Thread: problems at command line
-
03-15-2004, 12:02 PM #1
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
problems at command line
I am running cpanel/RHEL and I got a page that my cpu was overloaded. I SSH'd in and tried to run top. However, I got the following error:
[/scripts]# top
top: error while loading shared libraries: libncurses.so.4: cannot open shared object file: No such file or directory
[/scripts]#
Also, when I try to do an ls on a file, I get the following:
[/scripts]# ls a* -l
/bin/ls: unrecognized prefix: do
/bin/ls: unparsable value for LS_COLORS environment variable
-rwx------ 1 root root 3222 Oct 21 01:45 adddns*
-rwx------ 1 root root 3444 Nov 21 2002 addfpmail*
-rwx------ 1 root root 3270 Nov 21 2002 addfpmail2*
-rwx------ 1 root root 231 Apr 29 2002 addnetmaskips*
-rwx------ 1 root root 496 Sep 5 2002 addnobodygrp*
-rwx------ 1 root root 1463 Apr 22 2002 addpop*
-rwx------ 1 root root 1599 May 11 2001 addservlets*
-rwx------ 1 root root 865 Mar 10 2002 addstatus*
-rwx------ 1 root root 164 Nov 8 2002 adduser*
-rwx------ 1 root root 2270 May 11 2001 adduser.old*
-rwx------ 1 root root 315 Jan 23 2002 admin*
-rwx------ 1 root root 10097 May 11 2001 admin.old*
-rw-r--r-- 1 root root 654 Aug 25 2003 anonuser.patch
-rwx------ 1 root root 5720 May 27 2002 antirelayd.shar*
-rwx------ 1 root root 1847 Jun 29 2003 apachelimits*
root@webserve01 [/scripts]#
Any idea what is wrong here???
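The symptoms in the post above (a `top` that wants a libncurses the system does not ship, an `ls` that chokes on its own environment) are what dropped-in replacement binaries tend to look like. On RHEL the package database is the nearest independent reference, so here is an added example, not code from the thread or from cPanel, that triages `rpm -V` output. It assumes rpm's verify line format (`<flags> [c] <path>`, or the word `missing`) and works on a constructed sample, not the poster's real output. Caveat: rpm and `/var/lib/rpm` sit on the same compromised disk, so a clean result deserves the same suspicion the thread applies to `ps`; run the check from rescue media against the mounted disk (`rpm -Va --root /mnt/suspect`) rather than from the running system.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage `rpm -V` output on a RHEL
# host whose system binaries are suspected of having been replaced.
# Assumed output format (rpm's verify format): "<flags> [c] <path>", with the
# word "missing" in place of the flags when the file is gone. Flag "S" means
# the size differs, "5" that the MD5 digest differs from the package database.

# Constructed sample, shaped like what `rpm -Va 2>/dev/null` prints; it is
# not output from the poster's server.
SAMPLE_RPM_VERIFY='S.5....T    /bin/ls
S.5....T    /sbin/ifconfig
S.5....T    /bin/login
S.5....T    /usr/bin/pstree
..5....T  c /etc/ld.so.conf
missing     /usr/bin/top
.......T    /usr/bin/vi'

# Reads rpm -V lines on stdin and prints one line per file whose contents
# changed (size or digest) or that is missing. A changed config file
# (type "c") gets its own label because config files change legitimately;
# a mere mtime change ("T" alone) is ignored.
triage_rpm_verify() {
    awk '
        NF < 2 { next }
        {
            flags = $1; path = $NF
            ftype = (NF == 3) ? $2 : "-"
            if (flags == "missing") { print "MISSING  " path; next }
            if (index(flags, "5") == 0 && index(flags, "S") == 0) next
            if (ftype == "c") print "CONFIG   " path "  (" flags ")"
            else              print "MODIFIED " path "  (" flags ")"
        }'
}

# Number of non-config files that changed or vanished. On a box that has not
# been patched since install, anything above zero means the package database
# is the only thing left on the disk worth believing.
count_suspect_binaries() {
    printf '%s\n' "$1" | triage_rpm_verify | grep -c -E '^(MODIFIED|MISSING)'
}

# Live use (not run by the test):
#   rpm -Va 2>/dev/null | triage_rpm_verify
```

On the constructed sample the triage reports four modified binaries and one missing one, and files out the config change separately; `vi`, whose only difference is its timestamp, is not reported.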
-
03-15-2004, 12:06 PM #2
- Web Hosting Master
- Join Date: Feb 2002
- Posts: 985
Smells like someone broke into the machine and installed a rootkit.
regards,
M.
Powered by AMD & FreeBSD.
"Documentation is like sex:
when it is good, it is very, very good;
and when it is bad, it is better than nothing."
-
03-15-2004, 12:09 PM #3
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
Can you please expand on that? I have no idea what that means.
-
03-15-2004, 12:15 PM #4
- Web Hosting Evangelist
- Join Date: Apr 2002
- Posts: 499
Did you set up any aliases in your .bashrc file? It does seem fishy...
/bin/ls: unrecognized prefix: do
/bin/ls: unparsable value for LS_COLORS environment variable
The environment variable thing, and the "do" command (suggesting a shell scriptite thingy going on), makes me think something is up with your shell...
-
03-15-2004, 12:19 PM #5
- Web Hosting Master
- Join Date: Feb 2002
- Posts: 985
Originally posted by rrsnider
Can you please expand on that? I have no idea what that means.
Anyway, check with chkrootkit.
regards,
M.
Powered by AMD & FreeBSD.
"Documentation is like sex:
when it is good, it is very, very good;
and when it is bad, it is better than nothing."
-
03-15-2004, 12:20 PM #6
- WHT Addict
- Join Date: Jan 2004
- Posts: 106
Definitely a rootkit.... probably because of the cpanel exploit.
Do a search... there are a few informative posts from the weekend.
My server is currently having the OS reloaded due to the same issue.
-
03-15-2004, 12:25 PM #7
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
How do you run chkrootkit? When I type chkrootkit, I get the following message:
-bash: chkrootkit: command not found
-
03-15-2004, 12:29 PM #8
- Web Hosting Guru
- Join Date: Dec 2002
- Posts: 265
You can download it and get more information from http://www.chkrootkit.org/
-
03-15-2004, 12:30 PM #9
- Retired Moderator
- Join Date: Jan 2003
- Posts: 9,049
You have the t0rn v8 rootkit. Checking it is probably not going to help since it just tells you you are rooted.
From the sounds of it, you seem relatively inexperienced at using SSH. You should probably hire a system admin, or order a reinstall of your OS.
••• http://www.sprintserve.net •••
-
03-15-2004, 12:51 PM #10
- Junior Guru Wannabe
- Join Date: Dec 2003
- Location: Mentor, Ohio
- Posts: 38
I agree with sprintserve, and make sure your system is locked down next time..
Compaq Linux Forums!
http://www.cpqforums.com
-
03-15-2004, 12:52 PM #11
- WHT Addict
- Join Date: Jan 2004
- Posts: 106
Originally posted by nightwar
I agree with sprintserve, and make sure your system is locked down next time..
-
03-15-2004, 01:02 PM #12
Originally posted by BootsSiR
Unfortunately, cpanel is mostly to blame for this one
Granted, CPanel screwed up, but in this case, the warning has been out there for a few days and the protective measures to handle it as well. If someone doesn't follow through on those, that's not the fault of the software vendor.
I'd agree with everyone else though, you've most likely been rooted. Run chkrootkit, see if it's been rooted, get backups and have the server formatted and reinstalled.
Tom Whiting, WHMCS Guru extraordinaire
-
03-15-2004, 01:03 PM #13
- Junior Guru Wannabe
- Join Date: Dec 2003
- Location: Mentor, Ohio
- Posts: 38
Ya, I saw all the info over the weekend.. kinda why I hate control panels! Nonetheless, CPs have taken this business over.. I still do things the old-fashioned way without a CP.
Anyhow.. if an exploit is found, and makes its way around quickly enough, there's not much to prevent this from happening!
Good luck!
Compaq Linux Forums!
http://www.cpqforums.com
-
03-15-2004, 01:54 PM #14
- Web Hosting Master
- Join Date: May 2001
- Posts: 1,006
You have to check your system to see whether chkrootkit is installed (use locate chkrootkit), and if there's nothing, then it was not installed and you have to see Westech's post and the URL to download and install it.
After you have done the install, cd to the directory, which is usually /usr/local/src/chkrootkit-0.43/, then issue the command ./chkrootkit and it will detect your system's affected (infected) system files.
Good luck
-
03-15-2004, 02:14 PM #15
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
I ran chkrootkit and here is what is infected:
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed
Is there any way to fix the problem(s) without a restore? I saw some posts on this but there does not seem to be a consensus on whether to restore or repair.
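The "3 process hidden for ps command" line in the chkrootkit output above comes from exactly the cross-check below: the PIDs that `ps` reports are compared with the numeric entries in /proc, and anything /proc knows about that `ps` leaves out is a process somebody is hiding. This is an added example, not the thread's or chkrootkit's own code; the PID lists are constructed. Caveat: a kernel-side LKM rootkit, which chkrootkit also warns about here, can hide entries from /proc too, so an empty result from this check is not a clean bill of health.

```shell
#!/bin/sh
# Added example, not code from the thread. Cross-check the PIDs that `ps`
# reports against the numeric entries in /proc. A trojaned ps (the userland
# half of a kit like t0rn) drops entries; the comparison below shows them.
# Caveat: a kernel-side LKM rootkit can hide processes from /proc as well,
# so an empty result is not proof that nothing is hidden.

# Pure comparison, so it runs on constructed data: $1 is a newline-separated
# PID list taken from /proc, $2 the list reported by ps. Prints the PIDs
# present in /proc but missing from ps, in /proc order.
pids_hidden_from_ps() {
    {
        printf '%s\n' "$2"
        echo 'PS_END'
        printf '%s\n' "$1"
    } | awk '
        $1 == "PS_END"    { in_proc = 1; next }
        $1 !~ /^[0-9]+$/  { next }                 # blanks, headers, non-PIDs
        !in_proc          { seen[$1] = 1; next }   # ps side: remember
        !($1 in seen)     { print $1 }             # /proc side: report the gap
    '
}

# Constructed sample: six PIDs in /proc, three of which ps does not show,
# matching the "3 process hidden" count chkrootkit printed in the thread.
SAMPLE_PROC_PIDS='1
2
300
301
302
4242'
SAMPLE_PS_PIDS='1
2
4242'

# One live snapshot on Linux (not run by the test). ls is itself suspect on
# a rooted host, so the /proc side uses shell globbing; ps is asked only for
# PIDs. Returns 2 if ps cannot be run at all.
hidden_pids_snapshot() {
    procs=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    psout=$(ps -e -o pid= 2>/dev/null) || return 2
    pids_hidden_from_ps "$procs" "$psout"
}

# Two snapshots are intersected so a process that merely exited between the
# /proc read and the ps read is not reported as hidden.
hidden_pids_live() {
    first=$(hidden_pids_snapshot) || return 2
    second=$(hidden_pids_snapshot) || return 2
    # PIDs seen in the first pass but not the second were transient; subtract
    # them from the first pass to keep only PIDs hidden both times.
    only_first=$(pids_hidden_from_ps "$first" "$second")
    pids_hidden_from_ps "$first" "$only_first"
}
```

On the constructed lists the comparison returns 300, 301 and 302. On a live box, run `hidden_pids_live` and treat every PID it prints as something to look at from a trusted system, not something to investigate with the tools on the compromised one.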
-
03-15-2004, 02:15 PM #16
- WHT Addict
- Join Date: Nov 2002
- Posts: 161
No, cpanel's not to blame, the ones to blame are the individuals that don't secure their server.
-
03-15-2004, 02:21 PM #17
Originally posted by rrsnider
Is there any way to fix the problem(s) without a restore? I saw some posts on this but there does not seem to be a consensus on whether to restore or repair.
The best route to take:
A> Have a new system setup (or have this one tossed and formatted).
B> Have your users change their passwords (this is CRITICAL, because once in, the user can run software to detect their password, and I'd bet anything that just a few of them had dictionary passwords).
C> Restore accounts.
Tom Whiting, WHMCS Guru extraordinaire
-
03-15-2004, 02:57 PM #18
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
What exactly is t0rn v8 going to allow my hacker to do to my server?
-
03-15-2004, 03:20 PM #19
Well, you've got a lot more than t0rn in there, though that's just the start of things. Your basic system binaries have been corrupted (look at the output from chkrootkit and you'll see which ones).
In short:
This user (whoever they are) has complete access to your server by now. It's very safe to assume this, because they've already modified login and installed their own kits on your server. There's nothing they CAN'T do beyond this point.
Now, most of these are kiddies, running a binary, that's it, not knowing what they're doing past some shell script or binary, but that's most definitely not a chance worth taking here.
Tom Whiting, WHMCS Guru extraordinaire
-
03-15-2004, 03:20 PM #20
- Junior Guru Wannabe
- Join Date: Feb 2004
- Posts: 82
Basically it gives the hacker root (ie the highest possible level) access to your server so that he/she can do anything they want.
The most commonly occurring two things (I think) are the following:
Using your server to participate in a DDoS (Distributed Denial of Service), i.e. flooding a remote person with loads of traffic, using up your bandwidth.
Using your server to send spam email through, causing your IP addresses to get blacklisted and your server to slow down horribly under the tide of email processes (the fact you said your server was overloaded indicates this might already be going on).
So ultimately, however annoying it is and however much of a hassle it is, you HAVE TO reformat the server and start again (after taking the relevant backups of people's sites, of course). I would also suggest that once you have got your server back up you get someone to properly secure your server for you (I think there are a few people who post on WHT that do it).
-
03-15-2004, 03:27 PM #21
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
How can I check if they are sending spam from my server?
-
03-15-2004, 03:32 PM #22
- Junior Guru Wannabe
- Join Date: Feb 2004
- Posts: 82
Unfortunately you can't check very easily as the entire point of the rootkit is that it replaces all the commands that would show you the processes sending the spam with ones that will deliberately not show you, therefore you almost certainly will not be able to see what they are doing.
However, in this case it appears the rootkit is incompatible with certain libraries on your system which is why the commands are failing.
The only sure-fire way (I think) to know if somebody is sending spam from your server now is to stick the machine on a hub (NOT a switch) with another machine running a packet sniffer and see what is going in/out from it.
However, as you might not have physical access, another option is to try searching for your IP on block lists (which list sources identified as sending spam); however, your IP may not have yet been added to these lists even if it is sending out spam, so this isn't that good an option.
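The block-list route from the post above is a DNS query: the address is reversed octet by octet and looked up under the list's zone, and an answer means the address is listed. The following is an added example, not code from the thread; `dnsbl.example.net` is a placeholder for whichever list is actually consulted, 192.0.2.10 is a documentation address standing in for the server's own, and the live query assumes the `host` utility from bind-utils. The post's caveat stands: a listing proves spam is leaving the box, but absence from a list proves nothing.

```shell
#!/bin/sh
# Added example, not code from the thread. Check one of the server's IPv4
# addresses against a DNS blocklist. "dnsbl.example.net" is a placeholder
# zone and 192.0.2.10 a documentation address; substitute the real list and
# the server's own address. The live query needs the `host` utility.

DNSBL_ZONE="${DNSBL_ZONE:-dnsbl.example.net}"   # placeholder, not a real list

# Accept only a dotted quad with four octets in 0..255; anything else is
# rejected before it can become part of a DNS name.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    '
}

# DNSBLs are keyed by the reversed address: 192.0.2.10 is looked up as
# 10.2.0.192.<zone>. Returns 1 for anything that is not an IPv4 address.
dnsbl_query_name() {
    is_ipv4 "$1" || return 1
    printf '%s\n' "$1" | awk -F. -v zone="$2" \
        '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# Live lookup (not run by the test). An A record in the answer means the
# address is listed; NXDOMAIN means it is not listed, or the lookup failed,
# which is why a negative result proves nothing.
dnsbl_check() {
    name=$(dnsbl_query_name "$1" "$DNSBL_ZONE") || {
        echo "not an IPv4 address: $1" >&2
        return 2
    }
    if host -t A "$name" >/dev/null 2>&1; then
        echo "$1 is LISTED on $DNSBL_ZONE"
    else
        echo "$1 not found on $DNSBL_ZONE (unlisted, or the lookup failed)"
    fi
}

# Usage: dnsbl_check 192.0.2.10
```

Run it once per address the server sends mail from; a multi-IP cPanel box can have several. Because the check is only as good as the list it queries, a practical recipe is to run it against more than one zone rather than trusting a single negative.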
-
03-15-2004, 03:40 PM #23
- WHT Addict
- Join Date: Apr 2002
- Location: Philly Pa
- Posts: 130
What does it do for the script kiddie? It gives him/her your machine to do as he/she wishes to do with it.
Even though I hate cpanel, and can't stand what it does for us hard-working admins, I have to admit it's not 100% their fault. The bugs were released before the coder was notified. This is against ethics. There are standards to releasing bugs.
1. Notify the programmer.
Alert the programmer that you're giving him so-and-so much time to release a patch before you release the advisory.
2. Release the notification and include the fix.
This clown just started posting all over. Servers were getting hijacked before the fixes were even released. Hell, servers were getting hijacked before the programmer even knew.
But it is everyone's right to secure their own machines. You install 3rd party programs to make your life easier, you're asking for it.
Don't be lazy. Be old-fashioned and secure. If you don't know much about unix/linux and want to start a hosting company, please hire a full-time admin. You're making the life of real administrators a pain in the rear.
1. I'm tired of my machines getting port scanned by hijacked machines.
2. I'm tired of spam from hijacked servers.
Any other admins want to add to this list?
3. ????
-
03-15-2004, 03:43 PM #24
- Junior Guru Wannabe
- Join Date: Nov 2001
- Posts: 92
I've heard enough. I am going to start the restore process ASAP. I have daily/weekly backups of my sites (using Cpanel backup) and I will restore the sites from last week (prior to rootkit). Here are my questions:
1) Anything I should take a backup of before I do the restore?
2) Anything special I need to do to restore the sites? I use the cpanel backup method to a SAMBA drive.
3) Any directories I should avoid restoring?
4) I saw that I should change all passwords. Any other advice?
Thanks.
-
03-15-2004, 03:46 PM #25
- WHT Addict
- Join Date: Apr 2002
- Location: Philly Pa
- Posts: 130
You want to get rid of it all. Don't save anything.