0000000033a21efb @offset=5184
> [49240.132812] INFO: Object 0x00000000fe6088a2 @offset=5696
> [49240.133686] INFO: Object 0x0000000025d60964 @offset=6208
> [49240.134557] INFO: Object 0x00000000f6d0cf84 @offset=6720
> [49240.135418] INFO: Object 0x0000000066b20dcc @offset=7744
> [49240.136271] =============================================================================
> [49240.137137] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49240.138022] -----------------------------------------------------------------------------
>
> [49240.139770] INFO: Slab 0x000000001677baa7 objects=16 used=2 fp=0x000000002530c442 flags=0x17ffffc0010200
> [49240.140662] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49240.140662] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49240.140663] Call Trace:
> [49240.140665] dump_stack+0x6d/0x9a
> [49240.140667] slab_err+0xb7/0xdc
> [49240.140670] __kmem_cache_shutdown.cold+0x37/0x123
> [49240.140672] shutdown_cache+0x16/0x160
> [49240.140673] kmem_cache_destroy+0x217/0x230
> [49240.140681] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49240.140689] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49240.140698] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49240.140705] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49240.140707] ? 0xffffffffc14c0000
> [49240.140714] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49240.140715] ? 0xffffffffc14c0000
> [49240.140716] do_one_initcall+0x4a/0x1fa
> [49240.140718] ? kmem_cache_alloc_trace+0x163/0x230
> [49240.140720] do_init_module+0x62/0x250
> [49240.140721] load_module+0x10d4/0x1220
> [49240.140724] __do_sys_finit_module+0xbe/0x120
> [49240.140726] ? __do_sys_finit_module+0xbe/0x120
> [49240.140728] __x64_sys_finit_module+0x1a/0x20
> [49240.140730] do_syscall_64+0x5a/0x130
> [49240.140731] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49240.140732] RIP: 0033:0x7fd5fcaf994d
> [49240.140734] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49240.140735] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49240.140736] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
> [49240.140737] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
> [49240.140738] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
> [49240.140739] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49240.140739] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
> [49240.140741] INFO: Object 0x00000000a6813070 @offset=3136
> [49240.141629] INFO: Object 0x000000009ceab088 @offset=7232
> [49240.142509] =============================================================================
> [49240.143397] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49240.144298] -----------------------------------------------------------------------------
>
> [49240.146100] INFO: Slab 0x0000000036ce7957 objects=16 used=2 fp=0x000000001bf84bf9 flags=0x17ffffc0010200
> [49240.147040] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49240.147040] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49240.147041] Call Trace:
> [49240.147043] dump_stack+0x6d/0x9a
> [49240.147045] slab_err+0xb7/0xdc
> [49240.147048] __kmem_cache_shutdown.cold+0x37/0x123
> [49240.147049] shutdown_cache+0x16/0x160
> [49240.147051] kmem_cache_destroy+0x217/0x230
> [49240.147059] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49240.147067] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49240.147075] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49240.147083] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49240.147084] ? 0xffffffffc14c0000
> [49240.147091] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49240.147092] ? 0xffffffffc14c0000
> [49240.147094] do_one_initcall+0x4a/0x1fa
> [49240.147095] ? kmem_cache_alloc_trace+0x163/0x230
> [49240.147097] do_init_module+0x62/0x250
> [49240.147099] load_module+0x10d4/0x1220
> [49240.147102] __do_sys_finit_module+0xbe/0x120
> [49240.147103] ? __do_sys_finit_module+0xbe/0x120
> [49240.147105] __x64_sys_finit_module+0x1a/0x20
> [49240.147107] do_syscall_64+0x5a/0x130
> [49240.147109] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49240.147109] RIP: 0033:0x7fd5fcaf994d
> [49240.147111] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49240.147112] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49240.147113] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
> [49240.147114] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
> [49240.147114] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
> [49240.147115] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49240.147116] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
> [49240.147118] INFO: Object 0x000000000e9ccf4a @offset=2112
> [49240.148057] INFO: Object 0x00000000239d25d3 @offset=7744
> [49240.148993] =============================================================================
> [49240.150017] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49240.151109] -----------------------------------------------------------------------------
>
> [49240.153322] INFO: Slab 0x000000005fe2f05a objects=16 used=4 fp=0x000000008dd30bc1 flags=0x17ffffc0010200
> [49240.154470] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49240.154470] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49240.154471] Call Trace:
> [49240.154473] dump_stack+0x6d/0x9a
> [49240.154475] slab_err+0xb7/0xdc
> [49240.154478] __kmem_cache_shutdown.cold+0x37/0x123
> [49240.154480] shutdown_cache+0x16/0x160
> [49240.154482] kmem_cache_destroy+0x217/0x230
> [49240.154490] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49240.154499] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49240.154508] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49240.154517] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49240.154518] ? 0xffffffffc14c0000
> [49240.154526] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49240.154527] ? 0xffffffffc14c0000
> [49240.154529] do_one_initcall+0x4a/0x1fa
> [49240.154531] ? kmem_cache_alloc_trace+0x163/0x230
> [49240.154533] do_init_module+0x62/0x250
> [49240.154534] load_module+0x10d4/0x1220
> [49240.154538] __do_sys_finit_module+0xbe/0x120
> [49240.154539] ? __do_sys_finit_module+0xbe/0x120
> [49240.154542] __x64_sys_finit_module+0x1a/0x20
> [49240.154544] do_syscall_64+0x5a/0x130
> [49240.154546] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49240.154547] RIP: 0033:0x7fd5fcaf994d
> [49240.154548] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49240.154549] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49240.154550] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
> [49240.154551] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
> [49240.154552] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
> [49240.154553] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49240.154553] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
> [49240.154556] INFO: Object 0x000000006bd437c4 @offset=1088
> [49240.155712] INFO: Object 0x00000000a64d8b8b @offset=3648
> [49240.156870] INFO: Object 0x00000000df16bf87 @offset=4160
> [49240.157974] INFO: Object 0x0000000000b41ea7 @offset=6720
> [49240.159093] kmem_cache_destroy p_ed_pids: Slab cache still has objects
> [49240.160155] CPU: 1 PID: 2457 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49240.160156] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49240.160157] Call Trace:
> [49240.160159] dump_stack+0x6d/0x9a
> [49240.160162] kmem_cache_destroy.cold+0x15/0x1a
> [49240.160170] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49240.160179] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49240.160188] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49240.160196] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49240.160198] ? 0xffffffffc14c0000
> [49240.160205] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49240.160207] ? 0xffffffffc14c0000
> [49240.160208] do_one_initcall+0x4a/0x1fa
> [49240.160210] ? kmem_cache_alloc_trace+0x163/0x230
> [49240.160212] do_init_module+0x62/0x250
> [49240.160214] load_module+0x10d4/0x1220
> [49240.160217] __do_sys_finit_module+0xbe/0x120
> [49240.160219] ? __do_sys_finit_module+0xbe/0x120
> [49240.160221] __x64_sys_finit_module+0x1a/0x20
> [49240.160223] do_syscall_64+0x5a/0x130
> [49240.160225] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49240.160226] RIP: 0033:0x7fd5fcaf994d
> [49240.160228] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49240.160229] RSP: 002b:00007fff75d565d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49240.160230] RAX: ffffffffffffffda RBX: 0000562eaf294790 RCX: 00007fd5fcaf994d
> [49240.160231] RDX: 0000000000000000 RSI: 0000562ead7f93f0 RDI: 0000000000000003
> [49240.160232] RBP: 0000562ead7f93f0 R08: 0000000000000000 R09: 00007fd5fcbcc240
> [49240.160232] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49240.160233] R13: 0000562eaf294760 R14: 0000000000000000 R15: 0000000000000000
> [49240.160235] [p_lkrg] Can't initialize exploit detection features! Exiting...
> [49240.161319] OOM killer enabled.
> [49240.161319] Restarting tasks ... done.
> [49252.906151] IN IN=ppp0 OUT= MAC= SRC=114.33.117.199 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=44728 PROTO=TCP SPT=28663 DPT=52869 WINDOW=43332 RES=0x00 SYN URGP=0
> [49257.347638] IN IN=ppp0 OUT= MAC= SRC=185.176.27.250 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=37512 PROTO=TCP SPT=54462 DPT=51852 WINDOW=1024 RES=0x00 SYN URGP=0
> [49257.357381] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2001:0bb6:360f:9458:be76:5eff:fe9b:ea8d DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=152 TC=0 HOPLIMIT=51 FLOWLBL=0 PROTO=UDP SPT=6881 DPT=31338 LEN=112
> [49265.332618] IN IN=ppp0 OUT= MAC= SRC=142.11.209.108 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=30808 PROTO=TCP SPT=40840 DPT=3383 WINDOW=1024 RES=0x00 SYN URGP=0
> [49269.270580] IN IN=ppp0 OUT= MAC= SRC=71.6.167.142 DST=91.135.7.108 LEN=44 TOS=0x10 PREC=0x00 TTL=114 ID=31277 PROTO=TCP SPT=29011 DPT=5801 WINDOW=9662 RES=0x00 SYN URGP=0
> [49277.989275] IN IN=ppp0 OUT= MAC= SRC=51.161.105.130 DST=91.135.7.108 LEN=40 TOS=0x14 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=443 DPT=44806 WINDOW=0 RES=0x00 RST URGP=0
> [49284.275247] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=2a03:b0c0:0000:1010:0000:0000:0023:1001 DST=2a02:0390:79ef:caaa:6d27:51cb:74f4:29d3 LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=945080 PROTO=TCP SPT=443 DPT=47460 WINDOW=0 RES=0x00 RST URGP=0
> [49284.276421] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=2a03:b0c0:0000:1010:0000:0000:0023:1001 DST=2a02:0390:79ef:caaa:6d27:51cb:74f4:29d3 LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=945080 PROTO=TCP SPT=443 DPT=47460 WINDOW=0 RES=0x00 RST URGP=0
> [49312.237847] IN IN=ppp0 OUT= MAC= SRC=82.102.173.78 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54891 PROTO=TCP SPT=55313 DPT=1443 WINDOW=1024 RES=0x00 SYN URGP=0
> [49318.140589] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2408:84e7:04a1:ee05:b1c6:9822:755c:d744 DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=115 TC=0 HOPLIMIT=49 FLOWLBL=952431 PROTO=UDP SPT=52856 DPT=31338 LEN=75
> [49329.979271] IN IN=ppp0 OUT= MAC= SRC=122.226.189.51 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=61391 DPT=60001 WINDOW=16384 RES=0x00 SYN URGP=0
> [49335.666723] IN IN=ppp0 OUT= MAC= SRC=207.180.238.101 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=26640 PROTO=TCP SPT=47203 DPT=3351 WINDOW=1024 RES=0x00 SYN URGP=0
> [49337.270712] IN IN=ppp0 OUT= MAC= SRC=172.104.88.91 DST=91.135.7.108 LEN=33 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=UDP SPT=57310 DPT=3283 LEN=13
> [49338.372027] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2a02:0c7f:50d6:2e00:09f3:9d71:f532:4224 DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=113 TC=0 HOPLIMIT=56 FLOWLBL=160990 PROTO=UDP SPT=13773 DPT=31338 LEN=73
> [49350.912166] IN IN=ppp0 OUT= MAC= SRC=185.94.111.1 DST=91.135.7.108 LEN=43 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=UDP SPT=34875 DPT=11211 LEN=23
> [49359.459848] IN IN=ppp0 OUT= MAC= SRC=185.176.27.42 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=9752 PROTO=TCP SPT=46653 DPT=55103 WINDOW=1024 RES=0x00 SYN URGP=0
> [49365.549297] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=3735 PROTO=TCP SPT=55902 DPT=3755 WINDOW=1024 RES=0x00 SYN URGP=0
> [49370.957817] IN IN=ppp0 OUT= MAC= SRC=159.89.80.112 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55447 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
> [49371.620777] FWD IN=ppp0 OUT=ppp0 MAC= SRC=2001:0818:e809:7700:65b2:88a1:4c2b:5799 DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=119 TC=0 HOPLIMIT=52 FLOWLBL=664893 PROTO=UDP SPT=16650 DPT=31338 LEN=79
> [49374.482523] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=23415 PROTO=TCP SPT=55902 DPT=6064 WINDOW=1024 RES=0x00 SYN URGP=0
> [49381.141220] IN IN=ppp0 OUT= MAC= SRC=107.189.11.232 DST=91.135.7.108 LEN=40 TOS=0x08 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=53009 DPT=222 WINDOW=65535 RES=0x00 SYN URGP=0
> [49388.644148] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:de28:3748 LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=42665 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
> [49388.644330] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:aaed:336c LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=23822 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
> [49388.644578] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:d159:763e LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=34037 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
> [49388.645330] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:914f:b1ea LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=7507 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
> [49388.645831] FWD IN=ppp0 OUT=enp2s0f1 MAC= SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 DST=2a02:0390:79ef:0000:0000:0000:046d:683e LEN=64 TC=0 HOPLIMIT=240 FLOWLBL=0 PROTO=TCP SPT=41512 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
> [49392.042926] [p_lkrg] Loading LKRG...
> [49392.047392] Freezing user space processes ... (elapsed 0.001 seconds) done.
> [49392.049291] OOM killer disabled.
> [49392.049294] [p_lkrg] Verifying 21 potential UMH paths for whitelisting...
> [49392.049397] [p_lkrg] 4 UMH paths were whitelisted...
> [49392.078559] [p_lkrg] [kretprobe] register_kretprobe() for <__x64_sys_execve> failed! [err=-1]
> [49392.079367] [p_lkrg] ERROR: Can't hook execve syscall :(
> [49392.080366] =============================================================================
> [49392.081240] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49392.082136] -----------------------------------------------------------------------------
>
> [49392.083936] INFO: Slab 0x00000000e942caf2 objects=16 used=9 fp=0x00000000abd675a5 flags=0x17ffffc0010200
> [49392.084873] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49392.084874] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49392.084875] Call Trace:
> [49392.084884] dump_stack+0x6d/0x9a
> [49392.084888] slab_err+0xb7/0xdc
> [49392.084890] __kmem_cache_shutdown.cold+0x37/0x123
> [49392.084893] shutdown_cache+0x16/0x160
> [49392.084895] kmem_cache_destroy+0x217/0x230
> [49392.084913] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49392.084921] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49392.084929] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49392.084937] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49392.084939] ? 0xffffffffc14c0000
> [49392.084946] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49392.084948] ? 0xffffffffc14c0000
> [49392.084950] do_one_initcall+0x4a/0x1fa
> [49392.084952] ? kmem_cache_alloc_trace+0x163/0x230
> [49392.084955] do_init_module+0x62/0x250
> [49392.084957] load_module+0x10d4/0x1220
> [49392.084960] __do_sys_finit_module+0xbe/0x120
> [49392.084961] ? __do_sys_finit_module+0xbe/0x120
> [49392.084963] __x64_sys_finit_module+0x1a/0x20
> [49392.084965] do_syscall_64+0x5a/0x130
> [49392.084969] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49392.084971] RIP: 0033:0x7f4e7eb3994d
> [49392.084974] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49392.084975] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49392.084977] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
> [49392.084978] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
> [49392.084978] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
> [49392.084979] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49392.084980] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
> [49392.084982] INFO: Object 0x00000000f5717365 @offset=64
> [49392.085960] INFO: Object 0x0000000061773205 @offset=576
> [49392.087007] INFO: Object 0x00000000c1bb7148 @offset=1088
> [49392.088044] INFO: Object 0x0000000039487805 @offset=1600
> [49392.089078] INFO: Object 0x00000000515bdfb8 @offset=2624
> [49392.090097] INFO: Object 0x000000002bd2e6db @offset=5696
> [49392.091105] INFO: Object 0x00000000e6ef7231 @offset=6208
> [49392.092115] INFO: Object 0x000000006338dc7d @offset=7232
> [49392.093116] INFO: Object 0x00000000fa45fa08 @offset=7744
> [49392.094116] =============================================================================
> [49392.095131] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49392.096176] -----------------------------------------------------------------------------
>
> [49392.098288] INFO: Slab 0x00000000fcfc84c9 objects=16 used=10 fp=0x00000000c5116a0b flags=0x17ffffc0010200
> [49392.099388] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49392.099389] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49392.099390] Call Trace:
> [49392.099392] dump_stack+0x6d/0x9a
> [49392.099395] slab_err+0xb7/0xdc
> [49392.099397] __kmem_cache_shutdown.cold+0x37/0x123
> [49392.099400] shutdown_cache+0x16/0x160
> [49392.099402] kmem_cache_destroy+0x217/0x230
> [49392.099410] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49392.099419] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49392.099428] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49392.099437] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49392.099439] ? 0xffffffffc14c0000
> [49392.099446] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49392.099448] ? 0xffffffffc14c0000
> [49392.099450] do_one_initcall+0x4a/0x1fa
> [49392.099452] ? kmem_cache_alloc_trace+0x163/0x230
> [49392.099454] do_init_module+0x62/0x250
> [49392.099455] load_module+0x10d4/0x1220
> [49392.099459] __do_sys_finit_module+0xbe/0x120
> [49392.099460] ? __do_sys_finit_module+0xbe/0x120
> [49392.099463] __x64_sys_finit_module+0x1a/0x20
> [49392.099465] do_syscall_64+0x5a/0x130
> [49392.099467] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49392.099468] RIP: 0033:0x7f4e7eb3994d
> [49392.099470] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49392.099471] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49392.099472] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
> [49392.099473] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
> [49392.099474] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
> [49392.099475] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49392.099475] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
> [49392.099477] INFO: Object 0x0000000005d2db9b @offset=64
> [49392.100579] INFO: Object 0x00000000a2fafc2b @offset=576
> [49392.101675] INFO: Object 0x000000000779c959 @offset=1088
> [49392.102764] INFO: Object 0x00000000cf3906b0 @offset=1600
> [49392.103841] INFO: Object 0x000000000a73b627 @offset=2624
> [49392.104916] INFO: Object 0x00000000d3535c4e @offset=3648
> [49392.105988] INFO: Object 0x0000000024a6a240 @offset=4160
> [49392.107063] INFO: Object 0x0000000009f029b6 @offset=4672
> [49392.108132] INFO: Object 0x0000000049597653 @offset=5696
> [49392.109193] INFO: Object 0x00000000eaf25132 @offset=6208
> [49392.110250] =============================================================================
> [49392.111319] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49392.112415] -----------------------------------------------------------------------------
>
> [49392.114626] INFO: Slab 0x000000003b1992e2 objects=16 used=3 fp=0x00000000ad59ad4c flags=0x17ffffc0010200
> [49392.115777] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49392.115777] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49392.115778] Call Trace:
> [49392.115781] dump_stack+0x6d/0x9a
> [49392.115783] slab_err+0xb7/0xdc
> [49392.115785] __kmem_cache_shutdown.cold+0x37/0x123
> [49392.115788] shutdown_cache+0x16/0x160
> [49392.115789] kmem_cache_destroy+0x217/0x230
> [49392.115798] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49392.115807] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49392.115817] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49392.115826] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49392.115827] ? 0xffffffffc14c0000
> [49392.115835] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49392.115837] ? 0xffffffffc14c0000
> [49392.115839] do_one_initcall+0x4a/0x1fa
> [49392.115841] ? kmem_cache_alloc_trace+0x163/0x230
> [49392.115842] do_init_module+0x62/0x250
> [49392.115844] load_module+0x10d4/0x1220
> [49392.115848] __do_sys_finit_module+0xbe/0x120
> [49392.115849] ? __do_sys_finit_module+0xbe/0x120
> [49392.115852] __x64_sys_finit_module+0x1a/0x20
> [49392.115853] do_syscall_64+0x5a/0x130
> [49392.115855] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49392.115856] RIP: 0033:0x7f4e7eb3994d
> [49392.115858] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49392.115859] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49392.115860] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
> [49392.115861] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
> [49392.115862] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
> [49392.115863] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49392.115863] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
> [49392.115866] INFO: Object 0x000000000b246cb1 @offset=576
> [49392.117015] INFO: Object 0x000000002c77dc6d @offset=6208
> [49392.118157] INFO: Object 0x00000000d54b4cc0 @offset=7232
> [49392.119299] =============================================================================
> [49392.120465] BUG p_ed_pids (Tainted: P B O ): Objects remaining in p_ed_pids on __kmem_cache_shutdown()
> [49392.121631] -----------------------------------------------------------------------------
>
> [49392.123792] INFO: Slab 0x00000000ba9d25ca objects=16 used=6 fp=0x0000000063a0b344 flags=0x17ffffc0010200
> [49392.124898] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49392.124899] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49392.124900] Call Trace:
> [49392.124902] dump_stack+0x6d/0x9a
> [49392.124903] slab_err+0xb7/0xdc
> [49392.124906] __kmem_cache_shutdown.cold+0x37/0x123
> [49392.124908] shutdown_cache+0x16/0x160
> [49392.124909] kmem_cache_destroy+0x217/0x230
> [49392.124917] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49392.124925] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49392.124933] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49392.124941] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49392.124943] ? 0xffffffffc14c0000
> [49392.124950] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49392.124951] ? 0xffffffffc14c0000
> [49392.124952] do_one_initcall+0x4a/0x1fa
> [49392.124954] ? kmem_cache_alloc_trace+0x163/0x230
> [49392.124956] do_init_module+0x62/0x250
> [49392.124957] load_module+0x10d4/0x1220
> [49392.124960] __do_sys_finit_module+0xbe/0x120
> [49392.124962] ? __do_sys_finit_module+0xbe/0x120
> [49392.124964] __x64_sys_finit_module+0x1a/0x20
> [49392.124965] do_syscall_64+0x5a/0x130
> [49392.124967] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49392.124968] RIP: 0033:0x7f4e7eb3994d
> [49392.124969] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49392.124970] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49392.124971] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
> [49392.124972] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
> [49392.124973] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
> [49392.124974] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49392.124974] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
> [49392.124976] INFO: Object 0x0000000058424623 @offset=64
> [49392.126081] INFO: Object 0x0000000072623c3d @offset=1600
> [49392.127182] INFO: Object 0x0000000088a4551d @offset=2624
> [49392.128280] INFO: Object 0x0000000014225fae @offset=4160
> [49392.129376] INFO: Object 0x0000000049762c1d @offset=6720
> [49392.130470] INFO: Object 0x00000000e54b4cea @offset=7744
> [49392.131600] kmem_cache_destroy p_ed_pids: Slab cache still has objects
> [49392.132713] CPU: 0 PID: 4448 Comm: insmod Tainted: P B O 5.3.0-42-generic #34-Ubuntu
> [49392.132714] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant MicroServer Gen10, BIOS 5.12 06/26/2018
> [49392.132714] Call Trace:
> [49392.132716] dump_stack+0x6d/0x9a
> [49392.132719] kmem_cache_destroy.cold+0x15/0x1a
> [49392.132727] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg]
> [49392.132734] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg]
> [49392.132743] p_exploit_detection_exit+0x118/0x130 [p_lkrg]
> [49392.132751] p_exploit_detection_init+0x514/0x8c0 [p_lkrg]
> [49392.132752] ? 0xffffffffc14c0000
> [49392.132759] p_lkrg_register+0x103/0x1000 [p_lkrg]
> [49392.132760] ? 0xffffffffc14c0000
> [49392.132762] do_one_initcall+0x4a/0x1fa
> [49392.132764] ? kmem_cache_alloc_trace+0x163/0x230
> [49392.132765] do_init_module+0x62/0x250
> [49392.132767] load_module+0x10d4/0x1220
> [49392.132770] __do_sys_finit_module+0xbe/0x120
> [49392.132771] ? __do_sys_finit_module+0xbe/0x120
> [49392.132773] __x64_sys_finit_module+0x1a/0x20
> [49392.132775] do_syscall_64+0x5a/0x130
> [49392.132777] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [49392.132778] RIP: 0033:0x7f4e7eb3994d
> [49392.132779] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48
> [49392.132780] RSP: 002b:00007ffc9f1c90e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [49392.132781] RAX: ffffffffffffffda RBX: 000055baf0f15790 RCX: 00007f4e7eb3994d
> [49392.132782] RDX: 0000000000000000 RSI: 000055baf0d243f0 RDI: 0000000000000003
> [49392.132782] RBP: 000055baf0d243f0 R08: 0000000000000000 R09: 00007f4e7ec0c240
> [49392.132783] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> [49392.132784] R13: 000055baf0f15760 R14: 0000000000000000 R15: 0000000000000000
> [49392.132786] [p_lkrg] Can't initialize exploit detection features! Exiting...
> [49392.133912] OOM killer enabled.
> [49392.133912] Restarting tasks ... done.
> [49396.074664] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 > LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=57112 PROTO=TCP SPT=55902 DPT=4560 > WINDOW=1024 RES=0x00 SYN URGP=0 > [49405.805365] IN IN=ppp0 OUT= MAC= SRC=93.174.93.72 DST=91.135.7.108 > LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=17475 PROTO=TCP SPT=56667 DPT=4899 > WINDOW=1024 RES=0x00 SYN URGP=0 > [49409.967566] IN IN=ppp0 OUT= MAC= SRC=185.216.140.34 DST=91.135.7.108 > LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=37250 PROTO=TCP SPT=55902 DPT=5112 > WINDOW=1024 RES=0x00 SYN URGP=0 > [49428.799972] IN IN=ppp0 OUT= MAC= SRC=45.143.220.35 DST=91.135.7.108 > LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=12456 PROTO=TCP SPT=41293 DPT=8379 > WINDOW=1024 RES=0x00 SYN URGP=0 > [49448.338091] FWD IN=ppp0 OUT=ppp0 MAC= > SRC=2408:8221:6414:c010:2021:0da2:f7c2:4d2a > DST=2a02:0390:feed:79ef:65df:287e:876d:d569 LEN=115 TC=0 HOPLIMIT=240 > FLOWLBL=0 PROTO=UDP SPT=52677 DPT=31338 LEN=75 > [49456.402071] FWD IN=ppp0 OUT=enp2s0f1 MAC= > SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 > DST=2a02:0390:79ef:0000:0000:0000:76e5:11df LEN=64 TC=0 HOPLIMIT=240 > FLOWLBL=0 PROTO=TCP SPT=31940 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 > [49456.407549] FWD IN=ppp0 OUT=enp2s0f1 MAC= > SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 > DST=2a02:0390:79ef:0000:0000:0000:9082:b96c LEN=64 TC=0 HOPLIMIT=240 > FLOWLBL=0 PROTO=TCP SPT=20499 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 > [49456.407718] FWD IN=ppp0 OUT=enp2s0f1 MAC= > SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 > DST=2a02:0390:79ef:0000:0000:0000:1d3d:f1de LEN=64 TC=0 HOPLIMIT=240 > FLOWLBL=0 PROTO=TCP SPT=58577 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 > [49456.426058] FWD IN=ppp0 OUT=enp2s0f1 MAC= > SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 > DST=2a02:0390:79ef:0000:0000:0000:9d51:54db LEN=64 TC=0 HOPLIMIT=240 > FLOWLBL=0 PROTO=TCP SPT=17257 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 > [49456.426469] FWD IN=ppp0 OUT=enp2s0f1 MAC= > SRC=240e:00f7:4f01:000c:0000:0000:0000:0002 > 
DST=2a02:0390:79ef:0000:0000:0000:03a0:49cd LEN=64 TC=0 HOPLIMIT=240 > FLOWLBL=0 PROTO=TCP SPT=50737 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 > [49488.982431] IN IN=ppp0 OUT= MAC= SRC=185.216.140.252 DST=91.135.7.108 > LEN=40 TOS=0x00 PREC=0x00 TTL=253 ID=42385 PROTO=TCP SPT=58118 DPT=55569 > WINDOW=1024 RES=0x00 SYN URGP=0 > [49489.022791] [p_lkrg] Loading LKRG... > [49489.027851] Freezing user space processes ... (elapsed 0.007 seconds) > done. > [49489.035070] OOM killer disabled. > [49489.035073] [p_lkrg] Verifying 21 potential UMH paths for whitelisting... > [49489.035166] [p_lkrg] 4 UMH paths were whitelisted... > [49489.062492] [p_lkrg] [kretprobe] register_kretprobe() for > <__x64_sys_execve> failed! [err=-1] > [49489.063577] [p_lkrg] ERROR: Can't hook execve syscall :( > [49489.070994] > ============================================================================= > [49489.072029] BUG p_ed_pids (Tainted: P B O ): Objects > remaining in p_ed_pids on __kmem_cache_shutdown() > [49489.073062] > ----------------------------------------------------------------------------- > > [49489.075145] INFO: Slab 0x00000000529c1343 objects=16 used=10 > fp=0x000000009be478b7 flags=0x17ffffc0010200 > [49489.076211] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O > 5.3.0-42-generic #34-Ubuntu > [49489.076212] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant > MicroServer Gen10, BIOS 5.12 06/26/2018 > [49489.076213] Call Trace: > [49489.076225] dump_stack+0x6d/0x9a > [49489.076229] slab_err+0xb7/0xdc > [49489.076233] __kmem_cache_shutdown.cold+0x37/0x123 > [49489.076236] shutdown_cache+0x16/0x160 > [49489.076238] kmem_cache_destroy+0x217/0x230 > [49489.076257] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] > [49489.076265] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] > [49489.076273] p_exploit_detection_exit+0x118/0x130 [p_lkrg] > [49489.076280] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] > [49489.076282] ? 
0xffffffffc14c0000 > [49489.076289] p_lkrg_register+0x103/0x1000 [p_lkrg] > [49489.076290] ? 0xffffffffc14c0000 > [49489.076294] do_one_initcall+0x4a/0x1fa > [49489.076296] ? kmem_cache_alloc_trace+0x163/0x230 > [49489.076299] do_init_module+0x62/0x250 > [49489.076301] load_module+0x10d4/0x1220 > [49489.076304] __do_sys_finit_module+0xbe/0x120 > [49489.076306] ? __do_sys_finit_module+0xbe/0x120 > [49489.076308] __x64_sys_finit_module+0x1a/0x20 > [49489.076310] do_syscall_64+0x5a/0x130 > [49489.076313] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [49489.076314] RIP: 0033:0x7f409b53194d > [49489.076317] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa > 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f > 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 > [49489.076318] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: > 0000000000000139 > [49489.076320] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: > 00007f409b53194d > [49489.076321] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: > 0000000000000003 > [49489.076322] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: > 00007f409b604240 > [49489.076322] R10: 0000000000000003 R11: 0000000000000246 R12: > 0000000000000000 > [49489.076323] R13: 0000557d8b06a760 R14: 0000000000000000 R15: > 0000000000000000 > [49489.076325] INFO: Object 0x0000000043a90647 @offset=576 > [49489.077422] INFO: Object 0x00000000d3520399 @offset=1600 > [49489.078466] INFO: Object 0x00000000a53ba283 @offset=2112 > [49489.079504] INFO: Object 0x00000000b2d07bd4 @offset=2624 > [49489.080639] INFO: Object 0x0000000092730c13 @offset=3136 > [49489.081723] INFO: Object 0x0000000094010b23 @offset=4160 > [49489.082795] INFO: Object 0x000000004f783266 @offset=5184 > [49489.083850] INFO: Object 0x00000000ab72696c @offset=5696 > [49489.084885] INFO: Object 0x00000000762af032 @offset=7232 > [49489.085899] INFO: Object 0x0000000029d7795d @offset=7744 > [49489.086904] > 
============================================================================= > [49489.087909] BUG p_ed_pids (Tainted: P B O ): Objects > remaining in p_ed_pids on __kmem_cache_shutdown() > [49489.088922] > ----------------------------------------------------------------------------- > > [49489.090981] INFO: Slab 0x000000001e329e61 objects=16 used=1 > fp=0x000000009956a488 flags=0x17ffffc0010200 > [49489.092048] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O > 5.3.0-42-generic #34-Ubuntu > [49489.092049] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant > MicroServer Gen10, BIOS 5.12 06/26/2018 > [49489.092049] Call Trace: > [49489.092052] dump_stack+0x6d/0x9a > [49489.092054] slab_err+0xb7/0xdc > [49489.092056] __kmem_cache_shutdown.cold+0x37/0x123 > [49489.092058] shutdown_cache+0x16/0x160 > [49489.092060] kmem_cache_destroy+0x217/0x230 > [49489.092069] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] > [49489.092077] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] > [49489.092085] p_exploit_detection_exit+0x118/0x130 [p_lkrg] > [49489.092093] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] > [49489.092094] ? 0xffffffffc14c0000 > [49489.092102] p_lkrg_register+0x103/0x1000 [p_lkrg] > [49489.092103] ? 0xffffffffc14c0000 > [49489.092104] do_one_initcall+0x4a/0x1fa > [49489.092106] ? kmem_cache_alloc_trace+0x163/0x230 > [49489.092108] do_init_module+0x62/0x250 > [49489.092110] load_module+0x10d4/0x1220 > [49489.092113] __do_sys_finit_module+0xbe/0x120 > [49489.092114] ? 
__do_sys_finit_module+0xbe/0x120 > [49489.092116] __x64_sys_finit_module+0x1a/0x20 > [49489.092118] do_syscall_64+0x5a/0x130 > [49489.092120] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [49489.092121] RIP: 0033:0x7f409b53194d > [49489.092122] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa > 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f > 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 > [49489.092123] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: > 0000000000000139 > [49489.092125] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: > 00007f409b53194d > [49489.092125] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: > 0000000000000003 > [49489.092126] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: > 00007f409b604240 > [49489.092127] R10: 0000000000000003 R11: 0000000000000246 R12: > 0000000000000000 > [49489.092128] R13: 0000557d8b06a760 R14: 0000000000000000 R15: > 0000000000000000 > [49489.092130] INFO: Object 0x00000000decec1c3 @offset=5184 > [49489.093204] > ============================================================================= > [49489.094298] BUG p_ed_pids (Tainted: P B O ): Objects > remaining in p_ed_pids on __kmem_cache_shutdown() > [49489.095419] > ----------------------------------------------------------------------------- > > [49489.097957] INFO: Slab 0x00000000f1949911 objects=16 used=3 > fp=0x000000002ee3a843 flags=0x17ffffc0010200 > [49489.099250] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O > 5.3.0-42-generic #34-Ubuntu > [49489.099251] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant > MicroServer Gen10, BIOS 5.12 06/26/2018 > [49489.099251] Call Trace: > [49489.099254] dump_stack+0x6d/0x9a > [49489.099256] slab_err+0xb7/0xdc > [49489.099259] __kmem_cache_shutdown.cold+0x37/0x123 > [49489.099261] shutdown_cache+0x16/0x160 > [49489.099263] kmem_cache_destroy+0x217/0x230 > [49489.099272] ? 
p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] > [49489.099280] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] > [49489.099289] p_exploit_detection_exit+0x118/0x130 [p_lkrg] > [49489.099298] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] > [49489.099300] ? 0xffffffffc14c0000 > [49489.099308] p_lkrg_register+0x103/0x1000 [p_lkrg] > [49489.099309] ? 0xffffffffc14c0000 > [49489.099311] do_one_initcall+0x4a/0x1fa > [49489.099313] ? kmem_cache_alloc_trace+0x163/0x230 > [49489.099314] do_init_module+0x62/0x250 > [49489.099316] load_module+0x10d4/0x1220 > [49489.099320] __do_sys_finit_module+0xbe/0x120 > [49489.099321] ? __do_sys_finit_module+0xbe/0x120 > [49489.099324] __x64_sys_finit_module+0x1a/0x20 > [49489.099325] do_syscall_64+0x5a/0x130 > [49489.099327] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [49489.099328] RIP: 0033:0x7f409b53194d > [49489.099330] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa > 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f > 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 > [49489.099331] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: > 0000000000000139 > [49489.099332] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: > 00007f409b53194d > [49489.099333] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: > 0000000000000003 > [49489.099334] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: > 00007f409b604240 > [49489.099334] R10: 0000000000000003 R11: 0000000000000246 R12: > 0000000000000000 > [49489.099335] R13: 0000557d8b06a760 R14: 0000000000000000 R15: > 0000000000000000 > [49489.099338] INFO: Object 0x000000008cfb70a8 @offset=2112 > [49489.100609] INFO: Object 0x000000003d3c5997 @offset=3648 > [49489.101857] INFO: Object 0x000000006893169e @offset=5184 > [49489.103095] > ============================================================================= > [49489.104332] BUG p_ed_pids (Tainted: P B O ): Objects > remaining in p_ed_pids on __kmem_cache_shutdown() > [49489.105579] > 
----------------------------------------------------------------------------- > > [49489.108104] INFO: Slab 0x000000004b6de177 objects=16 used=4 > fp=0x0000000063248568 flags=0x17ffffc0010200 > [49489.109412] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O > 5.3.0-42-generic #34-Ubuntu > [49489.109413] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant > MicroServer Gen10, BIOS 5.12 06/26/2018 > [49489.109414] Call Trace: > [49489.109416] dump_stack+0x6d/0x9a > [49489.109418] slab_err+0xb7/0xdc > [49489.109421] __kmem_cache_shutdown.cold+0x37/0x123 > [49489.109423] shutdown_cache+0x16/0x160 > [49489.109425] kmem_cache_destroy+0x217/0x230 > [49489.109433] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] > [49489.109442] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] > [49489.109451] p_exploit_detection_exit+0x118/0x130 [p_lkrg] > [49489.109460] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] > [49489.109461] ? 0xffffffffc14c0000 > [49489.109469] p_lkrg_register+0x103/0x1000 [p_lkrg] > [49489.109470] ? 0xffffffffc14c0000 > [49489.109472] do_one_initcall+0x4a/0x1fa > [49489.109474] ? kmem_cache_alloc_trace+0x163/0x230 > [49489.109476] do_init_module+0x62/0x250 > [49489.109478] load_module+0x10d4/0x1220 > [49489.109481] __do_sys_finit_module+0xbe/0x120 > [49489.109483] ? 
__do_sys_finit_module+0xbe/0x120 > [49489.109485] __x64_sys_finit_module+0x1a/0x20 > [49489.109487] do_syscall_64+0x5a/0x130 > [49489.109489] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [49489.109490] RIP: 0033:0x7f409b53194d > [49489.109491] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa > 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f > 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 13 e5 0c 00 f7 d8 64 89 01 48 > [49489.109492] RSP: 002b:00007fffd7e2b088 EFLAGS: 00000246 ORIG_RAX: > 0000000000000139 > [49489.109493] RAX: ffffffffffffffda RBX: 0000557d8b06a790 RCX: > 00007f409b53194d > [49489.109494] RDX: 0000000000000000 RSI: 0000557d8a99e3f0 RDI: > 0000000000000003 > [49489.109495] RBP: 0000557d8a99e3f0 R08: 0000000000000000 R09: > 00007f409b604240 > [49489.109496] R10: 0000000000000003 R11: 0000000000000246 R12: > 0000000000000000 > [49489.109497] R13: 0000557d8b06a760 R14: 0000000000000000 R15: > 0000000000000000 > [49489.109499] INFO: Object 0x00000000e01ff641 @offset=64 > [49489.110809] INFO: Object 0x0000000025b87e4d @offset=4672 > [49489.112119] INFO: Object 0x00000000b4f85daf @offset=6208 > [49489.113431] INFO: Object 0x00000000293d92c2 @offset=7232 > [49489.114800] kmem_cache_destroy p_ed_pids: Slab cache still has objects > [49489.116299] CPU: 0 PID: 4542 Comm: insmod Tainted: P B O > 5.3.0-42-generic #34-Ubuntu > [49489.116299] Hardware name: HPE ProLiant MicroServer Gen10/ProLiant > MicroServer Gen10, BIOS 5.12 06/26/2018 > [49489.116300] Call Trace: > [49489.116303] dump_stack+0x6d/0x9a > [49489.116305] kmem_cache_destroy.cold+0x15/0x1a > [49489.116314] ? p_delete_rb_ed_pids+0x5e/0xb0 [p_lkrg] > [49489.116323] p_delete_rb_ed_pids+0x7a/0xb0 [p_lkrg] > [49489.116332] p_exploit_detection_exit+0x118/0x130 [p_lkrg] > [49489.116341] p_exploit_detection_init+0x514/0x8c0 [p_lkrg] > [49489.116342] ? 0xffffffffc14c0000 > [49489.116350] p_lkrg_register+0x103/0x1000 [p_lkrg] > [49489.116351] ? 
> [49489.116381] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [49489.117881] OOM killer enabled.
> [49489.117882] Restarting tasks ... done.
>
> --
> Paweł Krawczyk
> +44 7879 180015
>

--
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl