LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-30-2011, 08:03 PM   #1
murray42
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Rep: Reputation: Disabled
Segfault in dirname and su


So here's the scoop. I am running Slackware 13.1 and all was well; I tried to install PHP from source and ran into issues. There are some issues with the install but I am more concerned about some other issues. After installing php I noticed it took a long time to get from entering my password to a usable shell prompt; hitting control+c brought me to a usable prompt but with no colors and the prompt was missing the CWD. I have renamed dircolor and now can log in quickly. Last year I was rooted through a proftp exploit and had a similar symptom, and had to reinstall from scratch. This time I went and downloaded chkrootkit and it indicates the system is clean. But su and dirname both segfault when called, so I am wondering what to do.
 
Old 07-30-2011, 10:29 PM   #2
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
You should have rkhunter set up right from the beginning of your next system, but for now you should unplug your server from the network and reinstall.
 
0 members found this post helpful.
Old 07-30-2011, 11:11 PM   #3
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,651

Rep: Reputation: 1772
You could try reinstalling the package using the upgradepkg --reinstall parameter.
 
0 members found this post helpful.
Old 07-30-2011, 11:14 PM   #4
murray42
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by willysr View Post
You could try reinstalling the package using the upgradepkg --reinstall parameter.
Which pkg to reinstall? I've tried reinstalling coreutils to no avail.
 
Old 07-30-2011, 11:54 PM   #5
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Rep: Reputation: 282
su is in shadow
sudo is in sudo
 
Old 07-31-2011, 12:30 AM   #6
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,651

Rep: Reputation: 1772
You can use slackpkg to help you:
Code:
willysr@desktop:~$ slackpkg file-search sudo

Looking for sudo in package list. Please wait... DONE

The list below shows the packages that contains "sudo" file.

[ installed ] - sudo-1.7.4p6-i486-1
[uninstalled] - zsh-4.3.11-i486-1

willysr@desktop:~$ slackpkg file-search su

Looking for su in package list. Please wait... DONE

The list below shows the packages that contains "su" file.

[ installed ] - shadow-4.1.4.3-i486-2
[ installed ] - ruby-1.9.1_p431-i486-1
[  upgrade  ] - kdelibs-4.6.5-i486-1alien --> kdelibs-4.5.5-i486-2
[uninstalled] - kde-l10n-es-4.5.5-noarch-3
[uninstalled] - kde-l10n-it-4.5.5-noarch-3
[uninstalled] - kde-l10n-ml-4.5.5-noarch-3
[uninstalled] - kde-l10n-pt_BR-4.5.5-noarch-3
[ installed ] - nmap-5.51-i486-1
[ installed ] - tetex-3.0-i486-8
[ installed ] - xkeyboard-config-2.2.1-noarch-1
After that, you can trim down the possibilities.
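As an added offline example (not code from the thread or from any poster) of what the slackpkg file-search above is doing, the script below reads records in the layout installpkg writes to /var/log/packages/<pkg> to answer which installed package owns a given file, and then checks that every file a package installed is still present on disk. The two package records and the fake root are constructed in temporary directories; the coreutils version string is made up.

```shell
#!/bin/sh
# Added example, not from the thread: answer "which package owns this file?"
# and "is every file that package installed still there?" offline, by reading
# records in the layout installpkg writes to /var/log/packages/<pkg>. The two
# records and the fake root below are constructed samples; the coreutils
# version string is made up.
set -eu

PKGDB="$(mktemp -d)"   # stands in for /var/log/packages
ROOT="$(mktemp -d)"    # stands in for /
trap 'rm -rf "$PKGDB" "$ROOT"' EXIT

# Constructed records, trimmed to the fields that matter here.
cat >"$PKGDB/shadow-4.1.4.3-i486-2" <<'EOF'
PACKAGE NAME:     shadow-4.1.4.3-i486-2
PACKAGE LOCATION: ./shadow-4.1.4.3-i486-2.txz
PACKAGE DESCRIPTION:
shadow: shadow (shadow password suite)
FILE LIST:
./
bin/
bin/su
bin/login
usr/
usr/bin/
usr/bin/chage
install/
install/slack-desc
EOF

cat >"$PKGDB/coreutils-8.5-i486-1" <<'EOF'
PACKAGE NAME:     coreutils-8.5-i486-1
PACKAGE LOCATION: ./coreutils-8.5-i486-1.txz
PACKAGE DESCRIPTION:
coreutils: coreutils (core GNU utilities)
FILE LIST:
./
bin/
bin/dirname
usr/
usr/bin/
usr/bin/dircolors
EOF

# Fake root: usr/bin/chage is deliberately absent, to mimic a lost binary.
mkdir -p "$ROOT/bin" "$ROOT/usr/bin"
: >"$ROOT/bin/su"; : >"$ROOT/bin/login"; : >"$ROOT/bin/dirname"; : >"$ROOT/usr/bin/dircolors"

pkg_owning() {
    # $1 is a path relative to /, e.g. bin/su. Prints every installed package
    # whose FILE LIST contains exactly that path (the offline counterpart of
    # "slackpkg file-search", which matches substrings).
    for rec in "$PKGDB"/*; do
        if awk -v want="$1" '/^FILE LIST:/ { in_list = 1; next }
                              in_list && $0 == want { found = 1 }
                              END { exit !found }' "$rec"; then
            basename "$rec"
        fi
    done
    return 0
}

missing_files() {
    # $1 is a package name. Prints each file from its FILE LIST that no
    # longer exists under $ROOT. Directory entries (trailing /) and the
    # install/ metadata, which installpkg does not copy to /, are skipped.
    awk '/^FILE LIST:/ { in_list = 1; next }
         in_list && $0 !~ /\/$/ && $0 !~ /^install\// { print }' "$PKGDB/$1" |
    while IFS= read -r f; do
        [ -e "$ROOT/$f" ] || printf '%s\n' "$f"
    done
    return 0
}

# On a live Slackware system: PKGDB=/var/log/packages ROOT=/
echo "bin/su belongs to:      $(pkg_owning bin/su)"
echo "bin/dirname belongs to: $(pkg_owning bin/dirname)"
echo "missing from shadow:    $(missing_files shadow-4.1.4.3-i486-2)"
```

On a live Slackware system point PKGDB at /var/log/packages and ROOT at /. A record whose files have gone missing tells you which package to look at; note that the records carry no checksums, so this confirms presence, not integrity. To check integrity, compare the installed binary against the copy inside the original .txz from the install media or a mirror before deciding whether a reinstall is the right fix.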
 
Old 07-31-2011, 08:57 AM   #7
murray42
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks, folks. I reinstalled shadow and coreutils and there is no more segfault on su or dirname, BUT after a reboot I can no longer log in at the console. I type my user name, hit return, and rather than a password prompt it returns to the login prompt. I can log in remotely via SSH from my smartphone (the server is a home firewall/router/fileserver and web host for family photos). Currently we don't have a PC due to a bad power supply taking out the desktop mobo.
 
Old 07-31-2011, 09:20 AM   #8
murray42
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Sorry about the disjointed posts; I just downloaded the LQ app. Previously I was using the web interface on my phone, so it was a bit hard to read and type. Also I am somewhat stressed about the machine.
 
Old 07-31-2011, 12:05 PM   #9
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,651

Rep: Reputation: 1772
Check the content of your /etc/shadow;
probably it's overwritten.
 
Old 07-31-2011, 04:23 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by willysr View Post
You could try reinstalling the package using the upgradepkg --reinstall parameter.
Binaries with common dependencies do not break without reason. If you do not offer to find out the reasons why but instead blithely offer to reinstall binaries as if the cause does not matter at all, then your skills IMHO lack the necessary foundation. If you do not understand the reasons for performing basic diagnostics before doing anything else, please do some research.


Quote:
Originally Posted by Web31337 View Post
now you should unplug your server from the network and reinstall.
In addition to what I wrote above, with Linux security in mind this is seriously bad advice. I have told you before and quite explicitly you are not to offer that advice. I even gave you the reasons why (#18|#16).


Now I'll move this thread to the Linux Security forum to see if there's any cause for concern.

Last edited by unSpawn; 07-31-2011 at 04:29 PM.
 
Old 07-31-2011, 04:42 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by murray42 View Post
I am running Slackware 13.1 and all was well,
- Was the machine hardened properly before exposing it to the 'net?
- What services does the machine expose (DNS, HTTP, SSH, or what else) and what is provided through the web stack (bulletin boards, web log software, shopping carts, statistics, web-based management panels, what else)?
- Do you keep off-site backups and if you do how far back do they go?


Quote:
Originally Posted by murray42 View Post
I tried to install PHP from source and ran into issues. There are some issues with the install but I am more concerned about some other issues. After installing php I noticed it took a long time to get from entering my password to a usable shell prompt, hitting control+c brought me to a usable prompt (..)
- When did these problems start to manifest themselves?
- Please don't say "issues" but name and describe each one of them, as they may be related or provide an indication.


Quote:
Originally Posted by murray42 View Post
this time I went and downloaded chkrootkit and it indicates system is clean. But su and dirname both segfault when called so I am wondering what to do.
- When did this segfaulting start?
- How did you diagnose this other than running Chkrootkit? Looked at login records? Logs? Anything else worth mentioning?
 
1 members found this post helpful.
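Two of the basic checks asked for in this post ("Looked at login records? Logs?") and in willysr's "check the content of your /etc/shadow" reply, as an added shell example that is not code from the thread or from any poster: summarising the kernel's segfault reports from syslog per program, and validating the shape of each /etc/shadow entry. The syslog lines and shadow entries are constructed samples with a made-up host, PIDs and addresses and placeholder hashes, not data from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: two offline checks in the spirit of
# "look at the logs" and "check the content of /etc/shadow". The syslog
# lines and shadow entries below are constructed samples (made-up host,
# PIDs, addresses and hashes), not data from the poster's machine.
set -eu

segfault_summary() {
    # Reads syslog lines on stdin. Prints "program count" for every program
    # the kernel reported a segfault for, one per line, sorted by name.
    # Handles both "kernel: prog[pid]: segfault at" and the variant with a
    # printk timestamp, "kernel: [ 123.456] prog[pid]: segfault at".
    awk '/kernel: .*segfault at/ {
            line = $0
            sub(/.*kernel: */, "", line)          # drop the syslog prefix
            sub(/^\[ *[0-9.]+\] */, "", line)      # drop a printk timestamp, if any
            sub(/\[.*/, "", line)                  # keep the program name before "[pid]"
            count[line]++
        }
        END { for (p in count) print p, count[p] }' | sort
}

check_shadow() {
    # Reads shadow(5)-format lines on stdin and prints one line per problem:
    # wrong field count (a truncated or overwritten file), empty user name,
    # empty password field (the account logs in without a password), or a
    # password field that is neither a lock marker nor a recognised hash.
    # Prints nothing and returns 0 when every entry looks sane, 1 otherwise.
    awk -F: '
        BEGIN { bad = 0 }
        NF != 9  { printf "line %d: expected 9 fields, got %d\n", NR, NF; bad = 1; next }
        $1 == "" { printf "line %d: empty user name\n", NR; bad = 1; next }
        $2 == "" { printf "line %d: %s has an empty password field\n", NR, $1; bad = 1; next }
        $2 == "*" || $2 ~ /^!/ { next }          # locked account, nothing to report
        $2 !~ /^\$[156]\$/ && length($2) != 13 {  # crypt(3) MD5/SHA-256/SHA-512, or 13-char DES
            printf "line %d: %s has an unrecognised password hash\n", NR, $1; bad = 1
        }
        END { exit bad }'
}

# --- constructed sample input ---------------------------------------------
SAMPLE_LOG='Jul 30 19:02:11 gw kernel: dirname[2143]: segfault at 0 ip 08049a3b sp bfc7a2d0 error 4 in dirname[8048000+3000]
Jul 30 19:05:40 gw kernel: su[2201]: segfault at 0 ip b76e1c4f sp bfa0e110 error 4 in libc-2.11.1.so[b7670000+15a000]
Jul 30 19:06:02 gw sshd[2210]: Accepted password for murray from 10.0.0.5 port 51234 ssh2
Jul 30 19:07:15 gw kernel: [ 4311.221987] dirname[2233]: segfault at 0 ip 08049a3b sp bfc7a2d0 error 4 in dirname[8048000+3000]'

# Placeholder hashes: the salt/hash text is fake, not a real password hash.
SAMPLE_SHADOW='root:$1$fakesalt$FAKEHASHFAKEHASHFAKEHA:15186:0:::::
murray:$1$fakesalt$FAKEHASHFAKEHASHFAKEHA:15186:0:99999:7:::
daemon:*:9797:0:::::
broken:15186:0:99999:7:::
guest::15186:0:99999:7:::'

# On a live system replace the samples with:
#   grep -h segfault /var/log/messages* | segfault_summary
#   check_shadow < /etc/shadow        (as root)
printf '%s\n' "$SAMPLE_LOG" | segfault_summary
printf '%s\n' "$SAMPLE_SHADOW" | check_shadow || echo "shadow: problems found"
```

The log summary says which binaries are crashing and how often, which is the first question to settle before reinstalling anything; the shadow check catches the truncated or passwordless entries that would explain a console login bouncing straight back to the prompt. The login-records half of the question is covered separately by last and lastlog on the live system.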
Old 07-31-2011, 05:44 PM   #12
murray42
LQ Newbie
 
Registered: Jul 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Since the reinstall last year I use the machine as:

Router/Firewall using homeLanSecurity script for iptables.
DHCP for home network
Fileserver using Samba for my windows 7 box and wii (softmodded streaming videos over SMB with WiiMC)
Subsonic (standalone java web based media streamer)
Static webhost (links to some videos and photos for family)
The only services I intended to expose externally were SSH/HTTP/Subsonic.


After the power supply blew (smoke and all) in my Windows box I decided to start using the Slackware box as a desktop, so I am now using xfce4 as WM; basically the only apps I ever run are ktorrent and firefox.

Problems arose when I decided to install Gallery2 to host the pictures from my wedding and allow people to upload to the server. I had done something similar 2.5 years ago when my daughter was born but simply hadn't gotten around to reinstalling the application after the reformat last year.

I realized I didn't have PHP installed and so I went to install the package, but the package kept hanging during installpkg (I was distracted by said 2.5-year-old), so I decided to simply compile from source and be done with it (by the time it was finished compiling, mom would be awake with the toddler). When I attempted make install I noticed it took a LONG time (10+ minutes) but then it seemed fine.

I enabled modphp in httpd.conf but then ran into 403 errors. I played with the DirectoryIndex and added index.php, and if I renamed index.html to index.php it worked fine, but if I specified index.html it simply spat out the HTML source. Not having time to mess with it I simply disabled PHP and figured I would try again another day.

Next day, I logged in at the console and it appeared to hang while logging in. I hit ctrl+c and got a bash prompt, but without the CWD in the prompt and no directory colors. I then switched virtual terminals and logged in again, switched back and ran ps auxw, and noticed that dircolor was hanging; I renamed /bin/dircolor and then could log in without delay. I then ran chkrootkit because I had similar issues in the past. I checked /var/log/messages and noticed that dirname was segfaulting (thus causing the installpkg issues). That's when I tried to su and got a segfault as well.


I then attempted to installpkg shadow but then couldn't log in at the console; fine through SSH.

To get a usable machine (to log in to copy the wedding photos, which I just copied to the machine this week and haven't backed up yet), I have extracted shadow and coreutils, then copied dirname, login and su to their correct places.


I am now downloading Slack 13.37 and am going to reinstall from scratch, hopefully doing a better job of securing the system next time (rkhunter installed at the get-go) and limiting my open services.


Quote:
Originally Posted by unSpawn View Post
- Was the machine hardened properly before exposing it to the 'net?
- What services does the machine expose (DNS, HTTP, SSH, or what else) and what is provided through the web stack (bulletin boards, web log software, shopping carts, statistics, web-based management panels, what else)?
- Do you keep off-site backups and if you do how far back do they go?



- When did these problems start to manifest themselves?
- Please don't say "issues" but name and describe each one of them, as they may be related or provide an indication.



- When did this segfaulting start?
- How did you diagnose this other than running Chkrootkit? Looked at login records? Logs? Anything else worth mentioning?
 
Old 08-01-2011, 01:20 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by murray42 View Post
I am now downloading slack 13.37 and am going to reinstall from scratch
Before commencing could I suggest you at least run the checks from the "Anything else" link I posted previously?


Quote:
Originally Posted by murray42 View Post
hopefully doing a better job of securing the system next time. (rkhunter installed at the getgo) and limit my open services.
Securing Linux should be straightforward but requires attention and discipline. It also requires more than installing a post-incident tool (as I pointed out earlier to this fellow LQ member, who cannot be trusted to provide anyone with any post-incident advice): see the Slackware security documentation, the Securing Debian manual and the various SANS Reading Room and OWASP documentation.
 
1 members found this post helpful.