topic Re: Weird behaviour for root user in Operating System - Linux

Weird behaviour for root user

Jeff Ohlhausen — Wed, 11 May 2005 14:38:12 GMT

Hello,
I am running a red hat server. Up until recently it has been functioning perfectly. However, now when I log in as the root user (via sudo) I have about a minute to execute commands then it logs out to the user I was.

After it logs me out then I can't type anything. Well - I can type but it only takes one letter and then says 'command not found' (not suprisingly). Anybody have any idea what is going on and how I might fix it?
Thanks
Jeff

Re: Weird behaviour for root user

Steven E. Protter — Wed, 11 May 2005 14:43:22 GMT

Check the PATH variable.

Also run checkrootkit because your box may have been hacked.

Its also possible that the /usr filesystem is not mounted and a lot of commands are missing.

SEP

Re: Weird behaviour for root user

Jeff Ohlhausen — Wed, 11 May 2005 14:44:57 GMT

How do i run the chkrootkit?

Thanks
Jeff

Re: Weird behaviour for root user

Steven E. Protter — Wed, 11 May 2005 15:20:46 GMT

First you have to find it and install it.

That was a problem for me.

I used yum

yum -y install checkrootkit

Its not available via up2date.

This might be the one.

http://rpmfind.net/linux/RPM/PLD/dists/ra/PLD/i386/PLD/RPMS/chkrootkit-0.37-1.i386.html
SEP

Re: Weird behaviour for root user

Jeff Ohlhausen — Wed, 11 May 2005 15:45:40 GMT

Hi,
Thanks again. The only line I saw infected was:
Checking `su'... INFECTED

Should I replace the binary? Can I find it online?
Thanks
Jeff

Re: Weird behaviour for root user

Steven E. Protter — Wed, 11 May 2005 16:24:42 GMT

Your system has been compromised.

I would replace the binary and re-run checkrootkit if possible.

Ideally, I'd reinstall the entire OS, then bastille, and harden the server a great deal prior to exposing it to the Internet again.

SEP

Re: Weird behaviour for root user

Ross Minkov — Wed, 11 May 2005 17:28:27 GMT

Jeff,

I'd reinstall the OS, but if you want to try and clean it up note that chrootkit depends on several system binaries You may want to verify them before running the script (do you have Tripwire? if not use RPM). These binaries are awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. However, if you have known good backup copies of these, you can specify the path to them by using the -p option. For instance, you can copy them to a CD-ROM and then mount it under /mnt/cdrom, you would use a command like this:

# ./chrootkit -p /mnt/cdrom

HTH,
Ross

Re: Weird behaviour for root user

Gopi Sekar — Thu, 12 May 2005 01:18:17 GMT

First remove your machine from network, the hacker must have already installed back doors in your system so to avoid any future attacks through your system first remove it from network.

i would suggest to re-install OS with latest version of it. There is no point in reinstalling same version again since it is known that it is already compromised. use latest version with all security updates.

install tripwire, bastille linux to harden security of your system. tripwire can be used to check the file integrity of your system.

also check if you have any other system on the network for potential compromise. since hackers anticipate that they will get caught they try to have backup plans by having few more compromised machines on the same network.

Regards,
Gopi

Re: Weird behaviour for root user

Jeff Ohlhausen — Mon, 15 Aug 2005 12:03:12 GMT

Thanks everyone.