I opened my log by

tail -f /var/log/messages

and i get the following output

Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c


Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c

this keeps executing every 15 seconds

and when i open the following log

tail -f /var/log/secure

i get

Mar 25 15:04:44 localhost sshd[26788]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:44 localhost sshd[26788]: fatal: Cannot bind any address.
Mar 25 15:04:44 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:44 localhost usermod[26807]: change user `newuser' GID from `0' to `0'


Mar 25 15:04:59 localhost sshd[26826]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:59 localhost sshd[26826]: fatal: Cannot bind any address.
Mar 25 15:04:59 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:59 localhost usermod[26845]: change user `newuser' GID from `0' to `0'


again keeps executing every 15 seconds
A newuser is being created, my /etc/hosts.deny file is getting emptied

some script has been written and i am not able to trace the script.
please anybody could help me trace the script


thanks in advance

Ok...so did you run the "sealert -l" command, as was given to you by the system?? What did it say?
We can try, but you need to tell us what you've done already..how have you tried to 'trace' the script? What have you looked at already? Version/distro of Linux? Is this server internet-facing? DMZ? Internal? How long has this been happening? What has changed recently? ANY details at all????

Basics would be for you to check cron for ALL your users, and the /etc/cron* directories for any entries there. Look for scripts that are sleeping, and look into them. Check SELinux (as your system TOLD you to). Check your /etc/passwd file for any suspicious new users, and remove them, along with their /etc/shadow entries (make BACKUPS first). There are LOTS of other steps to take, depending on your environment, but without details, we can't guess.

1 members found this post helpful.

Atually some other user got into my workstation while i was away and wrote a script and has kept it somewhere that keeps triggering itself every 15 seconds. He is creating a 'newuser' with password as 'newuser' every 15 seconds, the services sshd, network gets restarted and iptables is getting stopped. Also my entries in /etc/hosts.deny is flushed. Apparently he wants access to my workstation via ssh. He also used the ssh-copy-id so that he can access without password, but since i have disabled it in /etc/ssh/sshd_config he cannot access with the copied key. but the newuser he creates gets the root privileges as it also changes its uid and gid to '0'.
I checked all the cron i know from 'crontab -e' to /etc/cron* also i think cron can executed at every iterval of minimum 1 minute, what can make the script run every 15 seconds? perhaps that would help me find where that script resides.
Am using RHEL 5.5

Ok..AGAIN

• Have you run the "sealert -l" command, as was given to you by the system??
• What did it say?
• Check cron for ALL your users.
• Check the /etc/cron* directories for any entries there.
• Look for scripts that are sleeping, and look into them.

Have you done any of these things, as they were suggested to you previously?? If you want to check things with no chance of the other user having access, then unplug your network line. Disable the SSH SERVER on your workstation, along with any other services you can. Get IP and MAC addresses from your system logs.

And most importantly, if this is your work machine, go tell your boss this happened, and tell them who did it. Problem solved.

[*] I tried sealert -l which gave
[*] I checked the cron (All in /etc/cron* and crontab -e for root and newuser) there are no entries in it. Moreover as per my knowledge cron has a minimum interval of atleast 1 min. If there is any method to make a cron entry in seconds please tell that too.
[*]How to check for sleeping scripts? Please help me am new to this.
[*]Here we are in training. So i can solve this once and for all by reinstalling the RHEL 5.5. But its not the solution for this. I have disabled the ssh service but then the script starts it again. Instead of complaining to the manager i wud rather prefer to solve it. its rather learning pachine than work machine.

Use top and watch for the script, it'll be fairly obvious. Note that you can write your own daemon to run as often as you want (at least down to every second).

Check top by user
Daemon init
& basic (pseudo) code content

2 members found this post helpful.

Ok, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.
You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.
You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.
Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.

1 members found this post helpful.

In ps -el I searched for the PID it is giving but its not there, instead the next PID is sleep (i.e if pid=3756 with sealert then in ps -el there is no such pid but the pid=3757 is for sleep process, the parent process for sleep is clock.
clock command determines the processor time. So how can i find what scripts are written for that particular interval?

Thanks TB0ne for suggesting me to look into sealert -l command, I got the PID from it.
But then that PID was not found in ps -el, instead its next PID was "sleep"
so i wrote a script that had an infinite loop and gave ps -el as standard output to a file command associated with that PID. it was named "clock".

Apparantly the script was written inside the script file named "clock" so i searched for the file named "clock" using "find" command, and there i got the script consisting of restarting of sshd, creating a new root user, clearing the hosts.deny etc.

this script was running in background as

Thanks for your support.. cheerz...