Hi All,

I noticed today that the ownership of /bin/ps , /bin/ls files on my server have changed to some new user (which is not even created in the system) from root.

I am currently logged in as root and when i tried to change the ownership again by the following command:
# chown root:root /bin/ps

It said:
chown: changing ownership of `/bin/ps': Operation not permitted

But why is "root" not having premission to change the ownership!! How can I resolve this problem? Please help.

Please post in this thread what you get when you enter this command at the shell prompt:

(Note that there are four (4) spaces in that command.)

Hi,

# ls -lad / /bin /bin/ps

Output is:
---------
drwxr-xr-x 23 root root 4096 Jun 6 00:38 /
drwxr-xr-x 2 root root 4096 Jun 20 04:09 /bin
-rwxr-xr-x 1 placem placem 62920 Jan 27 2005 /bin/ps


Thank you.

Well, on my FC6 system I get

drwxr-xr-x 23 root root 4096 Jun 20 19:49 /
drwxr-xr-x 2 root root 4096 Jun 20 21:52 /bin
-r-xr-xr-x 1 root root 79388 May 4 22:00 /bin/ps

which is what I'd expect.
Note ps is NOT writeable.
If you cannot account for the placem user & group, I'd suggest you've been rooted.
Re-install is the only safe option ... see Security Forum for more info.

On my system (Mepis65), all the files in /bin are -rwxr-xr-x, and I can change ownership if running as root.

I have seen posts before where root was not allowed to do chown, but I've never seen a definitive answer.

Try:
chown -R root /bin
That should change /bin and everything inside

Well, I even tried by
#chown -R root /bin

but to get the same output again:
chown: changing ownership of `/bin/ps': Operation not permitted.

Is there a way by which I can re-install my "ps" command again? If so, please guide me how?

Look at lsattr /bin/ps.

It does look like you have a rootkit on your system. I bet that if you compare this /bin/ps with the one from the package, there is a difference. You really need to reinstall because you don't know that else was altered. Fortunately, the hacker was vary sloppy. There was no reason to change the ownership of /bin/ps.

A hacked /bin/ps program will hide the processes that the hacker has running. Other programs like ls or even the kernel module that reads the filesystem may also be hacked to to hide the hackers files. You will need to examine the filesystem off line (running off a cdrom boot disk) to see them.

ya, you are right! When I tried #lsattr /bin/ps, I found some attributes of my file changed which were not allowing me to change the ownership of the file.

After running the 'chattr' command and resetting the attributes, I was able to change the ownsership of my file.

So, this solves my problem. Thank you for your help

Don't stop there please!

You need to check if the ps command has been altered. You should check others as well. Look at running rkhunter and chkrootkit. They will examine the fingerprints of commands like ps and ls. Also, validate the installed packages. For an rpm based system you could run "rpm -qa -V" to validate all of the packages installed by rpm. There will be some config files listed which will be OK. But binaries and library files should not have been altered.

The reason that I am concerned is because a hacker will want to hide their files and their running process from you by altering the commands that are used to look at them, like ls, ps, top, etc. Do you remember the Sony rootkit? They hid any file or process beginning with "$sys$". Even viruses (or is the word viri) using this file name pattern would be hidden from the system.

Also check out who placem is. Did you say that you didn't create that account. Well, for placem to show up as the owner, they need an entry in /etc/passwd and /etc/shadow. In other words, if there shouldn't be a placem user, that this a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time. It would be a good idea to scan the logs and try to find out if there are indications where the compromise came from. A hacker might have altered the logs however.

Quoth weblink_dipti:

Oh yes, indeedy, that new user has been created on the system, or you would not have seen it. It's just that you have not created that new user. Someone else has.

Quoth jschiwal:

What he said. Reinstallation is necessary. Postponing this is like postponing a root canal, or postponing the treatment of suspected cancer. The longer you wait, the more painful it will be.

Do it. Please.

Thank you all for your great advice.

I tested my system with chkrootkit and rkhunter to find some commands bad (but I am able to run these commands), like
/bin/ls [ BAD ]
/bin/ps [ BAD ]
/sbin/ifconfig [ BAD ]
/usr/bin/pstree [ BAD ]

and it also gave:
Rootkit 'SHV5 [ Warning! ]

Can you please help me in getting out of this problem? Is there a way by which I can fix up these commands instead of doing a reinstall?

These commands are not the primary wrong thing with your system. They are there only to hide that wrong thing.

Aspirin won't get you out of doing the root canal.

Do the root canal.

weblink_dipti,

You do not seem to understand the advice you are being given.

Somebody has hacked into your computer. They "own" it. Your computer is probably spewing spam and pron and money-laundering all over the internet. You are in big trouble. Even if your computer appears to be working normally, it is not.

You must disconnect it from the internet NOW (or do you want to find the police knocking at your door?).
Rescue only your data files. No configuration files at all. No program files at all.

Reinstall from the beginning. And harden your security.

Agreed that a full system wipe and reinstall as suggested by tredegar is the only solution for your problem. You should read this thread in the security forum for a lot of links to security resources. I also suggest the CERT guide for responding to intrusions.

Please take this seriously -- your computer can be used by the attacker as a spam/malware bot or used to break into other systems. Please disconnect it and do a safe reinstall immediately.

@ btmiller,

Thank you.

weblink_dipti has been well advised (by many others) as to what to do, but isn't listening. See his post (of today):

http://www.linuxquestions.org/questi...d.php?t=562205

"You can lead a horse to water but you can't make it drink"

Sigh.