LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-15-2003, 07:40 AM   #1
huzz
LQ Newbie
 
Registered: Jul 2003
Posts: 12

Rep: Reputation: 0
Segmentation fault in commands like ls, ln, mkdir


I am facing a weird problem.

I have Redhat 7.3 installed on my IBM Netfinity 3500 Server
( P2 450 MHz with 256 MB ECC RAM )

I have two LAN cards, one with a public IP and the other with a LAN IP.

My system was working fine. Suddenly one day I found

my system showing an error:
eth0 : promiscuous mode enabled

After that I removed the settings of my LAN card and the promiscuous mode problem was resolved, but

the segmentation fault still exists.

It gives the segmentation fault when commands like ls, ln, df are executed.

It also gives an error while shutting down the system:

modprobe : can't locate module ppp0

Please help as I am in great trouble.

Thanks ....



 
Old 07-15-2003, 07:47 AM   #2
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
If it's a server, are you sure you weren't being hacked? Maybe someone messed up your system... I would advise a clean reinstall in this case.

If you haven't been hacked, I don't know what happened... (Stay tuned, maybe someone has an explanation).
 
Old 07-15-2003, 07:56 AM   #3
huzz
LQ Newbie
 
Registered: Jul 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks for the reply

Quote:
Originally posted by mad_ady
If it's a server, are you sure you weren't being hacked? Maybe someone messed up your system... I would advise a clean reinstall in this case.

If you haven't been hacked, I don't know what happened... (Stay tuned, maybe someone has an explanation).
But I am very much sure that it wasn't hacked ...
 
Old 07-15-2003, 07:59 AM   #4
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
I would think that maybe a system library got corrupted (maybe glibc). This would explain why most programs fail. But I really don't know!
 
Old 07-15-2003, 07:50 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by huzz
My system was working fine. Suddenly one day I found my system showing an error: eth0 : promiscuous mode enabled. After that I removed the settings of my LAN card and the promiscuous mode problem was resolved.
Is this your personal box or one on a professional network?
If this is one on a professional network, and you do not run any "sniffer" (or libpcap-using) applications, you will first report this incident to the administrator. If this is a box in a SOHO network you control, you will prepare for disconnecting both physical ethernet connections and start investigating yourself. Apart from the possibilities I mentioned, having a device enter promiscuous mode does not happen all by itself. If you checked promiscuous mode using only "ifconfig", don't be surprised if "ip" (if installed) will still show it in promiscuous mode.


Quote:
Originally posted by huzz
But the segmentation fault still exists. It gives the segmentation fault when commands like ls, ln, df are executed.
This could be an indication there is a problem with one of the crucial libraries in /lib, or a matter of circumventing usage, a compromise.


Quote:
Originally posted by huzz
But I am very much sure that it wasn't hacked.
If you are so sure, please post a verbose report of what you did to determine that it was not compromised. Until you prove otherwise I am going to assert it is.

Making sure no one can use the box until it is determined secure will be your first task. This includes alerting anyone who had an account on the box or who relied on data from that box.

Next hook up the HD to another box and make a "dd" copy of the partitions if you want to have a go at determining what did go wrong. If you don't want to know, reboot the box with a rescue CD and save at least a copy of the logs, login records and the output of running "find" on all partitions. If you have an integrity checker like Aide, Samhain or Tripwire, use it. A very weak alternative would be to verify the files on the system using the rpm database, but if you don't have any of the aforementioned checkers installed, do so and save the output.

If you have to save files off the box, make sure you only copy *human readable* files; consider the rest lost.

Now reformat the box (*do* reformat) and install from scratch. Be sure to change all passes used on the box *and* network, secure and harden the box and start investigating the other boxen on the LAN.

Without a verbose report of what you did to determine that the box was not compromised and with the data you got off of the system,
I would like to invite you to open a thread in the Linux - Security forum and point this thread that way, or request the moderator to move this thread over there.
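As an added example (not code from unSpawn or anyone in this thread), here is a small POSIX shell script for two of the checks the post above points at: reading the promiscuous flag from "ip" output (since "ifconfig" alone may not show it) and picking the modified or missing core binaries out of "rpm -Va" output, the "very weak alternative" to a real integrity checker. The sample command output is constructed, and the /mnt/suspect mount point in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: two triage helpers for the checks
# unSpawn describes. Both read command output on stdin, so they work on
# output saved from a rescue CD as well as on a live box.

# promisc_ifaces: print interface names whose link flags include PROMISC.
# Feed it the output of "ip -o link show".
promisc_ifaces() {
    awk -F': ' '/<[^>]*PROMISC[^>]*>/ { sub(/@.*/, "", $2); print $2 }'
}

# rpm_suspects: from "rpm -Va" output, report files under the core binary
# and library directories that are missing or whose size (S), mode (M) or
# digest (5) no longer matches the package database. Config files
# (attribute "c") are skipped and a changed mtime alone (T) is ignored.
# Caveat: on a compromised box the rpm database itself may have been
# tampered with, so a clean report proves nothing; a dirty one still counts.
rpm_suspects() {
    awk '
        { path = $NF }
        path !~ /^\/(bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib|usr\/lib64)\// { next }
        $1 == "missing" { print "MISSING " path; next }
        NF == 3 && $2 == "c" { next }
        $1 ~ /[SM5]/ { print "MODIFIED " $1 " " path }
    '
}

# Constructed sample output standing in for the live commands.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

SAMPLE_RPM_VA='S.5....T.    /bin/ls
S.5....T.    /bin/ln
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/df
missing      /sbin/ifconfig
.M.......    /usr/lib/libexample.so
S.5....T.    /home/huzz/notes.txt'

# Demo run on the samples. With the suspect disk mounted under /mnt/suspect
# (assumed path) from a rescue CD, the live equivalents would be:
#   ip -o link show | promisc_ifaces
#   rpm -Va --root /mnt/suspect | rpm_suspects
echo "Interfaces in promiscuous mode:"
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
echo "Package files that no longer match the rpm database:"
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_suspects
```

Save the raw "ip" and "rpm -Va" output alongside the logs before filtering it, since the filter only keeps what it is told to look for.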
 
Old 07-16-2003, 02:26 AM   #6
huzz
LQ Newbie
 
Registered: Jul 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks unspawn

Quote:
Originally posted by unSpawn
My system was working fine. Suddenly one day I found my system showing an error: eth0 : promiscuous mode enabled. After that I removed the settings of my LAN card and the promiscuous mode problem was resolved.
Is this your personal box or one on a professional network?
If this is one on a professional network, and you do not run any "sniffer" (or libpcap-using) applications, you will first report this incident to the administrator. If this is a box in a SOHO network you control, you will prepare for disconnecting both physical ethernet connections and start investigating yourself. Apart from the possibilities I mentioned, having a device enter promiscuous mode does not happen all by itself. If you checked promiscuous mode using only "ifconfig", don't be surprised if "ip" (if installed) will still show it in promiscuous mode.


But the segmentation fault still exists. It gives the segmentation fault when commands like ls, ln, df are executed.
This could be an indication there is a problem with one of the crucial libraries in /lib, or a matter of circumventing usage, a compromise.


But I am very much sure that it wasn't hacked.
If you are so sure, please post a verbose report of what you did to determine that it was not compromised. Until you prove otherwise I am going to assert it is.

Making sure no one can use the box until it is determined secure will be your first task. This includes alerting anyone who had an account on the box or who relied on data from that box.

Next hook up the HD to another box and make a "dd" copy of the partitions if you want to have a go at determining what did go wrong. If you don't want to know, reboot the box with a rescue CD and save at least a copy of the logs, login records and the output of running "find" on all partitions. If you have an integrity checker like Aide, Samhain or Tripwire, use it. A very weak alternative would be to verify the files on the system using the rpm database, but if you don't have any of the aforementioned checkers installed, do so and save the output.

If you have to save files off the box, make sure you only copy *human readable* files; consider the rest lost.

Now reformat the box (*do* reformat) and install from scratch. Be sure to change all passes used on the box *and* network, secure and harden the box and start investigating the other boxen on the LAN.

Without a verbose report of what you did to determine that the box was not compromised and with the data you got off of the system,
I would like to invite you to open a thread in the Linux - Security forum and point this thread that way, or request the moderator to move this thread over there.
Thanks a lot for your reply.
But I am not a hardcore Linux user.

I did not understand what you meant to say.
 
Old 07-16-2003, 02:48 AM   #7
NoahsMyBro
LQ Newbie
 
Registered: Nov 2001
Location: NJ
Distribution: Mandrake 9.0
Posts: 4

Rep: Reputation: 0
I'm not very well seasoned where it comes to security, and I don't know what promiscuous mode means. BUT, I can offer this:
With the help of one other person (more experienced than I am with *nix), I manage several Linux servers at my company. Friday evening we started experiencing something similar to yours on 2 of the Linux boxes.

Errors appeared all over the place on the machines, each running RH7.3.

Simple, fundamental commands such as ls failed with a Segmentation Fault error.

It turns out, we had, believe it or not, a Linux virus. Until then we had always known such things existed, but didn't really believe it was anything worth worrying about.

Well, one of the boxes was fortunately not in production yet, so I reinstalled it from scratch. On the other box we tarred a complete copy of bin/ sbin/, etc.... and copied it to the snafu'd machine, which allowed us to install and run a Linux virus-scan/cleaner.

I don't know if this is your problem, but it might be worth checking into.

http://securityresponse.symantec.com....jac.8759.html
 
Old 07-16-2003, 03:12 AM   #8
huzz
LQ Newbie
 
Registered: Jul 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks Dear ...

Quote:
Originally posted by NoahsMyBro
I'm not very well seasoned where it comes to security, and I don't know what promiscuous mode means. BUT, I can offer this:
With the help of one other person (more experienced than I am with *nix), I manage several Linux servers at my company. Friday evening we started experiencing something similar to yours on 2 of the Linux boxes.

Errors appeared all over the place on the machines, each running RH7.3.

Simple, fundamental commands such as ls failed with a Segmentation Fault error.

It turns out, we had, believe it or not, a Linux virus. Until then we had always known such things existed, but didn't really believe it was anything worth worrying about.

Well, one of the boxes was fortunately not in production yet, so I reinstalled it from scratch. On the other box we tarred a complete copy of bin/ sbin/, etc.... and copied it to the snafu'd machine, which allowed us to install and run a Linux virus-scan/cleaner.

I don't know if this is your problem, but it might be worth checking into.

http://securityresponse.symantec.com....jac.8759.html
I am working on the same and will get back if I am able to solve the problem.
 
Old 07-16-2003, 09:42 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Re: Thanks unspawn

First of all I'd say you people had some service or app compromised. Chances it actually is Jac are low. Really low.


Quote:
Originally posted by huzz
Thanks a lot for your reply.
But I am not a hardcore Linux user.

That's what we're here for, to help you. But if you don't give enough feedback, then we can't help.

Quote:
Originally posted by huzz
I did not understand what you meant to say.
What part did you not understand?
And you don't want to make some effort trying to?
 
Old 07-16-2003, 10:36 PM   #10
huzz
LQ Newbie
 
Registered: Jul 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Re: Re: Thanks unspawn

Quote:
Originally posted by unSpawn
First of all I'd say you people had some service or app compromised. Chances it actually is Jac are low. Really low.


Thanks a lot for your reply.
But I am not a hardcore Linux user.

That's what we're here for, to help you. But if you don't give enough feedback, then we can't help.

I did not understand what you meant to say.
What part did you not understand?
And you don't want to make some effort trying to?
Yes unspawn

You are perfectly correct, it is not Jac.

I verified the files with the vaccine and nothing was found.

Probably some other problem.
The problem is still there ...
but suddenly the ls command has started to work.

Some magic .............

Thanks anyway
 
Old 07-17-2003, 01:29 AM   #11
mad_ady
Member
 
Registered: Jan 2003
Location: I'm all in your mind!
Distribution: Debian
Posts: 248

Rep: Reputation: 30
Don't assume that everything is all right if ls works now. I would suggest you do a clean reinstall because otherwise you might have nasty problems in the future.
 
Old 07-17-2003, 07:39 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Huzz, I'll try this one more time because I think English is not your first language, right?

You have a problem with your Linux PC.
You will need to see where the problem is.

For some problems it is easy to find a solution.
For other problems it is not, because it is not easy to see what exactly causes a problem.

I don't know what else to say to get this message through to you, so: if you want to fix it, read my first post again.
If you do not want to fix it, format the hard drive(s) and install Linux again. Fixing your current installation is NOT going to fix things in the long run.
 
Old 07-17-2003, 07:52 AM   #13
huzz
LQ Newbie
 
Registered: Jul 2003
Posts: 12

Original Poster
Rep: Reputation: 0
Thanks unspawn for the concern you are showing..

Quote:
Originally posted by unSpawn
Huzz, I'll try this one more time because I think English is not your first language, right?

You have a problem with your Linux PC.
You will need to see where the problem is.

For some problems it is easy to find a solution.
For other problems it is not, because it is not easy to see what exactly causes a problem.

I don't know what else to say to get this message through to you, so: if you want to fix it, read my first post again.
If you do not want to fix it, format the hard drive(s) and install Linux again. Fixing your current installation is NOT going to fix things in the long run.
I understand that you are warning me about my server that it has been hacked.
I just want to double confirm before going ahead and also want to find out how someone got in, because if he has done it once, he can do it again and I cannot afford that.

I am very much grateful for your help ...

I am trying my best to find the loopholes of my current system so that I can avoid it in the next installation.

Please tell me clearly if you 100% think that I have been hacked by someone.

Thanks again
 
Old 07-17-2003, 09:10 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally posted by huzz
I understand that you are warning me about my server that it has been hacked.
I just want to double confirm before going ahead and also want to find out how someone got in, because if he has done it once, he can do it again and I cannot afford that.

I don't know what did it, but I am glad to find I finally got through to you... I will help you find out and harden your system. You will have to read carefully, make some decisions, perform tasks and provide answers. Without doing the tasks properly and answering in full, it will be of no use and only waste your and my time.


Quote:
Originally posted by huzz
I am trying my best to find the loopholes of my current system so that I can avoid it in the next installation.
We'll get to that.

Quote:
Originally posted by huzz
Please tell me clearly if you 100% think that I have been hacked by someone.
No, that is what your "evidence" will tell me. I'll help you determine it, showing you ways to find out.

---
The main part starts here:
Decision #1.
Decide if you want to find out how the intruder got in. To help you decide if it can produce any usable results, ask yourself these questions and post the answers (be honest, please, covering up administration mistakes will waste time) chronologically, clearly and IN FULL:
1a. On what date (yyyy/mm/dd) did you find "weird" lines in the logfiles, abnormal system behaviour, or were you alerted something was wrong?
1b. What actions did you take then?
1c. Did that, or does it still continue?
1d. Was the system rebooted?
1e. Was there system or user software removed, upgraded or installed on or after that date?
1f. Was a backup made on or after that date?
1g. Was a backup restored on or after that date?
1h. Was there any system auditing done on or after that date?
1i. Is the system still in use?
1j. If the system is not in use, was it shut down cleanly, and on what date?

Decision #2.
Decide if you have the time to find out how the intruder got in. Under Linux there is no single, user-friendly way to retrieve the details of an attack, especially if a system was kept in use after the (possible) compromise. And even if information was preserved it depends on the state and usage of the system at the time, the way the compromise was done and the expertise to interpret the remains. No guarantee is possible. Also, if filesystems other than Ext2 or Ext3 were used, skip and proceed to formatting.
To give you an indication of time per GB diskspace from "dd" to undeleted "results" using T.C.T, TCT-utils and TASK: roughly between 4 and 8 hours. This is excluding interpreting what you will find.
There can be workarounds, but the effectiveness of those depends on you answering the questions.

* If the answer to 1b contained any actions mentioned under e, g or i, consider much if not all "evidence" gone: proceed to formatting.
* If the time between finding "weird" system behaviour and the "dd" backup is more than one day, and the system is in use, consider much if not all "evidence" gone: proceed to formatting.
! If the answer to 1f is "yes", take that backup out of the backup sequence, mark it "DO NOT USE" and store it in a place where no one can actually rewrite it or use it. If it was a full backup it may come in handy.


Again, these questions are necessary.
Please answer them correctly and we'll decide what to do in your situation.

Last edited by unSpawn; 07-17-2003 at 09:14 AM.
 
Old 07-20-2003, 03:32 PM   #15
GBunny
LQ Newbie
 
Registered: Jul 2003
Posts: 1

Rep: Reputation: 0
Sounds like the JAC virus, seems to be getting popular! See http://securityresponse.symantec.com....jac.8759.html and see http://packetstormsecurity.nl/trojans/vaccine.c for a ready-made fix!
 
  

