  1. #1
    Join Date
    Aug 2009
    Posts
    33

    Urgent Linux Command Help : xargs: cat: terminated by signal 13

    [[email protected] vhosts]# find ./ -name access_log | xargs cat |grep 74.53.96.178
    xargs: cat: terminated by signal 13
    Segmentation fault
    [[email protected] vhosts]#

    The abuser IP is 74.53.96.178 but my command is giving following error:
    xargs: cat: terminated by signal 13
    Segmentation fault

    Please advise me the right command to bypass this error so that I can fix this issue by closing that account.

    I am finding the IP in access_logs, this file is located in each domain under /var/www/vhosts. This IP is an abuser IP who is including the script, I need to find and suspend that account. Please help urgently.

  2. #2
    Join Date
    May 2009
    Location
    L'viv Ukraine
    Posts
    21
    find /var/www/vhosts -name access_log -exec grep 74.53.96.178 {} \;

    but it seems you have no chance to catch it this way - system seems to be poisoned.

  3. #3
    Join Date
    Aug 2009
    Posts
    33
    [[email protected]]# find /var/www/vhosts -name access_log -exec grep 74.53.96.178 {} \;
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11
    find: grep terminated by signal 11

    Exactly, what should I do now?

  4. #4
    Join Date
    May 2009
    Location
    L'viv Ukraine
    Posts
    21
    Check logs, check your system with chkrootkit, check RPMs with rpm -V (if it's an RH-based OS). What does dmesg say to you? What's in /var/log/messages?

  5. #5
    Join Date
    Aug 2009
    Posts
    33
    Server is being used to access other servers, our /tmp is clean, no such malicious scripts. THEPLANET just opened an abuse ticket for us. Please help.


    Suspicious logs are here:

    Sep 21 13:51:59 myserver sshd[29574]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:00 myserver sshd[29590]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:00 myserver sshd[29603]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:00 myserver sshd[29623]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:00 myserver sshd[29633]: password authentication failed. Login to account andre not allowed or account non-existe$
    Sep 21 13:52:01 myserver sshd[29650]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:01 myserver sshd[29657]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:01 myserver sshd[29674]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:01 myserver sshd[29687]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:01 myserver sshd[29695]: password authentication failed. Login to account nuno not allowed or account non-existen$
    Sep 21 13:52:01 myserver xinetd[2776]: EXIT: smtp status=1 pid=29558 duration=3(sec)
    Sep 21 13:52:02 myserver sshd[29717]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:02 myserver sshd[29734]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:02 myserver sshd[29742]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:02 myserver sshd[29761]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:02 myserver sshd[29765]: password authentication failed. Login to account andre not allowed or account non-existe$
    Sep 21 13:52:02 myserver sshd[29769]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:02 myserver sshd[29774]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:03 myserver sshd[29796]: password authentication failed. Login to account nuno not allowed or account non-existen$
    Sep 21 13:52:03 myserver sshd[29797]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:03 myserver sshd[29801]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:03 myserver sshd[29807]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:03 myserver sshd[29829]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:03 myserver sshd[29832]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:03 myserver sshd[29839]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:04 myserver sshd[29854]: password authentication failed. Login to account luz not allowed or account non-existent.
    Sep 21 13:52:04 myserver sshd[29866]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:04 myserver sshd[29867]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:04 myserver sshd[29872]: password authentication failed. Login to account andre not allowed or account non-existe$
    Sep 21 13:52:04 myserver xinetd[2776]: EXIT: smtp status=1 pid=29119 duration=13(sec)
    Sep 21 13:52:04 myserver sshd[29887]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:04 myserver sshd[29893]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:04 myserver sshd[29894]: password authentication failed. Login to account nuno not allowed or account non-existen$
    Sep 21 13:52:05 myserver sshd[29905]: password authentication failed. Login to account root2 not allowed or account non-existe$
    Sep 21 13:52:05 myserver sshd[29919]: password authentication failed. Login to account admin not allowed or account non-existe$
    Sep 21 13:52:05 myserver sshd[29923]: password authentication failed. Login to account luz not allowed or account non-existent.
    Sep 21 11:09:35 myserver sshd[12489]: password authentication failed. Login to account test not allowed or account non-existen$
    Sep 21 11:09:35 myserver xinetd[2776]: EXIT: smtp status=1 pid=12041 duration=11(sec)
    Sep 21 11:09:35 myserver sshd[12506]: password authentication failed. Login to account test not allowed or account non-existen$
    Sep 21 11:09:35 myserver sshd[12519]: password authentication failed. Login to account test1 not allowed or account non-existe$
    Sep 21 11:09:35 myserver sshd[12520]: password authentication failed. Login to account test not allowed or account non-existen$
    Sep 21 11:09:35 myserver sshd[12524]: password authentication failed. Login to account test not allowed or account non-existen$
    Sep 21 11:09:35 myserver sshd[12526]: password authentication failed. Login to account test1 not allowed or account non-existe$
    Sep 21 11:09:36 myserver sshd[12547]: connection from "174.36.251.82"
    Sep 21 11:09:36 myserver sshd[12547]: Wrong password given for user 'ftp'.
    Sep 21 11:09:36 myserver sshd[12549]: password authentication failed. Login to account test1 not allowed or account non-existe$
    Sep 21 11:09:36 myserver sshd[12565]: password authentication failed. Login to account test1 not allowed or account non-existe$
    Sep 21 11:09:36 myserver sshd[12566]: connection from "174.36.251.82"
    Sep 21 11:09:36 myserver sshd[12566]: Wrong password given for user 'ftp'.
    Sep 21 11:09:36 myserver sshd[12601]: password authentication failed. Login to account oracle not allowed or account non-exist$
    Sep 21 11:09:36 myserver sshd[12603]: connection from "174.36.251.82"
    Sep 21 11:09:36 myserver sshd[12603]: Wrong password given for user 'ftp'.
    Sep 21 11:09:36 myserver sshd[12607]: connection from "174.36.251.82"
    Sep 21 11:09:36 myserver sshd[12607]: Wrong password given for user 'ftp'.
    Sep 21 11:09:37 myserver sshd[12606]: password authentication failed. Login to account oracle not allowed or account non-exist$
    Sep 21 11:09:37 myserver sshd[12624]: password authentication failed. Login to account nagios not allowed or account non-exist$
    Sep 21 11:09:37 myserver sshd[12630]: password authentication failed. Login to account oracle not allowed or account non-exist$
    Sep 21 11:09:37 myserver sshd[12632]: password authentication failed. Login to account oracle not allowed or account non-exist$
    Sep 21 11:09:37 myserver sshd[12636]: password authentication failed. Login to account nagios not allowed or account non-exist$
    Sep 21 11:09:37 myserver sshd[12646]: connection from "174.36.251.82"
    Sep 21 11:09:37 myserver sshd[12646]: Wrong password given for user 'root'.

    Sep 21 11:09:38 myserver sshd[12656]: Wrong password given for user 'root'.
    Sep 21 11:09:38 myserver sshd[12665]: connection from "174.36.251.82"
    Sep 21 11:09:38 myserver sshd[12665]: Wrong password given for user 'root'.
    Sep 21 11:09:38 myserver sshd[12675]: connection from "174.36.251.82"
    Sep 21 11:09:38 myserver sshd[12675]: Wrong password given for user 'root'.
    Sep 21 11:09:38 myserver sshd[12678]: connection from "174.36.251.82"
    Sep 21 11:09:38 myserver sshd[12678]: Wrong password given for user 'root'.
    Sep 21 11:09:38 myserver sshd[12680]: connection from "174.36.251.82"
    Sep 21 11:09:38 myserver sshd[12680]: Wrong password given for user 'root'.
    Sep 21 11:09:38 myserver sshd[12707]: connection from "174.36.251.82"
    Sep 21 11:09:38 myserver sshd[12707]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12737]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12737]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12738]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12738]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12743]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12743]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12771]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12771]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12793]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12793]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12798]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12798]: Wrong password given for user 'root'.
    Sep 21 11:09:39 myserver sshd[12799]: connection from "174.36.251.82"
    Sep 21 11:09:39 myserver sshd[12799]: Wrong password given for user 'root'.
    Sep 21 11:09:40 myserver sshd[12808]: connection from "174.36.251.82"
    Sep 21 11:09:40 myserver sshd[12808]: Wrong password given for user 'root'.
    Sep 21 11:09:40 myserver sshd[12810]: connection from "174.36.251.82"
    Sep 21 11:09:40 myserver sshd[12810]: Wrong password given for user 'root'.
    Sep 21 11:09:40 myserver sshd[12811]: connection from "174.36.251.82"
    Sep 21 11:09:40 myserver sshd[12811]: Wrong password given for user 'root'.
    Sep 21 11:09:40 myserver sshd[12812]: connection from "174.36.251.82"
    Sep 21 11:09:40 myserver sshd[12812]: Wrong password given for user 'root'.
    Sep 21 11:09:40 myserver sshd[12819]: connection from "174.36.251.82"
    Sep 21 11:19:44 myserver sshd[12983]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13003]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13011]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13014]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13033]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13049]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13055]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13056]: LoginGraceTime exceeded.
    Sep 21 11:19:45 myserver sshd[13061]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13062]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13063]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13064]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13065]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13068]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13069]: LoginGraceTime exceeded.
    Sep 21 11:19:46 myserver sshd[13070]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13084]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13093]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13094]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13095]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13096]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13097]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13098]: LoginGraceTime exceeded.
    Sep 21 11:19:47 myserver sshd[13101]: LoginGraceTime exceeded.
    Sep 21 11:19:48 myserver sshd[13102]: LoginGraceTime exceeded.
    Sep 21 11:19:48 myserver sshd[13103]: LoginGraceTime exceeded.
    Sep 21 11:19:48 myserver sshd[13104]: LoginGraceTime exceeded.
    Sep 21 13:55:14 myserver sshd[6974]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:15 myserver sshd[6990]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:15 myserver sshd[6993]: password authentication failed. Login to account cisc@ not allowed or account non-existen$
    Sep 21 13:55:15 myserver sshd[6997]: password authentication failed. Login to account aleon not allowed or account non-existen$
    Sep 21 13:55:15 myserver sshd[7011]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:15 myserver sshd[7015]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:16 myserver sshd[7023]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:16 myserver sshd[7034]: password authentication failed. Login to account iaht not allowed or account non-existent.
    Sep 21 13:55:16 myserver sshd[7038]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:16 myserver sshd[7043]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:17 myserver sshd[7060]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:17 myserver sshd[7059]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:17 myserver sshd[7064]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:17 myserver sshd[7073]: Local disconnected: User name contains illegal characters. (user '(null)', client address$
    Sep 21 13:55:17 myserver sshd[7073]: illegal user name : 'User name contains illegal characters. (user '(null)', client addres$
    Sep 21 13:55:17 myserver sshd[7074]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:17 myserver sshd[7079]: password authentication failed. Login to account boxer not allowed or account non-existen$
    Sep 21 13:55:18 myserver sshd[7093]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:18 myserver sshd[7095]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:18 myserver sshd[7104]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:18 myserver sshd[7114]: connection from "69.16.216.76"
    Sep 21 13:55:18 myserver sshd[7114]: Wrong password given for user 'tomcat'.
    Sep 21 13:55:18 myserver sshd[6913]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:18 myserver sshd[7116]: password authentication failed. Login to account ianh not allowed or account non-existent.
    Sep 21 13:55:18 myserver sshd[7125]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:19 myserver sshd[7132]: connection from "69.16.216.76"
    Sep 21 13:55:19 myserver sshd[7132]: Wrong password given for user 'tomcat'.
    Sep 21 13:55:19 myserver sshd[7133]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:19 myserver sshd[7135]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:19 myserver sshd[7139]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:19 myserver sshd[7146]: password authentication failed. Login to account support not allowed or account non-exist$
    Sep 21 13:55:19 myserver sshd[7147]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:19 myserver sshd[7149]: password authentication failed. Login to account admin not allowed or account non-existen$
    Sep 21 13:55:20 myserver sshd[7157]: password authentication failed. Login to account intraweb not allowed or account non-exis$
    Sep 21 13:57:07 myserver sshd[11834]: password authentication failed. Login to account suva not allowed or account non-existen$
    Sep 21 13:57:07 myserver sshd[11837]: password authentication failed. Login to account kay not allowed or account non-existent.
    Sep 21 13:57:07 myserver sshd[11846]: password authentication failed. Login to account eric not allowed or account non-existen$
    Sep 21 13:57:07 myserver sshd[11855]: password authentication failed. Login to account user not allowed or account non-existen$
    Sep 21 13:57:08 myserver sshd[11858]: password authentication failed. Login to account suvlet not allowed or account non-exist$
    Sep 21 13:57:08 myserver sshd[11866]: password authentication failed. Login to account user not allowed or account non-existen$
    Sep 21 13:57:08 myserver sshd[11867]: password authentication failed. Login to account kay not allowed or account non-existent.
    Sep 21 13:57:08 myserver sshd[11872]: password authentication failed. Login to account test not allowed or account non-existen$
    Sep 21 13:57:08 myserver sshd[11875]: password authentication failed. Login to account menu not allowed or account non-existen$
    Sep 21 13:57:08 myserver sshd[11877]: password authentication failed. Login to account kay not allowed or account non-existent.
    Sep 21 13:57:08 myserver sshd[11880]: password authentication failed. Login to account eric not allowed or account non-existen$
    Sep 21 13:57:09 myserver sshd[11884]: password authentication failed. Login to account test not allowed or account non-existen$

  6. #6
    Join Date
    Aug 2009
    Posts
    33
    [[email protected] ~]# rpm -V
    rpmv: no arguments given for verify

  7. #7
    Join Date
    Aug 2009
    Posts
    33
    Any advice?

  8. #8
    Join Date
    May 2009
    Location
    L'viv Ukraine
    Posts
    21
    :-)
    At least do

    rpm -V `rpm -qa | grep grep`

    to check if grep rpm is OK.
    As authentication failed - it was just a bruteforce attack - a common thing on the net. Any authentication successful messages? What does the

    dmesg

    command says to you?
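
A way to condense a log like the one posted above, as an added example that is not part of any post in this thread: it joins each "Wrong password" line to the source IP logged under the same sshd PID, counts the unknown-account failures, and prints every sshd line that matches none of those patterns for manual review. The sample lines are constructed in the format of the excerpt above; the function name and the output labels are assumptions.

```shell
#!/bin/sh
# Constructed sample, in the format of the log excerpt posted in this thread.
sample_log() {
cat <<'EOF'
Sep 21 11:09:36 myserver sshd[12547]: connection from "174.36.251.82"
Sep 21 11:09:36 myserver sshd[12547]: Wrong password given for user 'ftp'.
Sep 21 11:09:37 myserver sshd[12646]: connection from "174.36.251.82"
Sep 21 11:09:37 myserver sshd[12646]: Wrong password given for user 'root'.
Sep 21 11:09:38 myserver sshd[12656]: Wrong password given for user 'root'.
Sep 21 13:52:00 myserver sshd[29590]: password authentication failed. Login to account root2 not allowed or account non-existent.
Sep 21 13:52:00 myserver sshd[29623]: password authentication failed. Login to account admin not allowed or account non-existent.
Sep 21 13:52:01 myserver sshd[29650]: password authentication failed. Login to account root2 not allowed or account non-existent.
Sep 21 13:52:01 myserver xinetd[2776]: EXIT: smtp status=1 pid=29558 duration=3(sec)
Sep 21 11:19:44 myserver sshd[12983]: LoginGraceTime exceeded.
Sep 21 13:55:17 myserver sshd[7073]: Local disconnected: User name contains illegal characters.
EOF
}

# summarize_sshd [FILE...]   (hypothetical helper; reads stdin when no file is given)
# Output, one record per line, sorted:
#   wrong-password  <source-ip|unknown> <user> <count>
#   no-such-account <account> <count>
#   grace-timeout   <count>
#   review          <original line that matched none of the known patterns>
summarize_sshd() {
    awk -v q="'" '
    $5 !~ /^sshd\[/ { next }                  # ignore xinetd and other daemons
    {
        pid = $5                              # "sshd[12547]:" -> "12547"
        sub(/^[^[]*\[/, "", pid); sub(/\].*/, "", pid)
    }
    /connection from "/ {
        ip = $NF; gsub(/"/, "", ip)
        src[pid] = ip                         # PIDs can be reused; last one wins
        next
    }
    /Wrong password given for user/ {
        user = $NF; sub("^" q, "", user); sub(q "\\.$", "", user)
        who = (pid in src) ? src[pid] : "unknown"
        wrong[who " " user]++
        next
    }
    /password authentication failed\. Login to account/ { noacct[$12]++; next }
    /LoginGraceTime exceeded/ { grace++; next }
    { print "review " $0 }                    # anything else deserves a look
    END {
        for (k in wrong)  print "wrong-password " k " " wrong[k]
        for (k in noacct) print "no-such-account " k " " noacct[k]
        if (grace) print "grace-timeout " grace
    }' "$@" | LC_ALL=C sort
}

sample_log | summarize_sshd
```

The `review` lines are where a message that is not a failed attempt would surface, since the script deliberately knows only the failure patterns visible in the posted excerpt.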

  9. #9
    Join Date
    Jun 2008
    Location
    India
    Posts
    129
    You can use the following commands.

    grep -irl 74.53.96.178 /var/www/vhosts/

    This command will list only the file names which contain the IP address,

    or else

    for i in /var/www/vhosts/*; do grep -r 74.53.96.178 "$i"; done
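
A stricter variant of the search discussed in this thread, as an added example that is not part of any post: it counts requests per access_log where the client field equals the address exactly, so `74.53.96.178` does not also match `174.53.96.178` or an address that merely appears inside a URL. It assumes common/combined log format with the client IP in the first column; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# hits_per_vhost ROOT IP   (hypothetical helper)
# Prints "<count> <path>" for every access_log under ROOT in which the first
# column (client address) equals IP exactly, busiest file first.
hits_per_vhost() {
    find "$1" -type f -name access_log -exec awk -v ip="$2" '
        # First line of a later file: flush the counter of the previous one.
        FNR == 1 && seen { if (n) print n, prev; n = 0 }
        { seen = 1; prev = FILENAME }
        $1 == ip { n++ }                      # exact field match, not a regex
        END { if (n) print n, prev }
    ' {} + | sort -rn
}

# Constructed sample tree: two vhosts, only one of which was really hit.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site-a.example/logs" "$d/site-b.example/logs"
    cat > "$d/site-a.example/logs/access_log" <<'EOF'
74.53.96.178 - - [21/Sep/2009:13:51:59 +0000] "GET /index.php HTTP/1.1" 200 512
174.53.96.178 - - [21/Sep/2009:13:52:00 +0000] "GET / HTTP/1.1" 200 1024
74.53.96.178 - - [21/Sep/2009:13:52:01 +0000] "POST /index.php HTTP/1.1" 200 64
EOF
    cat > "$d/site-b.example/logs/access_log" <<'EOF'
10.0.0.5 - - [21/Sep/2009:13:52:02 +0000] "GET /?from=74.53.96.178 HTTP/1.1" 200 90
EOF
    hits_per_vhost "$d" 74.53.96.178
    rm -rf "$d"
}

demo
```

The directory part of each printed path identifies the vhost, which is what is needed to pick the account to suspend.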

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Definitely sounds compromised from the grep segmentation fault. It's a common binary to be backdoored.

    You also said that the server is attacking other servers. You need to completely go through this server. I bet you are running a vulnerable kernel.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
