LinuxQuestions.org
Old 01-16-2012, 05:35 AM   #1
FTJSmit
LQ Newbie
 
Registered: Jun 2010
Posts: 1
All files wiped in /tmp & permissions changed


Hi all
I had a call from a technician on a remote site with a Linux server (redhat ES 5.3) for which I assist with technical help.

What has happened, for no apparent reason, is that the entire /tmp directory was cleaned out (all files deleted) and the file permissions of /tmp were changed so that only root could write to it. Similarly, at the same time a number of subdirectories in /var also disappeared.

To make things worse, the affected machine won't let me make an ssh connection and GDM does not work either, so my only way to see what's going on is to ask the local technician to type commands at the command line and tell me the results over the phone (the site is 1500 km away from me!).

What on earth could do something like that? I would consider it unlikely that the local technician could have done it, even unknowingly.

Greetings

Jan Smit

 
Old 01-16-2012, 07:05 AM   #2
deep27ak
Senior Member
 
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,190
The first thing is that you can ask your technician to enable ssh on the remote machine so that you yourself can have a look at the mess that has been done.

Code:
# netstat -ntlp | grep 22
# service sshd status
Then have a look at the logs:

Code:
# cat /var/log/messages
# dmesg    <---- if the system has been restarted you might get something useful
 
Old 01-16-2012, 03:12 PM   #3
wpeckham
Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix
Posts: 832
If it is a rootkit

If local utilities have been replaced, or an obfuscation module added to the kernel, you MAY not be able to tell what is happening for certain even AFTER you recover access (if you even can).

Restoring ssh access is one start. If that fails, you might have him boot up and grant access using a live CD image, then get ssh access, mount the drive, and do forensics from there. Running something like ROOTKITHUNTER may help you detect the cause of your issue IF it is malware-triggered.
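The checks suggested in the two replies above (is sshd up, what do the logs and the system's own integrity data say, and can you trust the host's binaries at all) can be scripted so the on-site technician runs one file instead of reading output over the phone. The following POSIX sh helper is an added example, not code from any poster in this thread. It assumes a RHEL 5-era userland (net-tools netstat, GNU stat, rpm) and that, if the host is suspect, the disk is mounted read-only from a live CD and rpm is pointed at it with --root so the host's own, possibly replaced, rpm binary is never executed. The file names and function names are the example's own.

```shell
#!/bin/sh
# Added triage helper for the checks suggested in this thread; not code from
# any poster.  Assumes a RHEL 5-era userland: net-tools netstat, GNU stat, rpm.
# Run as root on the affected host, or from a live CD with the disk mounted
# read-only and passed as the mountpoint so rpm verifies THAT tree with
# --root instead of trusting the host's own (possibly replaced) rpm binary.

# Is sshd listening on TCP port 22?  Reads a `netstat -ntlp` listing on stdin,
# so it also works on output that was retyped from a phone call.
sshd_listening() {
    awk '$6 == "LISTEN" && $4 ~ /:22$/ { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# /tmp must be mode 1777 (sticky bit, world-writable).  Prints "ok" or
# "bad <mode>"; the thread reports /tmp came back writable only by root.
check_tmp_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    if [ "$mode" = 1777 ]; then
        echo ok
        return 0
    fi
    echo "bad $mode"
    return 1
}

# Filter `rpm -Va` output down to what matters for a suspected rootkit:
# system binaries/libraries whose MD5 digest no longer matches the package
# (flag "5" in the first column), plus anything reported "missing" (this is
# what the vanished /var subdirectories would show up as).  Timestamp-only
# changes ("T") and config files are ignored.
replaced_or_missing() {
    awk '$1 == "missing" { print $NF; next }
         $1 ~ /5/ && $NF ~ /^\/(bin|sbin|lib|lib64|usr\/(bin|sbin|lib|lib64|libexec))\// { print $NF }'
}

# Live run: `sh triage.sh --live [mountpoint]`.  With a mountpoint given, the
# rpm database and files under it are verified instead of the running system.
case "${1:-}" in
--live)
    root="${2:-/}"
    netstat -ntlp | sshd_listening && echo "sshd: listening on 22" \
                                    || echo "sshd: NOT listening"
    echo "/tmp: $(check_tmp_mode "$root/tmp")"
    echo "--- package files changed or missing (rpm -Va) ---"
    rpm --root "$root" -Va 2>/dev/null | replaced_or_missing
    ;;
esac
```

Interpreting a digest mismatch on /bin/ls, /bin/ps or /sbin/ifconfig is where wpeckham's warning applies: rpm -Va is only as honest as the rpm and libc it was run with, which is why the live CD plus --root path is the one to believe. A clean verify does not clear the box either, since a kernel module can hide files from every userland tool, but it narrows the question from "what on earth did this" to "which package, cron job or login touched /tmp and /var", which the log review in deep27ak's reply can then answer.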