Old 03-25-2013, 04:40 AM   #1
vineethsp
LQ Newbie
 
Registered: Mar 2013
Location: India
Distribution: RedHat Enterprise Linux Server Edition 5.5
Posts: 13

Rep: Reputation: Disabled
cannot trace the script


I opened my log by

tail -f /var/log/messages

and I get the following output

Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c


Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c

This keeps executing every 15 seconds.

And when I open the following log

tail -f /var/log/secure

I get

Mar 25 15:04:44 localhost sshd[26788]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:44 localhost sshd[26788]: fatal: Cannot bind any address.
Mar 25 15:04:44 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:44 localhost usermod[26807]: change user `newuser' GID from `0' to `0'


Mar 25 15:04:59 localhost sshd[26826]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:59 localhost sshd[26826]: fatal: Cannot bind any address.
Mar 25 15:04:59 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:59 localhost usermod[26845]: change user `newuser' GID from `0' to `0'


Again it keeps executing every 15 seconds.
A newuser is being created, and my /etc/hosts.deny file is getting emptied.

Some script has been written and I am not able to trace the script.
Please, could anybody help me trace the script?


thanks in advance
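As an added example (not from the thread or its posters), here is a small Python checker that parses /var/log/secure lines like the ones above and reports what a defender would want flagged: an account being moved into GID 0, repeated password changes for the same user, sshd failing to bind, and whether those events recur at a fixed interval (a constant spacing points to a loop rather than a person). The sample text is a constructed copy of the excerpt with one extra iteration at 15:05:14 so the interval check has three points; INDICATORS, analyse and is_suspicious are my names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the /var/log/secure excerpt in this thread, with one
# extra iteration (15:05:14) added so the periodicity check has three data points.
SAMPLE_SECURE = """\
Mar 25 15:04:44 localhost sshd[26788]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:44 localhost sshd[26788]: fatal: Cannot bind any address.
Mar 25 15:04:44 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:44 localhost usermod[26807]: change user `newuser' GID from `0' to `0'
Mar 25 15:04:59 localhost sshd[26826]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:59 localhost sshd[26826]: fatal: Cannot bind any address.
Mar 25 15:04:59 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:59 localhost usermod[26845]: change user `newuser' GID from `0' to `0'
Mar 25 15:05:14 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:05:14 localhost usermod[26871]: change user `newuser' GID from `0' to `0'
"""

# Classic syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"; the pid part is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message-level indicators, each derived from a line seen in the thread (my naming).
INDICATORS = {
    "gid_set_to_root": re.compile(r"change user `(?P<user>[^']+)' GID from `\d+' to `0'"),
    "password_changed": re.compile(r"password changed for (?P<user>\S+)"),
    "sshd_bind_failed": re.compile(r"Bind to port \d+ on \S+ failed"),
}


def parse_line(line, year=2013):
    """Split one syslog line into fields; the year is absent from the line, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "prog": m.group("prog").strip(),
            "pid": m.group("pid"), "msg": m.group("msg")}


def analyse(text):
    """Per indicator: how many times it fired, which users it named, and the fixed
    spacing in seconds between occurrences (None if the spacing is not constant)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in INDICATORS.items():
            m = rx.search(rec["msg"])
            if m:
                hits[name].append((rec["ts"], m.groupdict().get("user")))
    report = {}
    for name, events in hits.items():
        times = sorted({ts for ts, _ in events})
        deltas = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[name] = {
            "count": len(events),
            "users": sorted({u for _, u in events if u}),
            "interval_seconds": deltas[0] if deltas and len(set(deltas)) == 1 else None,
        }
    return report


def is_suspicious(report):
    """Any account landing in GID 0, or any indicator repeating at a fixed interval, merits a look."""
    if "gid_set_to_root" in report:
        return True
    return any(r["interval_seconds"] is not None for r in report.values())


if __name__ == "__main__":
    rep = analyse(SAMPLE_SECURE)
    for name, r in sorted(rep.items()):
        print(f"{name}: {r['count']} hit(s), users={r['users']}, every {r['interval_seconds']}s")
    print("suspicious:", is_suspicious(rep))
```

On a real box you would feed it the file contents instead of SAMPLE_SECURE; the constant 15-second spacing it reports for every indicator is exactly the clue the thread ends up chasing.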
 
Old 03-25-2013, 09:02 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,887

Rep: Reputation: 4258
Quote:
Originally Posted by vineethsp View Post
I opened my log by
tail -f /var/log/messages

and i get the following output
Code:
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
this keeps executing every 15 seconds
Ok...so did you run the "sealert -l" command, as was given to you by the system?? What did it say?
Quote:
and when i open the following log
tail -f /var/log/secure

i get
Code:
Mar 25 15:04:44 localhost sshd[26788]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:44 localhost sshd[26788]: fatal: Cannot bind any address.
Mar 25 15:04:44 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:44 localhost usermod[26807]: change user `newuser' GID from `0' to `0'
again keeps executing every 15 seconds A newuser is being created, my /etc/hosts.deny file is getting emptied some script has been written and i am not able to trace the script. please anybody could help me trace the script
We can try, but you need to tell us what you've done already..how have you tried to 'trace' the script? What have you looked at already? Version/distro of Linux? Is this server internet-facing? DMZ? Internal? How long has this been happening? What has changed recently? ANY details at all????

Basics would be for you to check cron for ALL your users, and the /etc/cron* directories for any entries there. Look for scripts that are sleeping, and look into them. Check SELinux (as your system TOLD you to). Check your /etc/passwd file for any suspicious new users, and remove them, along with their /etc/shadow entries (make BACKUPS first). There are LOTS of other steps to take, depending on your environment, but without details, we can't guess.
 
1 members found this post helpful.
Old 03-26-2013, 09:52 PM   #3
vineethsp
LQ Newbie
 
Registered: Mar 2013
Location: India
Distribution: RedHat Enterprise Linux Server Edition 5.5
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
Ok...so did you run the "sealert -l" command, as was given to you by the system?? What did it say?

We can try, but you need to tell us what you've done already..how have you tried to 'trace' the script? What have you looked at already? Version/distro of Linux? Is this server internet-facing? DMZ? Internal? How long has this been happening? What has changed recently? ANY details at all????

Basics would be for you to check cron for ALL your users, and the /etc/cron* directories for any entries there. Look for scripts that are sleeping, and look into them. Check SELinux (as your system TOLD you to). Check your /etc/passwd file for any suspicious new users, and remove them, along with their /etc/shadow entries (make BACKUPS first). There are LOTS of other steps to take, depending on your environment, but without details, we can't guess.

Actually some other user got into my workstation while I was away and wrote a script and has kept it somewhere that keeps triggering itself every 15 seconds. He is creating a 'newuser' with password 'newuser' every 15 seconds, the services sshd and network get restarted and iptables is getting stopped. Also my entries in /etc/hosts.deny are flushed. Apparently he wants access to my workstation via ssh. He also used ssh-copy-id so that he can access it without a password, but since I have disabled it in /etc/ssh/sshd_config he cannot access it with the copied key. But the newuser he creates gets root privileges, as it also changes its uid and gid to '0'.
I checked all the cron I know, from 'crontab -e' to /etc/cron*. Also I think cron can execute at an interval of minimum 1 minute, so what can make the script run every 15 seconds? Perhaps that would help me find where that script resides.
I am using RHEL 5.5
 
Old 03-27-2013, 09:01 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,887

Rep: Reputation: 4258
Quote:
Originally Posted by vineethsp View Post
Actually some other user got into my workstation while I was away and wrote a script and has kept it somewhere that keeps triggering itself every 15 seconds. He is creating a 'newuser' with password 'newuser' every 15 seconds, the services sshd and network get restarted and iptables is getting stopped. Also my entries in /etc/hosts.deny are flushed. Apparently he wants access to my workstation via ssh. He also used ssh-copy-id so that he can access it without a password, but since I have disabled it in /etc/ssh/sshd_config he cannot access it with the copied key. But the newuser he creates gets root privileges, as it also changes its uid and gid to '0'.
I checked all the cron I know, from 'crontab -e' to /etc/cron*. Also I think cron can execute at an interval of minimum 1 minute, so what can make the script run every 15 seconds? Perhaps that would help me find where that script resides.
I am using RHEL 5.5
Ok..AGAIN
  • Have you run the "sealert -l" command, as was given to you by the system??
  • What did it say?
  • Check cron for ALL your users.
  • Check the /etc/cron* directories for any entries there.
  • Look for scripts that are sleeping, and look into them.
Have you done any of these things, as they were suggested to you previously?? If you want to check things with no chance of the other user having access, then unplug your network line. Disable the SSH SERVER on your workstation, along with any other services you can. Get IP and MAC addresses from your system logs.

And most importantly, if this is your work machine, go tell your boss this happened, and tell them who did it. Problem solved.
 
Old 03-27-2013, 11:12 PM   #5
vineethsp
LQ Newbie
 
Registered: Mar 2013
Location: India
Distribution: RedHat Enterprise Linux Server Edition 5.5
Posts: 13

Original Poster
Rep: Reputation: Disabled
Smile

Quote:
Originally Posted by TB0ne View Post
Ok..AGAIN
  • Have you run the "sealert -l" command, as was given to you by the system??
  • What did it say?
  • Check cron for ALL your users.
  • Check the /etc/cron* directories for any entries there.
  • Look for scripts that are sleeping, and look into them.
Have you done any of these things, as they were suggested to you previously?? If you want to check things with no chance of the other user having access, then unplug your network line. Disable the SSH SERVER on your workstation, along with any other services you can. Get IP and MAC addresses from your system logs.

And most importantly, if this is your work machine, go tell your boss this happened, and tell them who did it. Problem solved.
  • I tried sealert -l which gave
Quote:
# sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c

Summary:

SELinux is preventing nscd (nscd_t) "connectto" to
/var/run/setrans/.setrans-unix (init_t).

Detailed Description:

SELinux denied access requested by nscd. It is not expected that this access is
required by nscd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context root:system_r:nscd_t:SystemLow-SystemHigh
Target Context system_u:system_r:init_t
Target Objects /var/run/setrans/.setrans-unix [
unix_stream_socket ]
Source nscd
Source Path /usr/sbin/nscd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages nscd-2.5-49
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-194.el5PAE #1
SMP Tue Mar 16 22:00:21 EDT 2010 i686 i686
Alert Count 13312
First Seen Tue Feb 26 15:58:50 2013
Last Seen Thu Mar 28 09:23:05 2013
Local ID 2e99925e-bc2e-4649-a547-058996e1da8c
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1364442785.74:472): avc: denied { connectto } for pid=3756 comm="nscd" path="/var/run/setrans/.setrans-unix" scontext=root:system_r:nscd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1364442785.74:472): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa5d080 a2=bf9ff4 a3=bfa5d09a items=0 ppid=3750 pid=3756 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=6 comm="nscd" exe="/usr/sbin/nscd" subj=root:system_r:nscd_t:s0-s0:c0.c1023 key=(null)
  • I checked the cron (all in /etc/cron* and crontab -e for root and newuser); there are no entries in it. Moreover, as per my knowledge cron has a minimum interval of at least 1 min. If there is any method to make a cron entry in seconds, please tell that too.
  • How to check for sleeping scripts? Please help me, I am new to this.
  • Here we are in training. So I can solve this once and for all by reinstalling RHEL 5.5. But it's not the solution for this. I have disabled the ssh service but then the script starts it again. Instead of complaining to the manager I wud rather prefer to solve it. It's rather a learning machine than a work machine.
 
Old 03-27-2013, 11:24 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,362

Rep: Reputation: 2377
Use top and watch for the script, it'll be fairly obvious. Note that you can write your own daemon to run as often as you want (at least down to every second).

Check top by user
Code:
top -u <user>
Daemon init
Code:
nohup mydaemon &
& basic (pseudo) code content
Code:
while true      # ie forever
do
    do_process
    sleep 15    # seconds
done
 
2 members found this post helpful.
Old 03-28-2013, 09:47 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,887

Rep: Reputation: 4258
Quote:
Originally Posted by vineethsp View Post
  • I tried sealert -l which gave
Ok, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.
Quote:
  • I checked the cron (all in /etc/cron* and crontab -e for root and newuser); there are no entries in it. Moreover, as per my knowledge cron has a minimum interval of at least 1 min. If there is any method to make a cron entry in seconds, please tell that too.
You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.
Quote:
  • How to check for sleeping scripts? Please help me, I am new to this.
You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.
Quote:
  • Here we are in training. So I can solve this once and for all by reinstalling RHEL 5.5. But it's not the solution for this. I have disabled the ssh service but then the script starts it again. Instead of complaining to the manager I wud rather prefer to solve it. It's rather a learning machine than a work machine.
Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.
 
1 members found this post helpful.
Old 04-01-2013, 01:34 AM   #8
vineethsp
LQ Newbie
 
Registered: Mar 2013
Location: India
Distribution: RedHat Enterprise Linux Server Edition 5.5
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
Ok, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.

You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.

You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.

Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.
In ps -el I searched for the PID it is giving but it's not there; instead the next PID is sleep (i.e. if pid=3756 with sealert, then in ps -el there is no such pid, but pid=3757 is a sleep process, and the parent process of sleep is clock).
The clock command determines the processor time. So how can I find what scripts are written for that particular interval?
 
Old 04-13-2013, 02:09 AM   #9
vineethsp
LQ Newbie
 
Registered: Mar 2013
Location: India
Distribution: RedHat Enterprise Linux Server Edition 5.5
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
Ok, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.

You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.

You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.

Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.

Thanks TB0ne for suggesting that I look into the sealert -l command; I got the PID from it.
But then that PID was not found in ps -el; instead its next PID was "sleep",
so I wrote a script that had an infinite loop and gave ps -el as standard output to a file; the command associated with that PID was named "clock".

Apparently the script was written inside the script file named "clock", so I searched for the file named "clock" using the "find" command, and there I got the script, consisting of restarting sshd, creating a new root user, clearing hosts.deny etc.

This script was running in the background as

Quote:
sh clock.sh &
Thanks for your support.. cheerz...
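As an added example (not the poster's script, nor code from anyone in the thread), here is the process-tree lookup the thread converges on, done in Python over a `ps -eo pid,ppid,comm,args` snapshot: find every sleep process, walk up to its parent and, when that parent is a shell interpreter, name the script file it is running, which is the file the poster then located with find. The sample table below is constructed to mirror the thread (PIDs 3750/3756/3757 and the clock.sh name are illustrative), and parse_ps, find_sleep_loops, guess_script, ancestry and live_ps are my names.

```python
import os
import shlex
import subprocess

# Constructed sample of `ps -eo pid,ppid,comm,args` output, modelled on the thread:
# a sleep whose parent is a shell running a script in an endless loop.
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 init            /sbin/init
 2001     1 sshd            /usr/sbin/sshd
 3750     1 sh              sh clock.sh
 3756  3750 nscd            /usr/sbin/nscd
 3757  3750 sleep           sleep 15
 4100  2001 bash            -bash
"""

SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}


def live_ps():
    """Read the real process table (needs procps `ps`); the sample run below does not call it."""
    return subprocess.run(["ps", "-eo", "pid,ppid,comm,args"],
                          capture_output=True, text=True, check=True).stdout


def parse_ps(text):
    """Turn ps output into {pid: {"ppid", "comm", "args"}}; args keeps its embedded spaces."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, comm, args = parts
        procs[int(pid)] = {"ppid": int(ppid), "comm": comm, "args": args}
    return procs


def guess_script(args):
    """If the command is a shell interpreter, the first non-option argument is the script file;
    otherwise the executable itself is what runs the loop."""
    toks = shlex.split(args)
    if not toks:
        return None
    interp = os.path.basename(toks[0]).lstrip("-")   # "-bash" is a login shell
    if interp in SHELLS:
        for t in toks[1:]:
            if not t.startswith("-"):
                return t
        return None
    return toks[0]


def ancestry(procs, pid):
    """Chain of (pid, comm) from a process up to init; lets you see whether crond is an ancestor."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["comm"]))
        pid = procs[pid]["ppid"]
    return chain


def find_sleep_loops(procs, sleepers=("sleep",)):
    """For each sleep process report its parent and the script that parent is running."""
    findings = []
    for pid, p in sorted(procs.items()):
        if p["comm"] not in sleepers:
            continue
        parent = procs.get(p["ppid"])
        if parent is None:
            continue
        findings.append({
            "sleep_pid": pid,
            "parent_pid": p["ppid"],
            "parent_comm": parent["comm"],
            "parent_args": parent["args"],
            "script": guess_script(parent["args"]),
            "ancestry": ancestry(procs, p["ppid"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_sleep_loops(parse_ps(SAMPLE_PS)):
        print(f"sleep pid {f['sleep_pid']} <- pid {f['parent_pid']} ({f['parent_args']}); "
              f"script={f['script']}; chain={f['ancestry']}")
```

To inspect a real machine, pass live_ps() to parse_ps instead of SAMPLE_PS. A loop started by hand shows its shell parented directly by init (or by the shell it was launched from) with no crond in the chain, which is why checking cron alone, as the poster did, found nothing.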
 
  

