LinuxQuestions.org
Old 06-19-2007, 01:26 AM   #1
weblink_dipti
LQ Newbie
 
Registered: Jun 2007
Posts: 10

Rep: Reputation: 0
/bin/ps ownership cannot be changed!


Hi All,

I noticed today that the ownership of the /bin/ps and /bin/ls files on my server has changed from root to some new user (which has not even been created on the system).

I am currently logged in as root, and when I tried to change the ownership back with the following command:
# chown root:root /bin/ps

It said:
chown: changing ownership of `/bin/ps': Operation not permitted

But why does "root" not have permission to change the ownership!! How can I resolve this problem? Please help.
 
Old 06-19-2007, 02:26 AM   #2
wjevans_7d1@yahoo.co
Member
 
Registered: Jun 2006
Location: Mariposa
Distribution: Slackware 9.1
Posts: 938

Rep: Reputation: 30
Please post in this thread what you get when you enter this command at the shell prompt:

Code:
ls -lad / /bin /bin/ps
(Note that there are four (4) spaces in that command.)
 
Old 06-20-2007, 01:01 AM   #3
weblink_dipti
LQ Newbie
 
Registered: Jun 2007
Posts: 10

Original Poster
Rep: Reputation: 0
Hi,

# ls -lad / /bin /bin/ps

Output is:
---------
drwxr-xr-x 23 root root 4096 Jun 6 00:38 /
drwxr-xr-x 2 root root 4096 Jun 20 04:09 /bin
-rwxr-xr-x 1 placem placem 62920 Jan 27 2005 /bin/ps


Thank you.
 
Old 06-20-2007, 08:44 AM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
Well, on my FC6 system I get

drwxr-xr-x 23 root root 4096 Jun 20 19:49 /
drwxr-xr-x 2 root root 4096 Jun 20 21:52 /bin
-r-xr-xr-x 1 root root 79388 May 4 22:00 /bin/ps

which is what I'd expect.
Note ps is NOT writeable.
If you cannot account for the placem user & group, I'd suggest you've been rooted.
Re-install is the only safe option ... see Security Forum for more info.
 
Old 06-20-2007, 09:37 AM   #5
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 729
On my system (Mepis65), all the files in /bin are -rwxr-xr-x, and I can change ownership if running as root.

I have seen posts before where root was not allowed to do chown, but I've never seen a definitive answer.

Try:
chown -R root /bin
That should change /bin and everything inside
 
Old 06-21-2007, 01:30 AM   #6
weblink_dipti
LQ Newbie
 
Registered: Jun 2007
Posts: 10

Original Poster
Rep: Reputation: 0
Well, I even tried by
#chown -R root /bin

but to get the same output again:
chown: changing ownership of `/bin/ps': Operation not permitted.

Is there a way by which I can re-install my "ps" command again? If so, please guide me how?
 
Old 06-21-2007, 01:50 AM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Look at lsattr /bin/ps.

It does look like you have a rootkit on your system. I bet that if you compare this /bin/ps with the one from the package, there is a difference. You really need to reinstall because you don't know what else was altered. Fortunately, the hacker was very sloppy. There was no reason to change the ownership of /bin/ps.

A hacked /bin/ps program will hide the processes that the hacker has running. Other programs like ls, or even the kernel module that reads the filesystem, may also be hacked to hide the hacker's files. You will need to examine the filesystem offline (running off a CD-ROM boot disk) to see them.
 
Old 06-22-2007, 01:07 AM   #8
weblink_dipti
LQ Newbie
 
Registered: Jun 2007
Posts: 10

Original Poster
Rep: Reputation: 0
Yes, you are right! When I tried #lsattr /bin/ps, I found that some attributes of my file had been changed, which were not allowing me to change the ownership of the file.

After running the 'chattr' command and resetting the attributes, I was able to change the ownership of my file.

So, this solves my problem. Thank you for your help
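
Worked example (added here by the editor, not code from any post in this thread): why root's chown fails, and how to find every file locked the same way. ext2/3/4 inode attributes are checked independently of ownership and mode: a file carrying the immutable (i) bit refuses chown, chmod, unlink and writes even for root until the bit is cleared with chattr, which needs CAP_LINUX_IMMUTABLE, and a rootkit sets it on its trojaned binaries so they survive chown, rm and package upgrades. The script parses lsattr output and reports files carrying i or a. The lsattr lines it runs on are constructed sample data, and the directory list behind `--live` is an assumption about where to look on a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: report files whose ext2/3/4
# attributes include immutable (i) or append-only (a). Both are enforced
# against root; only chattr (CAP_LINUX_IMMUTABLE) can clear them.
#
# Reads `lsattr` output ("<flags> <path>" per line) on stdin. Works with the
# old 13-character and the newer 16-character flag strings.
locked_attrs() {
    awk '
    NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
        flags = $1
        path  = $0
        sub(/^[^ ]+[ ]+/, "", path)          # everything after the flags column
        tag = ""
        if (flags ~ /i/) tag = "immutable"
        if (flags ~ /a/) tag = (tag == "") ? "append-only" : tag ",append-only"
        if (tag != "") printf "%s %s\n", path, tag
    }'
}

# Constructed sample lsattr output (hypothetical): /bin/ps as an attacker would
# leave it, /var/log/secure as an admin might legitimately set it.
sample_lsattr='-------------e-- /bin/ls
----i--------e-- /bin/ps
-----a-------e-- /var/log/secure
-------------e-- /sbin/ifconfig'

if [ "${1:-}" = "--live" ]; then
    # Assumed directory list: the places a rootkit usually touches. Run this
    # from rescue media with the victim disk mounted read-only, not from the
    # running (possibly trojaned) system. lsattr/chattr ship with e2fsprogs.
    lsattr -d /bin/* /sbin/* /usr/bin/* /usr/sbin/* 2>/dev/null | locked_attrs
    # Clearing the bit (chattr -i /bin/ps) makes chown work again, but only do
    # that on a copy kept for evidence; the binary itself is still trojaned.
else
    printf '%s\n' "$sample_lsattr" | locked_attrs
fi
```

Run it with no arguments to see the parser on the sample, or `sh locked.sh --live` on a mounted image. Any system binary it lists that you did not lock yourself is a rootkit artifact, regardless of whether chown succeeds afterwards.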
 
Old 06-22-2007, 06:33 AM   #9
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Don't stop there please!

You need to check if the ps command has been altered. You should check others as well. Look at running rkhunter and chkrootkit. They will examine the fingerprints of commands like ps and ls. Also, validate the installed packages. For an rpm based system you could run "rpm -qa -V" to validate all of the packages installed by rpm. There will be some config files listed which will be OK. But binaries and library files should not have been altered.

The reason that I am concerned is because a hacker will want to hide their files and their running process from you by altering the commands that are used to look at them, like ls, ps, top, etc. Do you remember the Sony rootkit? They hid any file or process beginning with "$sys$". Even viruses (or is the word viri) using this file name pattern would be hidden from the system.

Also check out who placem is. Did you say that you didn't create that account? Well, for placem to show up as the owner, they need an entry in /etc/passwd and /etc/shadow. In other words, if there shouldn't be a placem user, that is a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time. It would be a good idea to scan the logs and try to find indications of where the compromise came from. A hacker might have altered the logs, however.
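
Worked example (added here by the editor, not code from any post in this thread): triaging the package verification the post above recommends. `rpm -Va` prints one line per file that differs from the package database, with a test string in the first column (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, and P capabilities as a ninth column on newer rpm) and, where it applies, a file-type column (c for config). Edited config files are expected; a changed digest, mode, owner or group on a binary or library, or a missing file, is not. The rpm output below is constructed sample data modelled on the OP's case, and the `--root` path in the comments is an assumed mount point.

```shell
#!/bin/sh
# Added example, not code from the thread: classify `rpm -Va` lines so the
# expected noise (local config edits, mtime-only changes) does not bury the
# altered binaries a rootkit leaves behind.
rpm_verify_triage() {
    awk '
    NF >= 2 {
        flags = $1
        rest  = $0
        sub(/^[^ ]+[ ]+/, "", rest)                  # drop the test-string column
        marker = ""
        if (rest ~ /^[cdglr] /) {                    # file-type column, if present
            marker = substr(rest, 1, 1)
            sub(/^[cdglr][ ]+/, "", rest)
        }
        path = rest
        if (flags == "missing")          sev = "ALERT"  # file deleted or renamed
        else if (marker == "c")          sev = "info"   # local config edits
        else if (flags ~ /[SM5DLUG]/)    sev = "ALERT"  # content/mode/owner changed
        else                             sev = "info"   # mtime-only and similar
        printf "%s\t%s\t%s\n", sev, path, flags
    }'
}

# Only the paths that need a look, one per line.
rpm_verify_alerts() {
    rpm_verify_triage | awk -F '\t' '$1 == "ALERT" { print $2 }'
}

# Constructed sample of rpm -Va output (hypothetical): ps replaced, ls with
# changed owner and group, ifconfig gone, plus the usual benign noise.
sample_rpm_verify='S.5....T.    /bin/ps
.....UG..    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/procps/README
missing      /sbin/ifconfig'

if [ "${1:-}" = "--live" ]; then
    # The host's rpm binary and database cannot be trusted once it is rooted.
    # Prefer rescue media with the victim disk mounted, e.g.
    #   rpm -Va --root /mnt/victim | rpm_verify_triage
    # and keep in mind the database under that root may have been edited too.
    rpm -Va 2>/dev/null | rpm_verify_triage
else
    printf '%s\n' "$sample_rpm_verify" | rpm_verify_triage
fi
```

Run with no arguments to see the classifier on the sample; `rpm_verify_alerts` gives the short list to compare against what rkhunter and chkrootkit report. A clean `rpm -Va` proves nothing on its own, since the attacker can also rewrite the database, so treat the ALERT list as a floor, not a complete inventory.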
 
Old 06-22-2007, 07:12 AM   #10
wjevans_7d1@yahoo.co
Member
 
Registered: Jun 2006
Location: Mariposa
Distribution: Slackware 9.1
Posts: 938

Rep: Reputation: 30
THIS IS VERY IMPORTANT (I don't use all upper case very often.)

Quoth weblink_dipti:

Quote:
the ownership of /bin/ps , /bin/ls files on my server have changed to some new user (which is not even created in the system)
Oh yes, indeedy, that new user has been created on the system, or you would not have seen it. It's just that you have not created that new user. Someone else has.

Quoth jschiwal:

Quote:
if there shouldn't be a placem user, that is a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time.
What he said. Reinstallation is necessary. Postponing this is like postponing a root canal, or postponing the treatment of suspected cancer. The longer you wait, the more painful it will be.

Do it. Please.
 
Old 06-23-2007, 02:16 AM   #11
weblink_dipti
LQ Newbie
 
Registered: Jun 2007
Posts: 10

Original Poster
Rep: Reputation: 0
Thank you all for your great advice.

I tested my system with chkrootkit and rkhunter and found some commands reported as bad (but I am able to run these commands), like
/bin/ls [ BAD ]
/bin/ps [ BAD ]
/sbin/ifconfig [ BAD ]
/usr/bin/pstree [ BAD ]

and it also gave:
Rootkit 'SHV5 [ Warning! ]

Can you please help me get out of this problem? Is there a way I can fix these commands instead of doing a reinstall?

Last edited by weblink_dipti; 06-23-2007 at 03:41 AM.
 
Old 06-23-2007, 09:04 AM   #12
wjevans_7d1@yahoo.co
Member
 
Registered: Jun 2006
Location: Mariposa
Distribution: Slackware 9.1
Posts: 938

Rep: Reputation: 30
These commands are not the primary wrong thing with your system. They are there only to hide that wrong thing.

Aspirin won't get you out of doing the root canal.

Do the root canal.
 
Old 06-23-2007, 09:42 AM   #13
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,038

Rep: Reputation: 373
weblink_dipti,

You do not seem to understand the advice you are being given.

Somebody has hacked into your computer. They "own" it. Your computer is probably spewing spam and pron and money-laundering all over the internet. You are in big trouble. Even if your computer appears to be working normally, it is not.

You must disconnect it from the internet NOW (or do you want to find the police knocking at your door?).
Rescue only your data files. No configuration files at all. No program files at all.

Reinstall from the beginning. And harden your security.
 
Old 06-23-2007, 03:35 PM   #14
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,165

Rep: Reputation: 330
Agreed that a full system wipe and reinstall as suggested by tredegar is the only solution for your problem. You should read this thread in the security forum for a lot of links to security resources. I also suggest the CERT guide for responding to intrusions.

Please take this seriously -- your computer can be used by the attacker as a spam/malware bot or used to break into other systems. Please disconnect it and do a safe reinstall immediately.
 
Old 06-23-2007, 05:20 PM   #15
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,038

Rep: Reputation: 373
@ btmiller,

Thank you.

weblink_dipti has been well advised (by many others) as to what to do, but isn't listening. See his post (of today):

http://www.linuxquestions.org/questi...d.php?t=562205

"You can lead a horse to water but you can't make it drink"

Sigh.
 