LinuxQuestions.org
04-02-2005, 04:04 PM #1
QtCoder
sh: line 1: /usr/bin/(swapd): No such file or directory


This happens when I manually try to run one of the init scripts in /etc/rc.d/init.d (I'm using Mandrake 9.2, btw). The script seems to complete successfully, but that message bugs me.

/usr/bin/(swapd) exists. It has permissions -rwx------ and belongs to root. Changing the permissions doesn't work.

What should I do?
 
04-02-2005, 06:47 PM #2
bigrigdriver
First question: since the file belongs to root, are you trying to run it as root?
Second question: when you try to change the permissions, are you logged in as user, or did you su to root and try to change the permissions?
Third question: What is the exact command you issue when you try to run the script?
 
04-03-2005, 08:23 PM #3
QtCoder (Original Poster)
Sorry for the lack of clarity. I was in a hurry.

1. First, it isn't just one script that causes the error. Every init script I tried caused it. Yes, I am root when I run them.

2. When I try to change permissions on (swapd), I am root as well. I wasn't clear at all when I said changing permissions doesn't work. I meant to say that changing permissions (on swapd from -rwx------ to anything else) doesn't fix the error message. The act of changing permissions works just fine.

3. This error comes up whenever I try to run any init script in /etc/rc.d/init.d (like httpd or mysql). So, for example, I would use this exact command to start httpd: ./httpd start

4. I've reinstalled the system w/ Mandrake 10.1. End of problem.
 
04-04-2005, 05:00 AM #4
nnsg
Hi QtCoder,

The file /usr/bin/(swapd) looks suspicious, maybe you should check for any signs of break-in/rootkit first?
 
04-11-2005, 05:33 PM #5
QtCoder (Original Poster)
For the past couple of weeks, I've been working furiously on securing the newly reinstalled system. I had decided to use a new hard drive since the other one was beginning to make some abnormally high-pitched noises signalling its imminent death. After installing Mandrake 10.1, I was satisfied that the problem was gone and I could move on. But, curiosity got the best of me, thanks to nnsg.

I swapped the old hard drive back in so I could do a little forensics work and find out what had happened. I had set up the machine with very loose security (i.e. none to speak of, besides the "High" security level provided by msec) because I used it as a learning tool to learn Linux. Well, I installed and ran chkrootkit which revealed a possible Madalin root kit. I'm fairly new to security, so already my adrenaline was pumping. I knew I had an intruder.

I tried running netstat to see anyone that was connected. Nothing abnormal showed up. So, I checked chkrootkit's output again and found that a couple programs had been changed (ls and netstat). I promptly downloaded and installed the appropriate rpms to replace those commands. Netstat then showed an odd connection from port 6667, which is IRC. Interesting. I recorded the IP, then ran netstat again. The 6667 connection was not there anymore. I reinstalled netstat again and the connection showed up. A few seconds later, it was gone again. Either the hacker was there, ready, or a cron job was doing the work of covering his tracks. So, I ran the hacked netstat with a few more options and |more, and when I hit 'q' to end the listing from more, I got an odd error message (more on that later). (One note: during all this, the machine was connected to the Internet because the only way I can administer the system conveniently is remotely from home. I couldn't unplug the cat5 cable to keep the hacker out.)

Netstat had shown that the 6667 connection was supposedly started by kjournald. Running 'ps ax' showed nothing unusual. So, I reinstalled the package containing ps. After running ps again, I saw ./kjournald in the output. That was the backdoor, apparently.

That odd error message from netstat revealed a very unusual directory as well as many 'grep -v' statements meant to exclude certain ports from the output. The error only showed up after piping to more and stopping with 'q'. So, I went to the directory and it turned out to be where the hacker had set up shop. One directory had all the system commands that had replaced mine, including some I didn't know had been changed. The others included an IRC program and the kjournald executable.

So, I backed up all my logs (besides the ones that had been removed by the hacker) and all the files in the hacker's directory. That way, after all this, I could thoroughly scan the logs and hacker-files to squeeze out any information relating to how he got in and any other identifying characteristics (like other IPs).

With the backup complete, I killed the kjournald process and (after reinstalling netstat yet again), saw that the connection was no longer there. I then deleted the hacker's files and checked my cron jobs to make sure kjournald wouldn't start again. Nothing happened. So, I ate, had some coffee, and came back 15 minutes later to see that a new connection had been made by a different IP. Netstat showed no process name attached to the connection, but there was a PID. Shortly after discovering the IP and PID with netstat, netstat was again replaced with a hacked version (I knew that because I ran chkrootkit before and after running netstat, and after, it said netstat was infected). I checked /proc/PID/exe to see what started the process. Right now, I can't remember the name of the process, but that's not important. So, I killed the process and right away, there it was again. I did that several times. Apparently, this ticked the hacker off, because all of a sudden, I started losing all my major shell commands, including rpm which I'd been using to reinstall hacked programs. It was so weird to use a command and 1 second later see, "Command not found." Panic!! Luckily, the shutdown command was still there. I tried shutdown -h now, but after the initial message saying the system was going down, nothing else happened. I was logged out, but the system kept going, and I couldn't log in again. He locked me out of my own system.

I tried calling the place where the system resides to have someone unplug the cat5 cable for me, but no one was there. In about an hour or so, I was there myself and unplugged it. Ahh, relief.

After doing some investigating, I noticed some log entries about unusual telnet traffic. Why did I ever install telnet in the first place? I have concluded that the hacker got in via telnet, but I'm really not sure because I don't have enough information. I found that the original IP was from Amsterdam. I also found 3 other IPs. Now, my objective will be to contact the ISPs of those IPs to report the incident.

So, now that the system is reinstalled, I have taken the time to learn IPTables, PSAD, msec, Tripwire, and more so I can prevent such an attack in the future. I will bet that as soon as the system is live on the Internet again, I will receive some scans/hack attempts from those IP's. This time, I'm ready (or more ready than before, at least).

And that's my story.

Last edited by QtCoder; 04-11-2005 at 05:42 PM.
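The two problems QtCoder ran into in post #5 (a netstat that hid the port 6667 connection behind 'grep -v' filters, and a ps that did not list the ./kjournald process) are both cases of trusting a userland tool the intruder had replaced. The script below is an added example, not code from the thread or from chkrootkit: it reads the kernel's own socket table in /proc/net/tcp instead of running netstat, and it compares the PIDs the kernel exposes under /proc with what a ps listing reports, which is the check that would have surfaced the hidden process (after which /proc/PID/exe names the binary, as the post describes). The /proc/net/tcp lines and the PID lists in the script are constructed sample data; the addresses, ports and inode numbers are made up.

```shell
#!/bin/sh
# Added example for the thread above; it is not code from the original posts.
# Two checks that do not depend on the userland tools the intruder replaced:
#  1. read the kernel's socket table (/proc/net/tcp) directly, so a netstat
#     wrapper full of 'grep -v' filters cannot hide the port 6667 connection;
#  2. diff the PIDs the kernel exposes under /proc against a ps listing, which
#     is how a process hidden from a trojaned ps (the './kjournald' backdoor)
#     shows up; /proc/PID/exe then names the binary, as the post describes.

# Constructed sample of /proc/net/tcp (addresses in the kernel's little-endian
# hex form): an sshd listener on 0.0.0.0:22 and an established connection from
# 127.0.0.1:35661 to 10.2.0.10:6667 (0x1A0B). All values are made up.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8B4D 0A00020A:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 20 4 30 10 -1'

# Constructed PID lists: what /proc shows versus what a (possibly trojaned) ps printed.
SAMPLE_PROC_PIDS='1
2
873
1042'
SAMPLE_PS_PIDS='1
2
873'

# hex_to_ip: decode the little-endian hex IPv4 used in /proc/net/tcp
# (0100007F -> 127.0.0.1). The low byte is printed last, so octets are reversed.
hex_to_ip() {
    h=$1
    mid=${h#??}; mid=${mid%??}              # middle four hex digits
    printf '%d.%d.%d.%d' "$((0x${h#??????}))" "$((0x${mid#??}))" \
                          "$((0x${mid%??}))" "$((0x${h%??????}))"
}

# tcp_state: name the hex state column (only the states that matter here)
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;;
        0A) echo LISTEN ;;
        06) echo TIME_WAIT ;;
        *)  echo "STATE_$1" ;;
    esac
}

# connections: read a /proc/net/tcp table on stdin and print one line per
# socket as "STATE local:port remote:port inode=N" with decoded addresses.
connections() {
    tail -n +2 | while read -r _sl loc rem st rest; do
        set -- $rest                   # tx/rx, tr/when, retrnsmt, uid, timeout, inode ...
        printf '%s %s:%d %s:%d inode=%s\n' \
            "$(tcp_state "$st")" \
            "$(hex_to_ip "${loc%:*}")" "$((0x${loc#*:}))" \
            "$(hex_to_ip "${rem%:*}")" "$((0x${rem#*:}))" "$6"
    done
}

# remote_port: keep only sockets whose remote port is $1 (decimal), e.g. 6667
remote_port() {
    connections | awk -v p="$1" '{ split($3, a, ":"); if (a[2] == p) print }'
}

# hidden_pids: $1 = PIDs seen in /proc, $2 = PIDs reported by ps (one per line);
# prints the PIDs the kernel knows about that ps left out.
hidden_pids() {
    printf '%s\n---\n%s\n' "$2" "$1" |
        awk '$0 == "---" { in_proc = 1; next }
             !in_proc    { ps[$0] = 1; next }
             !($0 in ps) { print }'
}

# Demo on the constructed data. On a live system the same functions run as:
#   connections < /proc/net/tcp
#   hidden_pids "$(ls /proc | grep -x '[0-9][0-9]*')" "$(ps -e -o pid= | awk '{print $1}')"
# and each hidden PID is resolved with: readlink "/proc/$pid/exe"
echo "Sockets with a remote port of 6667 (IRC):"
printf '%s\n' "$SAMPLE_TCP" | remote_port 6667
echo "PIDs present in /proc but missing from ps:"
hidden_pids "$SAMPLE_PROC_PIDS" "$SAMPLE_PS_PIDS"
```

Reading /proc directly still trusts the kernel, which is enough against a userland rootkit of the kind chkrootkit reported here (replaced ls, netstat and ps), but not against a kernel module. The other lesson from the post holds as well: once rpm itself went missing, nothing on the box could be trusted to verify anything, so the answer was the one QtCoder reached, which is to pull the network cable, image the disk for the log review, and reinstall.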
 
  

