HPE Community
Operating System - Linux
1828026 Members
2060 Online
109973 Solutions
New Discussion

Weird behaviour for root user

 
SOLVED
Go to solution
Jeff Ohlhausen
Frequent Advisor

‎05-11-2005 07:38 AM

‎05-11-2005 07:38 AM

Weird behaviour for root user

Hello,
I am running a red hat server. Up until recently it has been functioning perfectly. However, now when I log in as the root user (via sudo) I have about a minute to execute commands then it logs out to the user I was.

After it logs me out then I can't type anything. Well - I can type but it only takes one letter and then says 'command not found' (not suprisingly). Anybody have any idea what is going on and how I might fix it?
Thanks
Jeff
Do or do not - there is no try.
0 Kudos
8 REPLIES 8
Steven E. Protter
Exalted Contributor

‎05-11-2005 07:43 AM

‎05-11-2005 07:43 AM

Solution

Re: Weird behaviour for root user

Check the PATH variable.

Also run checkrootkit because your box may have been hacked.

Its also possible that the /usr filesystem is not mounted and a lot of commands are missing.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Jeff Ohlhausen
Frequent Advisor

‎05-11-2005 07:44 AM

‎05-11-2005 07:44 AM

Re: Weird behaviour for root user

How do i run the chkrootkit?

Thanks
Jeff
Do or do not - there is no try.
0 Kudos
Steven E. Protter
Exalted Contributor

‎05-11-2005 08:20 AM

‎05-11-2005 08:20 AM

Re: Weird behaviour for root user

First you have to find it and install it.

That was a problem for me.

I used yum

yum -y install checkrootkit

Its not available via up2date.

This might be the one.

http://rpmfind.net/linux/RPM/PLD/dists/ra/PLD/i386/PLD/RPMS/chkrootkit-0.37-1.i386.html
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Jeff Ohlhausen
Frequent Advisor

‎05-11-2005 08:45 AM

‎05-11-2005 08:45 AM

Re: Weird behaviour for root user

Hi,
Thanks again. The only line I saw infected was:
Checking `su'... INFECTED

Should I replace the binary? Can I find it online?
Thanks
Jeff
Do or do not - there is no try.
0 Kudos
Steven E. Protter
Exalted Contributor

‎05-11-2005 09:24 AM

‎05-11-2005 09:24 AM

Re: Weird behaviour for root user

Your system has been compromised.

I would replace the binary and re-run checkrootkit if possible.

Ideally, I'd reinstall the entire OS, then bastille, and harden the server a great deal prior to exposing it to the Internet again.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Ross Minkov
Esteemed Contributor

‎05-11-2005 10:28 AM

‎05-11-2005 10:28 AM

Re: Weird behaviour for root user

Jeff,

I'd reinstall the OS, but if you want to try and clean it up note that chrootkit depends on several system binaries You may want to verify them before running the script (do you have Tripwire? if not use RPM). These binaries are awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, and uname. However, if you have known good backup copies of these, you can specify the path to them by using the -p option. For instance, you can copy them to a CD-ROM and then mount it under /mnt/cdrom, you would use a command like this:

# ./chrootkit -p /mnt/cdrom

HTH,
Ross
0 Kudos
Gopi Sekar
Honored Contributor

‎05-11-2005 06:18 PM

‎05-11-2005 06:18 PM

Re: Weird behaviour for root user


First remove your machine from network, the hacker must have already installed back doors in your system so to avoid any future attacks through your system first remove it from network.

i would suggest to re-install OS with latest version of it. There is no point in reinstalling same version again since it is known that it is already compromised. use latest version with all security updates.

install tripwire, bastille linux to harden security of your system. tripwire can be used to check the file integrity of your system.

also check if you have any other system on the network for potential compromise. since hackers anticipate that they will get caught they try to have backup plans by having few more compromised machines on the same network.

Regards,
Gopi
Never Never Never Giveup
0 Kudos
Jeff Ohlhausen
Frequent Advisor

‎08-15-2005 05:03 AM

‎08-15-2005 05:03 AM

Re: Weird behaviour for root user

Thanks everyone.
Do or do not - there is no try.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.