LinuxQuestions.org
Old 04-30-2014, 07:00 AM   #1
sandeepc04
Member
 
auto modifying my linux /etc/hosts file


Hi Friends,

One of my friend's offices is having a problem with the /etc/hosts file. We installed RHEL-5.3 there, running DNS/SQUID/DHCP/APACHE services, and this server had been running fine for almost 2 years. Last week there were internet disconnection issues, so my friend restarted the server again and again; whenever he restarted it, the internet worked well for 1/2 to 1 hour, then the same problem again. Finally he told me he had been facing this problem for 2-3 days...

I checked all the logs and they were all good, but when I checked the /etc/hosts file it had been modified with something like website URLs, and that file had become too big. Then I thought someone had hacked that server, so as a temporary measure I deleted that hosts file and put back a new hosts file as it was before; the internet then worked fine for 2 days. After 2 days the same problem started again. I checked the secure file; no one had tried to get in as root. Then I again removed that file and put in a new one, and it started to get modified automatically within 1 hour.

No one even sits at that server for browsing; we just built that server for squid and mail, and the internet for all clients passes through that server only...

I am not understanding how the hosts file is getting modified with some URLs...

Please help me on this... how can I resolve this problem?

Regards,
Sandeep CC
 
Old 04-30-2014, 09:23 AM   #2
MensaWater
LQ Guru
 
Check cron to see if there is a script doing this.

The standard crontab files are in /var/log/cron (each with the user name that runs them).
Note you should not edit files in /var/log/cron directly unless you bounce crond after doing so. Instead you should use:
crontab -e #< Edit current user's crontab file (e.g. if you're root it would edit /var/log/cron/root)
crontab -u <user> -e #< Edit the specified user's cron instead of current user. This must be run as root.

Additional /etc/cron.* files exist for hourly, daily, and weekly that can be edited directly.
 
Old 04-30-2014, 09:33 AM   #3
Germany_chris
Senior Member
 
chattr +i ??
 
Old 04-30-2014, 09:43 AM   #4
MensaWater
LQ Guru
 
Originally Posted by Germany_chris:
> chattr +i ??
Uh...

Care to expand on that? Did you perhaps post to the wrong thread?
I don't see an "i" flag for chattr on RHEL5 & RHEL6. What Linux do you have this flag on and what does it do?
Are you suggesting the OP run it against his /etc/hosts?
 
Old 04-30-2014, 09:46 AM   #5
Germany_chris
Senior Member
 
Originally Posted by MensaWater:
> Uh...
>
> Care to expand on that? Did you perhaps post to the wrong thread?
> I don't see an "i" flag for chattr on RHEL5 & RHEL6. What Linux do you have this flag on and what does it do?
> Are you suggesting the OP run it against his /etc/hosts?
It makes whatever file unchangeable.

http://en.wikipedia.org/wiki/Chattr

+i is to set the immutable bit to prevent even root from erasing or changing the contents of a file.

I'm suggesting chattr +i /etc/hosts

http://www.wmduszyk.com/?p=9500&langswitch_lang=en

 
Old 04-30-2014, 10:02 AM   #6
onebuck
Moderator
 
Member Response

Hi,

From 'man chattr':
> A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
'man command' is your friend.
 
Old 04-30-2014, 10:08 AM   #7
MensaWater
LQ Guru
 
Silly me to have thought it would be listed with the flags instead of buried in the middle of a paragraph in the man page.

From what was posted after my query it seems this would likely NOT solve the problem as whatever is changing the file is likely to be running as superuser (because /etc/hosts is generally root:root) and the above says superuser (root) can still change things with that bit.

It also seems a bad idea to me not to spend time figuring out why your system is breaking and instead just putting in workaround fixes like this.
 
Old 04-30-2014, 10:12 AM   #8
onebuck
Moderator
 
Member Response

Originally Posted by sandeepc04:
> Hi Friends,
> <snip>
> I checked all the logs and they were all good, but when I checked the /etc/hosts file it had been modified with something like website URLs, and that file had become too big. Then I thought someone had hacked that server, so as a temporary measure I deleted that hosts file and put back a new hosts file as it was before; the internet then worked fine for 2 days. After 2 days the same problem started again. I checked the secure file; no one had tried to get in as root. Then I again removed that file and put in a new one, and it started to get modified automatically within 1 hour.
>
> No one even sits at that server for browsing; we just built that server for squid and mail, and the internet for all clients passes through that server only...
>
> I am not understanding how the hosts file is getting modified with some URLs...
>
> Please help me on this... how can I resolve this problem?
>
> Regards,
> Sandeep CC
Please provide the line that is being added to your '/etc/hosts' file that you identified as being added.

Since you are using RHEL, did you contact Red Hat with this issue?

'man hosts':
> hosts - static table lookup for hostnames
>
> SYNOPSIS
> /etc/hosts
>
> DESCRIPTION
> This manual page describes the format of the /etc/hosts file. This file is a simple text file that associates IP addresses with hostnames, one line per IP address. For each host a single line should be present with the following information:
>
> IP_address canonical_hostname [aliases...]
>
> Fields of the entry are separated by any number of blanks and/or tab characters. Text from a "#" character until the end of the line is a comment, and is ignored. Host names may contain only alphanumeric characters, minus signs ("-"), and periods ("."). They must begin with an alphabetic character and end with an alphanumeric character. Optional aliases provide for name changes, alternate spellings, shorter hostnames, or generic hostnames (for example, localhost).
>
> The Berkeley Internet Name Domain (BIND) Server implements the Internet name server for UNIX systems. It augments or replaces the /etc/hosts file or hostname lookup, and frees a host from relying on /etc/hosts being up to date and complete.
>
> In modern systems, even though the host table has been superseded by DNS, it is still widely used for:
>
> bootstrapping
> Most systems have a small host table containing the name and address information for important hosts on the local network. This is useful when DNS is not running, for example during system bootup.
>
> NIS
> Sites that use NIS use the host table as input to the NIS host database. Even though NIS can be used with DNS, most NIS sites still use the host table with an entry for all local hosts as a backup.
>
> isolated nodes
> Very small sites that are isolated from the network use the host table instead of DNS. If the local information rarely changes, and the network is not connected to the Internet, DNS offers little advantage.
Please notice that '/etc/hosts' is a 'static table lookup for hostnames', so someone or something is making changes to that file. I would look at a rootkit as a potential problem, or use chkrootkit to see if you have been hacked.

Hope this helps.
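As an added example (not code from any of the posters), here is what onebuck's request for the added lines and the hosts(5) rules quoted above amount to in practice: a small Python 3 audit that parses a hosts file by those rules, flags lines that break the format, and reports address-to-name mappings that are not in a known-good copy. The file contents below are constructed samples.

```python
"""Audit an /etc/hosts file against the hosts(5) rules and a known-good copy."""
import ipaddress
import re

# hosts(5): names contain only alphanumerics, '-' and '.', begin with a letter
# and end with an alphanumeric (a single letter also passes).
HOSTNAME_RE = re.compile(r"^[A-Za-z]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def is_address(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return (entries, problems): entries are (lineno, ip, [names]) for
    well-formed lines, problems are (lineno, reason) for malformed ones."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' to end of line is a comment
        if not line:
            continue
        fields = line.split()  # any run of blanks and/or tabs separates fields
        ip, names = fields[0], fields[1:]
        if not is_address(ip):
            problems.append((lineno, "invalid address %r" % ip))
        elif not names:
            problems.append((lineno, "no hostname after %s" % ip))
        elif any(not HOSTNAME_RE.match(n) for n in names):
            problems.append((lineno, "invalid hostname in %r" % names))
        else:
            entries.append((lineno, ip, names))
    return entries, problems


def added_mappings(baseline_text, current_text):
    """Sorted (ip, name) pairs present in the current file but not the baseline."""
    def pairs(text):
        return {(ip, n) for _, ip, names in parse_hosts(text)[0] for n in names}
    return sorted(pairs(current_text) - pairs(baseline_text))


# Constructed sample: the file as deployed, then the same file after unexplained
# lines were appended (RFC 2606 example domains, not real hosts).
BASELINE = """\
127.0.0.1     localhost.localdomain localhost
192.168.1.10  gw.office.example gw   # squid/mail gateway
"""
CURRENT = BASELINE + """\
0.0.0.0       www.example.com ads.example.net
http://example.net/path   # a URL is not an address: violates hosts(5)
"""

if __name__ == "__main__":
    for lineno, reason in parse_hosts(CURRENT)[1]:
        print("line %d: %s" % (lineno, reason))
    for ip, name in added_mappings(BASELINE, CURRENT):
        print("added mapping: %s -> %s" % (name, ip))
```

Run it against a copy of the live file and a copy saved right after the clean replacement; the "added mapping" lines are exactly what the thread asks the OP to post.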
 
Old 04-30-2014, 10:28 AM   #9
Germany_chris
Senior Member
 
Originally Posted by MensaWater:
> Silly me to have thought it would be listed with the flags instead of buried in the middle of a paragraph in the man page.
>
> From what was posted after my query it seems this would likely NOT solve the problem as whatever is changing the file is likely to be running as superuser (because /etc/hosts is generally root:root) and the above says superuser (root) can still change things with that bit.
>
> It also seems a bad idea to me not to spend time figuring out why your system is breaking and instead just putting in workaround fixes like this.
You can't change it as root either which is the point.

It's a band-aid to get something functional and get work done while the problem is sorted out.
 
Old 04-30-2014, 11:17 AM   #10
onebuck
Moderator
 
Member Response

Hi,
Originally Posted by Germany_chris:
> You can't change it as root either which is the point.
>
> It's a band-aid to get something functional and get work done while the problem is sorted out.
'root' or a 'process possessing the CAP_LINUX_IMMUTABLE capability' can set or clear this attribute. That is the point!

A hacker that can rootkit a machine can become 'root'. Stop the problem by having a secure machine & users that are aware of security habits. Treat the 'superuser' as intended, preserve the 'root' account and do not share access.
 
Old 04-30-2014, 11:47 AM   #11
Germany_chris
Senior Member
 
Originally Posted by onebuck:
> Hi,
>
> 'root' or a 'process possessing the CAP_LINUX_IMMUTABLE capability' can set or clear this attribute. That is the point!
>
> A hacker that can rootkit a machine can become 'root'. Stop the problem by having a secure machine & users that are aware of security habits. Treat the 'superuser' as intended, preserve the 'root' account and do not share access.
Root can undo it but cannot modify the file, i.e. root can chattr -i to make it changeable again, but it cannot be changed until that is typed. The file is getting corrupted by a URL and not showing other signs of a problem; that means, if anything, it's likely a drive-by, not an actual person.

 
Old 04-30-2014, 01:51 PM   #12
MensaWater
LQ Guru
 
Originally Posted by Germany_chris:
> Root can undo it but cannot modify the file, i.e. root can chattr -i to make it changeable again, but it cannot be changed until that is typed. The file is getting corrupted by a URL and not showing other signs of a problem; that means, if anything, it's likely a drive-by, not an actual person.
Thanks for the clarification on root and chattr.

Why do you think it is being corrupted by the URL and not by a background process such as cron? I'm not saying it isn't possible, but that's what they ought to be looking at if it's the case.

Running your web server as root is not a good idea. Of course httpd has to start the first process as root to use the ports below 1000, but it should then spawn the children as "apache" or some other user.
 
Old 04-30-2014, 02:13 PM   #13
Germany_chris
Senior Member
 
I don't run any servers, but running anything as root is bad.

I also don't know why it's being corrupted; I was just trying to solve an immediate problem of keeping people at work while the problem is being tracked down. If he locks it and it still gets corrupted then he obviously has real big issues.

I've spent most of my adult life either in or working for the military, so I've been trained to think a particular way. Take care of the 30m targets first, then move further out, i.e. make it work and keep the user productive, then move on and fix the issue. I know this way doesn't jibe well for many (just ask my wife) but it's always my immediate reaction and generally serves me well.
 
Old 04-30-2014, 06:18 PM   #14
onebuck
Moderator
 
Member Response

Hi,

Originally Posted by Germany_chris:
> Root can undo it but cannot modify the file, i.e. root can chattr -i to make it changeable again, but it cannot be changed until that is typed. The file is getting corrupted by a URL and not showing other signs of a problem; that means, if anything, it's likely a drive-by, not an actual person.
Superuser/root can change the 'immutable' i flag and then make the changes. That is also true for anyone who has access to the same privileges as root, be it via local authorization or someone who rootkits the system. Changes to the static file can be made by a person or a rootkit/script/process which modifies the static table file that normally is meant to be static to the system. Apparently the URL means something to the planter. That is one reason to know what that line's content is, so we can possibly help the OP diagnose this issue.

Originally Posted by Germany_chris:
> I don't run any servers, but running anything as root is bad.
So how do you suggest someone admin their system? There are times that having root privileges is necessary to maintain a system properly, be it a server or desktop. It is important to maintain tight security for root privileges.
 
Old 04-30-2014, 06:36 PM   #15
unSpawn
Moderator
 
In 2012 you (your office) decided that you didn't have the money to do routing properly and elected to use a RHEL-5 machine to perform routing.
In subsequent threads we see you struggling to add all sorts of services to a RHEL-5 machine.
About a year ago you were warned that some of your practices are outright unsafe yet you never followed up on that warning.
In December of 2013 you posted a thread similar to this one.
Is that the same server?


Originally Posted by sandeepc04:
> Please help me on this... how can I resolve this problem?
- /etc/hosts is owned by root. This means the perpetrator managed to gain root. This means the server should be isolated pending investigation and then decommissioned until clean reinstallation. Inform users all passwords, data and backups should be marked compromised.
- Since this is your gateway this means all traffic flowing through it may be sniffed and data and credentials siphoned off the server from the start of the root compromise. Inform all LAN and remote users all credentials and data that have passed through this machine should be marked compromised.
- This server may be used as springboard to (adjacent) servers. This means you will have to investigate all machines in your care.
- It may be used to attack servers elsewhere.

*As always I'm interested to help you investigate the matter but measures must be implemented to avoid this in the future.
You or a colleague must become an admin or you must hire somebody to admin servers properly for you.
Otherwise it's all for naught.

 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration