# Unknown HZ value!

## Vieri

I'm supposing this may be a kernel issue...

A relatively old Gentoo server has been running smoothly for a long time without any package updates (no emerges).

The kernel hasn't changed, ever.

However, on Monday this week I started seeing for the first time the following message:

```
Unknown HZ value! (94) Assume 100.
```

It shows up as the first line of output whenever I run programs such as "ps" and "top". It's annoying me a little because I use "ps" in my cron scripts and I get notified by e-mail quite often. I try to redirect the output with "2>&1" but it doesn't seem to work with that line.

I rebooted the machine and still the same behavior.

Any idea of what may be the problem?

```
# emerge --info
Portage 2.1.6.13 (hardened/linux/x86, gcc-3.4.6, glibc-2.5-r4, 2.6.20-hardened-r5 i686)
=================================================================
System uname: Linux-2.6.20-hardened-r5-i686-Pentium_II_-Deschutes-with-glibc2.3.2
Timestamp of tree: Wed, 22 Dec 2010 08:00:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r4, 2.5.4-r2
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.6.3, 1.7.9-r1, 1.9.6-r2, 1.10, 1.11.1
sys-devel/binutils:  2.17
sys-devel/gcc:       3.4.6-r2
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
sys-devel/make:      3.81
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -mtune=pentium3 -O2 -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/fax /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=i686 -mtune=pentium3 -O2 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.ovh.net/gentoo-distfiles/"
LANG="es_ES.UTF-8@euro"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="es"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/webapps-experimental /usr/local/portage/layman/sunrise /usr/local/portage"
SYNC="rsync://inf-bl07/gentoo-portage"
USE="7zip acl apache2 berkdb bzip2 cli cracklib crypt ctype cups curl cxx dri extensions ftp gd gdbm gpm hardened iconv jbig jpeg jpeg2k kerberos ldap mmx mmxext modules mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl php pic png ppds pppd python readline samba session sockets sse sse2 ssl sysfs tcpd tiff tokenizer unicode urandom winbind x86 xattr xml xorg zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="es" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

Thanks,

Vieri

----------

## Jaglover

*Quote:*

> A relatively old gentoo server has been running smoothly for a long time without any package updates (no emerges).

No updates like no security updates? That's what Google gave ... http://www.bigismore.com/web-server-security/unknown-hz-value-assume-100-youve-been-hacked/

----------

## Vieri

I already saw that page but I also found other pages not stating that it's a security threat, at all.

They refer to a kernel bug instead of a rootkit but I'm not sure about it.

----------

## Ant P.

The very first thing you should be doing before deciding your box a year behind on security patches hasn't been rooted is checking the md5sum of `/usr/bin/top` against `/var/db/pkg/sys-process/procps-*/CONTENTS`.

----------

## Hu

The next thing is to check that md5sum against an archived (known good) copy of CONTENTS, then reboot the machine to a LiveCD and check the md5sum of the hard drive `/usr/bin/top` as computed by the LiveCD against the md5sum reported when you were running from the hard drive. If all that checks out, then start the same procedure against other files that are popular to replace.

----------

## Vieri

Thanks to both of you.

md5sums don't match:

```
# grep "/usr/bin/top" /var/db/pkg/sys-process/procps-3.2.7/CONTENTS
obj /usr/bin/top 97c2585cbbe237861d6e0012d7af4a51 1185525919
# md5sum /usr/bin/top
fd319aa8e6f56a32c0cb8fc6e9a69195  /usr/bin/top
```

What are my best options for now?

I can't reinstall a fresh system or upgrade this old one, at least not within the next month.

Can I just re-emerge ps and top (supposing I still have the packages in distfiles)?

How can I "make sure" that the system is "safe"?

Should I md5sum every single binary on the host (could take ages)?

Booting a livecd to scan the system is not yet something I can physically do.

Is there a way to find the "root cause" of what appears to be a corruption/infection (I'm running rkhunter now)?

Thanks

Vieri

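The check Ant P. and Hu describe above (hash every file Portage recorded in a package's CONTENTS, then repeat the hashing from a LiveCD so a kernel- or libc-level rootkit cannot lie about the result) is easy to script across the whole VDB, which also answers the question of whether to md5sum every binary by hand. The following is an added example written for this thread, not code from the posters or from Portage. It assumes the standard VDB layout `/var/db/pkg/<category>/<package>/CONTENTS` with `obj <path> <md5> <mtime>` lines; the sample VDB tree and binaries it builds in a temporary directory are constructed, and the hash it records there is not the value quoted in the thread. Two caveats a practitioner should keep in mind: the CONTENTS files live on the same disk the attacker controls, so they must be compared against an archived copy as Hu says, and md5 is only what Portage of this era recorded, not a hash you would choose today.

```python
"""Verify installed files against Portage VDB CONTENTS records and
cross-check two hash manifests (live system vs. LiveCD view).

Added example for this thread; not the posters' code or Portage's.
"""
import hashlib
import tempfile
from pathlib import Path


def md5_file(path):
    """md5 of a file, streamed so large binaries don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_contents(text):
    """Yield (path, md5) for each 'obj' line of a CONTENTS file.

    VDB format: 'obj <path> <md5> <mtime>'. 'dir' and 'sym' entries
    carry no hash and are skipped.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "obj":
            yield parts[1], parts[2]


def verify_vdb(vdb_root, fs_root="/"):
    """Walk <vdb_root>/<category>/<pkg>/CONTENTS and hash every obj.

    Returns {path: 'mismatch' | 'missing'} for files that are not clean;
    clean files are omitted. Pass fs_root pointing at a mounted root to
    verify the disk from a LiveCD instead of the running system.
    """
    problems = {}
    for contents in Path(vdb_root).glob("*/*/CONTENTS"):
        for rel, expected in parse_contents(contents.read_text()):
            target = Path(fs_root) / rel.lstrip("/")
            if not target.is_file():
                problems[rel] = "missing"
            elif md5_file(target) != expected:
                problems[rel] = "mismatch"
    return problems


def compare_manifests(live, offline):
    """Cross-view check: paths whose hash differs between two manifests.

    A rootkit hooking the running kernel or libc can feed the live
    system a clean-looking copy of a file; hashing the same disk from
    a LiveCD sidesteps those hooks, so any disagreement between the two
    views is itself a finding, regardless of what CONTENTS says.
    """
    return sorted(p for p in live if p in offline and live[p] != offline[p])


def build_demo():
    """Constructed sample: tiny VDB plus filesystem in a temp dir, with
    one binary replaced after its hash was recorded (the situation the
    thread's md5 mismatch on /usr/bin/top implies)."""
    tmp = Path(tempfile.mkdtemp())
    fs, vdb = tmp / "root", tmp / "vdb"
    bindir = fs / "usr" / "bin"
    bindir.mkdir(parents=True)
    pkgdir = vdb / "sys-process" / "procps-3.2.7"
    pkgdir.mkdir(parents=True)
    originals = {
        "ps": b"#!/bin/sh\necho genuine ps\n",
        "top": b"#!/bin/sh\necho genuine top\n",
    }
    lines = ["dir /usr", "dir /usr/bin"]
    for name, data in originals.items():
        (bindir / name).write_bytes(data)
        # constructed record; the mtime field is illustrative only
        lines.append(f"obj /usr/bin/{name} {hashlib.md5(data).hexdigest()} 1185525919")
    (pkgdir / "CONTENTS").write_text("\n".join(lines) + "\n")
    # Simulate a trojaned top installed after the package was merged.
    (bindir / "top").write_bytes(b"#!/bin/sh\necho trojan\n")
    return verify_vdb(vdb, fs)


if __name__ == "__main__":
    for path, status in sorted(build_demo().items()):
        print(f"{status}: {path}")
```

On a real box you would run `verify_vdb("/var/db/pkg")` from the live system, then boot the LiveCD, mount the root read-only, run `verify_vdb("/mnt/vdb/var/db/pkg", "/mnt/root")` against an archived copy of the VDB, and feed both sets of hashes to `compare_manifests`. Files that verify clean from the live system but not from the LiveCD are the ones a hooking rootkit was hiding.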
----------

## Vieri

From rkhunter:

```
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 157
    Suspect files: 12

Rootkit checks...
    Rootkits checked : 251
    Possible rootkits: 4
    Rootkit names    : cb Rootkit, SHV4 Rootkit, SHV5 Rootkit, Xzibit Rootkit

Applications checks...
    Applications checked: 4
    Suspect applications: 2
```

Wonderful... the beauty of being hacked.

Removing all the rootkits is probably more work than reinstalling from scratch.

(eg. just for SHV5: http://www.kentoyer.com/2009/12/21/removing-the-shv5-rootkit/)

I'm wondering though how the machine got infected in the first place.

----------

## Hu

I think that rkhunter is just listing rootkits known to cause these symptoms. It is not saying that all of them are present. However, since at least one appears to be present, I would `shutdown -h now` that system immediately and leave it off until you can wipe it and reinstall. If it has been compromised to the point that someone installed a rootkit, there is a good chance it is being actively used for malicious purposes as well.

With regard to how they got in, there are many possibilities.  Your Portage tree is over a year old, so we know you are at least that far behind on patches.  I see references to PHP in your CONFIG_PROTECT_MASK, so I suspect you have an old version of PHP installed.  PHP is widely recognized for its negative contributions to system security, especially since there are some fairly popular PHP-based web applications that have had serious security problems.

----------

