I've come across this thread as I'm experiencing the same problem regarding Segmentation Faults when executing the ls and mkdir commands. I'm running this server at home as a hobby so it's not really a critical machine.
In my case, there is a further behaviour which seems rather strange. I first noticed the following ModProbe message:
Can't locate these modules:
net-pf-14: 1 Time(s)
ppp0: 3 Time(s)
When I tried to log on to the server as root, it got as far as:
Last login: .....
but never got the linux prompt.
I can, however, log in as my user and 'su' root.
Once as root, I copied the ls binary from a backup taken prior to the Segmentation Fault, and the command started to work again.
I can log out and log back in as my user and everything still seems to be fine.
The strange thing is that if I try to log in as root it will get stuck at the Last login: ... message and the segmentation faults begin again.
Any ideas?
Problem is you didn't post any true "evidence" for a rootkit, but from what I've read on the SF incidents mailing list this sure would indicate it.
Here's my recipe:
- Stay calm.
- Disconnect the box from the network. If necessary, inform any other parties that have (had) access to accounts on the box. If applicable, cut off net access for the LAN.
- Shut down the box NOW and do not reboot it again.
- Now make a choice: search for evidence or go ahead and mop up.
If you choose for mopping up then proceed with this:
- If you have spare disk space on another box, and provided you want to find out, hook up the disk(s) to that box and make a copy of the entire disk using "dd", booting the other box's OS, not the one from the disks you just hooked up. Else, if you don't have that much spare space, you might want to tar up the contents of at least the config dir (/etc) and your temp and log dirs (/var). At least you'll have a chance to look at your logs. You do this either by hooking up the disk(s) to another box, or by booting some rescue cdrom/floppy without touching the OS on the disk.
- If you don't want to find out, save any HUMAN READABLE data of choice: that is NOT binaries and NOT anything else.
- If applicable, audit any other boxen on your LAN before proceeding, then execute the three R's: repartition, reformat and reinstall from scratch. Now harden the box, renew all passwords etc etc.
If you choose for searching for evidence, I'll try to make it as clear as I can but it will not be easy if you're a total newbie I'm afraid and then mopping up may be your only choice.
Whatever you choose, DO NOT reboot the box before it's sterilised.
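The copy step from the recipe above, as an added example that is not part of the original posts: image the suspect disk with dd from the analysis box and verify the copy by hash, or, when space is short, archive only /etc and /var from a read-only mount. The function names, /dev/sdb, /mnt/suspect and /evidence/case1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Run from the analysis box or rescue media, never from the
# OS on the suspect disk. Device names and paths are assumptions.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# image_disk SRC OUT_DIR
# SRC: the suspect disk as seen by the analysis box (e.g. /dev/sdb), unmounted.
# Writes OUT_DIR/disk.img, the dd log and both hashes; succeeds only if the
# image hashes identically to the source.
image_disk() {
    src=$1; out=$2
    mkdir -p "$out" || return 1
    dd if="$src" of="$out/disk.img" bs=65536 2>"$out/dd.log" || return 1
    src_sum=$(sha256_of "$src") || return 1
    img_sum=$(sha256_of "$out/disk.img") || return 1
    printf '%s  source\n%s  disk.img\n' "$src_sum" "$img_sum" > "$out/disk.sha256"
    [ -n "$src_sum" ] && [ "$src_sum" = "$img_sum" ]
}

# archive_logs ROOT OUT_DIR
# ROOT: mount point of the suspect filesystem, mounted read-only, e.g.
#   mount -o ro,noexec,nodev /dev/sdb1 /mnt/suspect
# Tars up etc and var (config, temp and log dirs) and records the archive hash.
archive_logs() {
    root=$1; out=$2
    [ -d "$root/etc" ] && [ -d "$root/var" ] || return 1
    mkdir -p "$out" || return 1
    tar -C "$root" -cpf "$out/etc-var.tar" etc var || return 1
    sha256_of "$out/etc-var.tar" > "$out/etc-var.tar.sha256"
}

# Usage (assumed names):
#   image_disk /dev/sdb /evidence/case1
#   archive_logs /mnt/suspect /evidence/case1
```

Keep the recorded hashes with the image so later analysis can show the copy was not altered.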