drwxr-xr-x 23 root root 4096 Jun 20 19:49 /
drwxr-xr-x 2 root root 4096 Jun 20 21:52 /bin
-r-xr-xr-x 1 root root 79388 May 4 22:00 /bin/ps
which is what I'd expect.
Note ps is NOT writeable.
If you cannot account for the placem user & group, I'd suggest you've been rooted.
Re-install is the only safe option ... see Security Forum for more info.
It does look like you have a rootkit on your system. I bet that if you compare this /bin/ps with the one from the package, there is a difference. You really need to reinstall because you don't know what else was altered. Fortunately, the hacker was very sloppy. There was no reason to change the ownership of /bin/ps.
A hacked /bin/ps program will hide the processes that the hacker has running. Other programs like ls, or even the kernel module that reads the filesystem, may also be hacked to hide the hacker's files. You will need to examine the filesystem offline (running off a CD-ROM boot disk) to see them.
You need to check if the ps command has been altered. You should check others as well. Look at running rkhunter and chkrootkit. They will examine the fingerprints of commands like ps and ls. Also, validate the installed packages. For an rpm-based system you could run "rpm -qa -V" to validate all of the packages installed by rpm. There will be some config files listed which will be OK. But binaries and library files should not have been altered.
The reason that I am concerned is because a hacker will want to hide their files and their running process from you by altering the commands that are used to look at them, like ls, ps, top, etc. Do you remember the Sony rootkit? They hid any file or process beginning with "$sys$". Even viruses (or is the word viri) using this file name pattern would be hidden from the system.
Also check out who placem is. Did you say that you didn't create that account? Well, for placem to show up as the owner, they need an entry in /etc/passwd and /etc/shadow. In other words, if there shouldn't be a placem user, that is a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time. It would be a good idea to scan the logs and try to find out if there are indications where the compromise came from. A hacker might have altered the logs, however.
THIS IS VERY IMPORTANT (I don't use all upper case very often.)
the ownership of /bin/ps , /bin/ls files on my server have changed to some new user (which is not even created in the system)
Oh yes, indeedy, that new user has been created on the system, or you would not have seen it. It's just that you have not created that new user. Someone else has.
if there shouldn't be a placem user, that is a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time.
What he said. Reinstallation is necessary. Postponing this is like postponing a root canal, or postponing the treatment of suspected cancer. The longer you wait, the more painful it will be.
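The checks the posters above describe (does ps hide processes, who owns the core binaries, and is there a rogue account in /etc/passwd) written up as an added shell example; this is not code from the thread. It runs on constructed sample data that mimics the situation described (placem owning /bin/ps); the UID-0 placem entry and the world-writable netstat are made-up cases to exercise the checks. The commands you would actually feed it on a live box are noted in comments, with the usual caveat that a kernel-level rootkit can lie to /proc and ls just as a trojaned ps lies about processes, so the only trustworthy run is from a clean boot disk.

```shell
#!/bin/sh
# Added example: rootkit cross-checks on constructed sample input (not from the thread).

# 1. PIDs that /proc knows about but ps does not report. A user-space ps trojan
#    filters its own output; it cannot remove directories from /proc.
#    Real inputs:   ps -e -o pid=       and     ls /proc | grep -E '^[0-9]+$'
hidden_pids() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$1" | sort > "$tmp/ps"
    printf '%s\n' "$2" | sort > "$tmp/proc"
    # comm -13: lines only in the second file, i.e. present in /proc, absent from ps
    comm -13 "$tmp/ps" "$tmp/proc" | sort -n
    rm -rf "$tmp"
}

# 2. "ls -l" lines for core binaries whose owner or group is not root, or which
#    are group/world-writable. Field 1 is the mode string: position 6 is the
#    group write bit, position 9 the world write bit; the file name is the last field.
#    Real input:  ls -l /bin/ps /bin/ls /bin/netstat /usr/bin/top /bin/login
suspicious_binaries() {
    printf '%s\n' "$1" | awk '
        $3 != "root" || $4 != "root" ||
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" { print $NF }'
}

# 3. Accounts in /etc/passwd with UID 0 other than root. A second root-equivalent
#    login is a classic backdoor left by a sloppy intruder.
#    Real input:  cat /etc/passwd
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample data (hypothetical; modelled on the thread's situation).
SAMPLE_PS='1
2
10
200'
SAMPLE_PROC='1
2
10
200
999'
SAMPLE_LS='-r-xr-xr-x 1 placem placem 79388 May  4 22:00 /bin/ps
-rwxr-xr-x 1 placem placem 95140 May  4 22:00 /bin/ls
-rwxr-xr-x 1 root   root   35460 May  4 22:00 /bin/cat
-rwxrwxr-x 1 root   root   61232 May  4 22:00 /bin/netstat'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
placem:x:0:0::/:/bin/sh'

echo "PIDs in /proc but hidden from ps:"
hidden_pids "$SAMPLE_PS" "$SAMPLE_PROC"
echo "Binaries with bad ownership or write bits:"
suspicious_binaries "$SAMPLE_LS"
echo "Extra UID-0 accounts:"
extra_uid0 "$SAMPLE_PASSWD"
# On a package-managed system, also verify file checksums against the package
# database:  rpm -Va  (RPM)  or  debsums -c  (Debian, if the debsums package is installed).
```

Any hit from these three checks is exactly the "game over" signal the posters describe: a PID that ps cannot see, a root-owned binary that is no longer root-owned, or a second UID-0 login. None of them tells you what else was changed, which is why the answer stays "wipe and reinstall".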
You do not seem to understand the advice you are being given.
Somebody has hacked into your computer. They "own" it. Your computer is probably spewing spam and pron and money-laundering all over the internet. You are in big trouble. Even if your computer appears to be working normally, it is not.
You must disconnect it from the internet NOW (or do you want to find the police knocking at your door?).
Rescue only your data files. No configuration files at all. No program files at all.
Reinstall from the beginning. And harden your security.
Agreed that a full system wipe and reinstall as suggested by tredegar is the only solution for your problem. You should read this thread in the security forum for a lot of links to security resources. I also suggest the CERT guide for responding to intrusions.
Please take this seriously -- your computer can be used by the attacker as a spam/malware bot or used to break into other systems. Please disconnect it and do a safe reinstall immediately.