Old 01-16-2012, 04:35 AM   #1
LQ Newbie
Registered: Jun 2010
Posts: 1
All files wiped in /tmp & permissions changed

Hi all
I had a call from a technician on a remote site with a Linux server (Red Hat ES 5.3) for which I assist with technical help.

What has happened, for no apparent reason, is that the entire /tmp directory was cleaned out (all files deleted) and the file permissions of /tmp were changed so that only root could write to it. Similarly, at the same time a number of subdirectories in /var also disappeared.

To make things worse, the affected machine won't let me make an ssh connection and GDM does not work either, so my only way to see what's going on is to ask the local technician to type command line commands and tell me the results over the phone. (The site is 1500 km away from me!)

What on earth could do something like that? I would consider it unlikely that the local technician could have done it, even unknowingly.


Jan Smit

Last edited by FTJSmit; 01-16-2012 at 04:41 AM.
Old 01-16-2012, 06:05 AM   #2
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: rhel 5x,6.0,6.2, centOS 5x,6.0,6.2
Posts: 1,194
Blog Entries: 4
The first thing is you can ask your technician to enable ssh on the remote machine so that you yourself can have a look at the mess which has been done.

# netstat -ntlp | grep 22
# service sshd status

Then have a look at the logs:

# cat /var/log/messages
# dmesg    <---- if the system is restarted you might get something useful
Old 01-16-2012, 02:12 PM   #3
Senior Member
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,317
If it is a rootkit

If local utilities have been replaced, or an obfuscation module added to the kernel, you MAY not be able to tell what is happening for certain even AFTER you recover access (if you even can).

Restoring ssh access is one start. If that fails, you might have him boot up and grant access using a live-cd image, then get ssh access, mount the drive, and do forensics from there. Running something like ROOTKITHUNTER may help you detect the cause of your issue IF it is malware triggered.
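
A read-only triage sketch for the symptoms reported in this thread, added here as an example and not posted by any participant: it checks whether /tmp still has its normal mode (1777) and lists which common /var subdirectories are gone, either on the running system or on the suspect disk mounted from live media. The function names, the /mnt/sysimage mount point and the list of /var directories are assumptions.

```shell
#!/bin/sh
# Added example. ROOT is "/" on the running system, or the mount point of the
# suspect disk when booted from live media (assumed here: /mnt/sysimage).
# Everything below only reads metadata; nothing on the disk is modified.

# Print "mode owner" of a directory, e.g. "1777 root" (GNU stat).
dir_state() {
    stat -c '%a %U' "$1" 2>/dev/null
}

# Succeed only if ROOT/tmp is a real directory (not a symlink) with mode 1777.
# World-writable plus sticky bit is the normal state of /tmp.
tmp_mode_ok() {
    t="$1/tmp"
    [ -d "$t" ] && [ ! -L "$t" ] || return 1
    [ "$(stat -c '%a' "$t")" = "1777" ]
}

# Print each expected /var subdirectory that is absent under ROOT.
# The list is an assumption (common FHS directories), not taken from the thread.
missing_var_dirs() {
    for d in cache lib lock log run spool tmp; do
        [ -d "$1/var/$d" ] || echo "/var/$d"
    done
}

# Short report the on-site technician can read out over the phone.
triage() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root/tmp" is "/tmp"
    echo "== /tmp state (expected: 1777 root) =="
    dir_state "$root/tmp" || echo "missing"
    tmp_mode_ok "$root" || echo "WARNING: /tmp is not mode 1777"
    echo "== missing /var subdirectories =="
    missing_var_dirs "$root"
    echo "== most recently changed entries in /var =="
    ls -lct "$root/var" 2>/dev/null | head -n 10
}

# Run as: sh triage.sh --run /mnt/sysimage   (or: sh triage.sh --run /)
if [ "${1:-}" = "--run" ]; then
    triage "${2:-/}"
fi
```

Running it against the disk mounted from live media avoids relying on the installed system's own utilities, which is the concern raised in post #3.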

