Distribution: RedHat Enterprise Linux Server Edition 5.5
cannot trace the script
I opened my log with
tail -f /var/log/messages
and I get the following output:
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
Mar 25 15:03:28 localhost setroubleshoot: SELinux is preventing nscd (nscd_t) "connectto" to /var/run/setrans/.setrans-unix (init_t). For complete SELinux messages. run sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
This keeps executing every 15 seconds.
And when I open the following log
tail -f /var/log/secure
I get:
Mar 25 15:04:44 localhost sshd[26788]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:44 localhost sshd[26788]: fatal: Cannot bind any address.
Mar 25 15:04:44 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:44 localhost usermod[26807]: change user `newuser' GID from `0' to `0'
Mar 25 15:04:59 localhost sshd[26826]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:59 localhost sshd[26826]: fatal: Cannot bind any address.
Mar 25 15:04:59 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:59 localhost usermod[26845]: change user `newuser' GID from `0' to `0'
Again, this keeps executing every 15 seconds.
A newuser is being created, and my /etc/hosts.deny file is getting emptied.
Some script has been written and I am not able to trace it.
Could anybody please help me trace the script?
Quote:
Mar 25 15:03:13 localhost setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/root/null). For complete SELinux messages. run sealert -l d8ca4a3a-f5ff-4639-bba0-61cf598e2b93
This keeps executing every 15 seconds.
OK... so did you run the "sealert -l" command, as was given to you by the system? What did it say?
Quote:
and when i open the following log
tail -f /var/log/secure
i get
Code:
Mar 25 15:04:44 localhost sshd[26788]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Mar 25 15:04:44 localhost sshd[26788]: fatal: Cannot bind any address.
Mar 25 15:04:44 localhost passwd: pam_unix(passwd:chauthtok): password changed for newuser
Mar 25 15:04:44 localhost usermod[26807]: change user `newuser' GID from `0' to `0'
Again, this keeps executing every 15 seconds. A newuser is being created, my /etc/hosts.deny file is getting emptied, some script has been written and I am not able to trace the script. Could anybody please help me trace the script?
We can try, but you need to tell us what you've done already. How have you tried to 'trace' the script? What have you looked at already? Version/distro of Linux? Is this server internet-facing? DMZ? Internal? How long has this been happening? What has changed recently? ANY details at all?
Basics would be for you to check cron for ALL your users, and the /etc/cron* directories for any entries there. Look for scripts that are sleeping, and look into them. Check SELinux (as your system TOLD you to). Check your /etc/passwd file for any suspicious new users, and remove them, along with their /etc/shadow entries (make BACKUPS first). There are LOTS of other steps to take, depending on your environment, but without details, we can't guess.
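The two checks TB0ne calls "basics", written out as an added example (editor-supplied, not code from the thread) for a RHEL 5-era host: list the accounts that have been handed UID 0 or GID 0 (the thread's "newuser"), and print every active line of every file cron reads, so a one-minute job that relaunches a sleeping loop cannot hide among comments. The sample passwd and crontab contents are constructed, and the "/tmp/.x/clock" path inside the sample crontab is hypothetical.

```sh
#!/bin/sh
# Editor-added example, not code from the thread. Two checks a responder
# would run on the compromised RHEL 5.5 box: accounts with UID/GID 0, and
# an audit of every cron source. Sample data below is constructed.

# Accounts other than root whose UID or GID is 0, from a passwd-format file.
# Takes the file as an argument so it works on /etc/passwd or on a copy.
uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }' "$1"
}

# Every file cron(8)/anacron reads on RHEL 5: the system crontabs, the
# drop-in and periodic directories, and the per-user spool (root-only).
cron_sources() {
    printf '%s\n' /etc/crontab /etc/anacrontab
    for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily \
             /etc/cron.weekly /etc/cron.monthly /var/spool/cron; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null || true
    done
    return 0
}

# Print each non-blank, non-comment line of the given crontab files, prefixed
# with the file name. With no arguments, audit everything cron_sources lists.
audit_cron() {
    [ $# -gt 0 ] || set -- $(cron_sources)   # cron paths contain no spaces
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*(#|$)/ { print f ": " $0 }' "$f"
    done
    return 0
}

# Constructed sample data (not from the compromised host): a passwd file with
# a UID-0 "newuser" and a GID-0 "helper", and a crontab that relaunches a
# looping script every minute, the pattern TB0ne describes for sub-minute
# execution. The /tmp/.x/clock path is hypothetical.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
    SAMPLE_CRON="$SAMPLE_DIR/crontab"
    cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
newuser:x:0:0::/home/newuser:/bin/bash
helper:x:501:0::/home/helper:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
EOF
    cat > "$SAMPLE_CRON" <<'EOF'
# hypothetical crontab: restart the loop if it died, every minute
SHELL=/bin/sh
* * * * * pgrep -f /tmp/.x/clock >/dev/null || /tmp/.x/clock
EOF
}

cleanup_samples() {
    rm -rf "$SAMPLE_DIR"
}

# Stand-alone demonstration on the constructed files.
make_samples
echo "accounts with UID 0 or GID 0 besides root:"
uid0_accounts "$SAMPLE_PASSWD"
echo "active cron lines:"
audit_cron "$SAMPLE_CRON"
cleanup_samples
```

On the live machine run it as root and call audit_cron with no arguments, since /var/spool/cron is unreadable otherwise; uid0_accounts /etc/passwd is the quick way to confirm whether "newuser" still has UID 0 between runs of the loop. A cron line that only relaunches a script "if it is not already running" looks harmless but is exactly how a 15-second cadence can come out of a one-minute scheduler, so read the target of every such line.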
Original Poster
Quote:
Originally Posted by TB0ne
OK... so did you run the "sealert -l" command, as was given to you by the system? What did it say?
We can try, but you need to tell us what you've done already. How have you tried to 'trace' the script? What have you looked at already? Version/distro of Linux? Is this server internet-facing? DMZ? Internal? How long has this been happening? What has changed recently? ANY details at all?
Basics would be for you to check cron for ALL your users, and the /etc/cron* directories for any entries there. Look for scripts that are sleeping, and look into them. Check SELinux (as your system TOLD you to). Check your /etc/passwd file for any suspicious new users, and remove them, along with their /etc/shadow entries (make BACKUPS first). There are LOTS of other steps to take, depending on your environment, but without details, we can't guess.
Actually, some other user got into my workstation while I was away and wrote a script, and has kept it somewhere that keeps triggering itself every 15 seconds. He is creating a 'newuser' with password 'newuser' every 15 seconds, the sshd and network services get restarted, and iptables is getting stopped. Also my entries in /etc/hosts.deny are flushed. Apparently he wants access to my workstation via ssh. He also used ssh-copy-id so that he can access it without a password, but since I have disabled that in /etc/ssh/sshd_config he cannot access it with the copied key. But the newuser he creates gets root privileges, as it also changes its uid and gid to '0'.
I checked all the cron locations I know, from 'crontab -e' to /etc/cron*. Also, I think cron can execute at a minimum interval of 1 minute, so what can make the script run every 15 seconds? Perhaps that would help me find where that script resides.
I am using RHEL 5.5.
OK... AGAIN:
Have you run the "sealert -l" command, as was given to you by the system?
What did it say?
Check cron for ALL your users.
Check the /etc/cron* directories for any entries there.
Look for scripts that are sleeping, and look into them.
Have you done any of these things, as they were suggested to you previously? If you want to check things with no chance of the other user having access, then unplug your network line. Disable the SSH SERVER on your workstation, along with any other services you can. Get IP and MAC addresses from your system logs.
And most importantly, if this is your work machine, go tell your boss this happened, and tell them who did it. Problem solved.
Original Poster
Quote:
Originally Posted by TB0ne
OK... AGAIN:
Have you run the "sealert -l" command, as was given to you by the system?
What did it say?
Check cron for ALL your users.
Check the /etc/cron* directories for any entries there.
Look for scripts that are sleeping, and look into them.
Have you done any of these things, as they were suggested to you previously? If you want to check things with no chance of the other user having access, then unplug your network line. Disable the SSH SERVER on your workstation, along with any other services you can. Get IP and MAC addresses from your system logs.
And most importantly, if this is your work machine, go tell your boss this happened, and tell them who did it. Problem solved.
- I tried sealert -l, which gave:
Quote:
# sealert -l 2e99925e-bc2e-4649-a547-058996e1da8c
Summary:
SELinux is preventing nscd (nscd_t) "connectto" to
/var/run/setrans/.setrans-unix (init_t).
Detailed Description:
SELinux denied access requested by nscd. It is not expected that this access is
required by nscd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
- I checked cron (all of /etc/cron* and crontab -e for root and newuser); there are no entries in it. Moreover, as far as I know, cron has a minimum interval of at least 1 minute. If there is any method to make a cron entry in seconds, please tell me that too.
- How do I check for sleeping scripts? Please help me, I am new to this.
- We are in training here, so I could solve this once and for all by reinstalling RHEL 5.5, but that is not the solution. I have disabled the ssh service, but then the script starts it again. Instead of complaining to the manager I would rather solve it; it is a learning machine rather than a work machine.
Use top and watch for the script; it'll be fairly obvious. Note that you can write your own daemon to run as often as you want (at least down to every second).
Check top by user
Code:
top -u <user>
Daemon init
Code:
nohup mydaemon &
and basic (pseudo) code content
Code:
while : # i.e. forever
do
    do_process # placeholder for whatever work the daemon does
    sleep 15 # seconds
done
OK, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.
Quote:
- I checked cron (all of /etc/cron* and crontab -e for root and newuser); there are no entries in it. Moreover, as far as I know, cron has a minimum interval of at least 1 minute. If there is any method to make a cron entry in seconds, please tell me that too.
You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.
Quote:
- How do I check for sleeping scripts? Please help me, I am new to this.
You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.
Quote:
- We are in training here, so I could solve this once and for all by reinstalling RHEL 5.5, but that is not the solution. I have disabled the ssh service, but then the script starts it again. Instead of complaining to the manager I would rather solve it; it is a learning machine rather than a work machine.
Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.
Original Poster
Quote:
Originally Posted by TB0ne
OK, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.
You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.
You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.
Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.
In ps -el I searched for the PID it is giving, but it's not there; instead the next PID is sleep (i.e. if sealert gives pid=3756, then in ps -el there is no such PID, but pid=3757 is a sleep process). The parent process of sleep is clock.
The clock command determines the processor time. So how can I find what scripts are written for that particular interval?
Original Poster
Quote:
Originally Posted by TB0ne
OK, it gave you a PID of "pid=3756". What is that PID? Run "ps -ef | grep 3756" to find out.
You put a sleep statement in your script, and have cron execute it whenever. If the script fires up and it's already running, then you don't run a fresh copy. If it ISN'T running, fire up.
You look at the running processes, using either top or "ps -ef". I'd run the "ps -ef", and look at the results.
Spell out your words. And if you're in training, wouldn't it be best to ask questions and LEARN?? That's what a training class is for. And if you don't want SSH to start, then you can remove/rename the sshd_config file, which will cause the sshd service to abort on startup. And AGAIN, you can unplug the network line while you diagnose this, since if it's a REMOTE exploit, it's happening over the network.
Thanks TB0ne for suggesting I look into the sealert -l command; I got the PID from it.
But then that PID was not found in ps -el; instead, the next PID was "sleep".
So I wrote a script with an infinite loop that wrote the output of ps -el to a file, and the command associated with that PID was named "clock".
Apparently the script was written inside the script file named "clock", so I searched for the file named "clock" using the "find" command, and there I got the script, consisting of restarting sshd, creating a new root user, clearing hosts.deny, etc.
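What the original poster eventually did by hand, automated as an added example (editor-supplied, not code from the thread). A loop that acts every 15 seconds spends almost all of its life inside sleep, so instead of chasing a PID that has already exited: list the sleep processes, take each one's parent, and print the parent's command line, executable and working directory. It covers both the "look at the running processes with ps -ef" advice above and the final parent-of-sleep trick. The "clock" loop it starts is a constructed stand-in for the thread's script, written into a mktemp directory so the finder has a target offline; the /proc and ps usage is standard Linux, nothing from the compromised host is assumed.

```sh
#!/bin/sh
# Editor-added example, not the thread's own code. Find the script behind
# every running `sleep` by walking to its parent. The demo "clock" loop is
# a constructed stand-in for the one in the thread.

# pid ppid comm for every process: from /proc on Linux, else from ps(1).
list_procs() {
    if [ -r /proc/self/stat ]; then
        for s in /proc/[0-9]*/stat; do
            read -r line < "$s" 2>/dev/null || continue
            pid=${line%% *}
            comm=${line#*(}; comm=${comm%)*}   # comm sits inside the last ')'
            rest=${line##*) }; set -- $rest    # state ppid pgrp ...
            printf '%s %s %s\n' "$pid" "$2" "$comm"
        done
    else
        ps -eo pid=,ppid=,comm=
    fi
}

# Full argument vector of one pid (NUL-separated in /proc, so join with spaces).
proc_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"; echo
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# One tab-separated line per running sleep:
#   <sleep pid> <parent pid> <parent argv> <parent exe> <parent cwd>
# exe and cwd come from /proc symlinks and are empty where unreadable.
find_sleep_parents() {
    list_procs | while read -r pid ppid comm; do
        case "$comm" in sleep|*/sleep) ;; *) continue ;; esac
        args=$(proc_args "$ppid" || true)
        exe=$(readlink "/proc/$ppid/exe" 2>/dev/null || true)
        cwd=$(readlink "/proc/$ppid/cwd" 2>/dev/null || true)
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$ppid" "$args" "$exe" "$cwd"
    done
    return 0
}

# Constructed stand-in for the thread's "clock": loop forever, act, sleep 15.
# Started in the background so find_sleep_parents has something to find.
start_demo_daemon() {
    DEMO_DIR=$(mktemp -d)
    cat > "$DEMO_DIR/clock" <<'EOF'
#!/bin/sh
while :; do
    : "a real implant would add users, restart sshd and empty hosts.deny here"
    sleep 15
done
EOF
    sh "$DEMO_DIR/clock" &
    DEMO_PID=$!
    sleep 1    # let the loop fork its first sleep
}

# Kill the loop and its current sleep child together, reap, and clean up.
stop_demo_daemon() {
    kids=$(list_procs | awk -v p="$DEMO_PID" '$2 == p { print $1 }')
    kill "$DEMO_PID" $kids 2>/dev/null || true
    wait "$DEMO_PID" 2>/dev/null || true
    rm -rf "$DEMO_DIR"
}

# Stand-alone demonstration.
start_demo_daemon
echo "sleep pid, parent pid, parent argv, exe, cwd:"
find_sleep_parents
stop_demo_daemon
```

Run only find_sleep_parents on the live box (as root, so /proc/PID/exe and cwd of root-owned processes resolve). The third column gives the interpreter plus script path, which is what the "find" search for a file named clock eventually turned up; the cwd column matters when the script was launched with a relative path and argv alone does not say where it lives. A process that is its own grandparent in this output, or whose exe points at a deleted file, is worth a second look.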