I noticed today that the ownership of /bin/ps , /bin/ls files on my server have changed to some new user (which is not even created in the system) from root.
I am currently logged in as root, and when I tried to change the ownership again with the following command:
# chown root:root /bin/ps
It said:
chown: changing ownership of `/bin/ps': Operation not permitted
But why does "root" not have permission to change the ownership? How can I resolve this problem? Please help.
drwxr-xr-x 23 root root 4096 Jun 20 19:49 /
drwxr-xr-x 2 root root 4096 Jun 20 21:52 /bin
-r-xr-xr-x 1 root root 79388 May 4 22:00 /bin/ps
which is what I'd expect.
Note ps is NOT writeable.
If you cannot account for the placem user & group, I'd suggest you've been rooted.
Re-install is the only safe option ... see Security Forum for more info.
It does look like you have a rootkit on your system. I bet that if you compare this /bin/ps with the one from the package, there is a difference. You really need to reinstall because you don't know what else was altered. Fortunately, the hacker was very sloppy. There was no reason to change the ownership of /bin/ps.
A hacked /bin/ps program will hide the processes that the hacker has running. Other programs like ls, or even the kernel module that reads the filesystem, may also be hacked to hide the hacker's files. You will need to examine the filesystem offline (running off a CD-ROM boot disk) to see them.
ya, you are right! When I tried #lsattr /bin/ps, I found some attributes of my file changed which were not allowing me to change the ownership of the file.
After running the 'chattr' command and resetting the attributes, I was able to change the ownership of my file.
So, this solves my problem. Thank you for your help.
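An added example, not from any poster in this thread: a small POSIX sh filter that reads lsattr output and reports files carrying the immutable (i) or append-only (a) attribute, which is exactly the condition that stopped root's chown above and is worth hunting for across all system binaries, not just the one that was noticed. The lsattr lines embedded below are constructed for offline use; in practice feed it `lsattr /bin/* /sbin/* /usr/bin/* 2>/dev/null`.

```shell
#!/bin/sh
# Constructed lsattr output (format: "<attrs> <path>", one space between).
# The 'e' flag (extents) is normal on ext4; 'i' and 'a' on a binary are not.
SAMPLE_LSATTR='----i--------e-- /bin/ps
----i--------e-- /bin/ls
-------------e-- /bin/cat
-----a-------e-- /sbin/ifconfig'

# Reads lsattr lines on stdin and prints "<reason> <path>" for every file whose
# attribute field contains i (immutable) or a (append-only). Matching is
# case-sensitive, so 'I' (indexed dir) and 'A' (no atime) are not flagged.
flag_locked_attrs() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        attrs=${line%% *}   # text before the first space
        path=${line#* }     # text after the first space
        case $attrs in
            *i*) printf 'immutable %s\n' "$path" ;;
            *a*) printf 'append-only %s\n' "$path" ;;
        esac
    done
}

# Runs the filter over the constructed sample so the script works offline.
check_sample() {
    printf '%s\n' "$SAMPLE_LSATTR" | flag_locked_attrs
}

check_sample
```

Any hit on a system binary that you did not set yourself is a strong indicator of tampering; clearing the flag with `chattr -i` restores chown, but as the replies below stress, it does not make the binary trustworthy.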
You need to check if the ps command has been altered. You should check others as well. Look at running rkhunter and chkrootkit. They will examine the fingerprints of commands like ps and ls. Also, validate the installed packages. For an rpm based system you could run "rpm -qa -V" to validate all of the packages installed by rpm. There will be some config files listed which will be OK. But binaries and library files should not have been altered.
The reason that I am concerned is because a hacker will want to hide their files and their running process from you by altering the commands that are used to look at them, like ls, ps, top, etc. Do you remember the Sony rootkit? They hid any file or process beginning with "$sys$". Even viruses (or is the word viri) using this file name pattern would be hidden from the system.
Also check out who placem is. Did you say that you didn't create that account? Well, for placem to show up as the owner, they need an entry in /etc/passwd and /etc/shadow. In other words, if there shouldn't be a placem user, that is a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time. It would be a good idea to scan the logs and try to find out if there are indications where the compromise came from. A hacker might have altered the logs, however.
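An added example, not the poster's own, that applies the triage rule given above to `rpm -V` output: config files (type marker `c`) are skipped because drift there is expected, a `missing` file is reported, and any other file whose verification flags show more than an mtime (`T`) change is reported as altered. The rpm -V lines embedded below are constructed; in practice pipe `rpm -Va 2>/dev/null` into `triage_rpm_verify`.

```shell
#!/bin/sh
# Constructed rpm -V output. Columns: 9 verification flags (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P caps), an optional
# file-type letter (c config, d doc, g ghost, l license, r readme), then the path.
SAMPLE_RPM_V='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ps
.......T.    /bin/ls
S.5....T.    /usr/lib64/libproc.so
missing     /usr/bin/pstree
.M.......    /bin/cat'

# Reads rpm -V lines on stdin; prints "MISSING <path>" or "ALTERED <flags> <path>"
# for non-config files that differ from the package in anything but mtime.
triage_rpm_verify() {
    while read -r flags second rest; do
        [ -n "$flags" ] || continue
        case $second in
            c|d|g|l|r) ftype=$second; path=$rest ;;   # type letter present
            *)         ftype="";      path=$second ;; # regular file: no type letter
        esac
        [ "$ftype" = c ] && continue                  # config changes are expected
        if [ "$flags" = missing ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        case $flags in
            *[SM5DLUGP]*) printf 'ALTERED %s %s\n' "$flags" "$path" ;;
        esac
    done
}

# Runs the triage over the constructed sample so the script works offline.
triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
}

triage_sample
```

Run this from a known-good rescue environment if you can: on a compromised host rpm itself and its database may have been altered.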
THIS IS VERY IMPORTANT (I don't use all upper case very often.)
Quoth weblink_dipti:
"the ownership of /bin/ps , /bin/ls files on my server have changed to some new user (which is not even created in the system)"
Oh yes, indeedy, that new user has been created on the system, or you would not have seen it. It's just that you have not created that new user. Someone else has.
Quoth jschiwal:
"if there shouldn't be a placem user, that is a sign that someone gained root access to be able to add him. Only root could have changed the ownership of /bin/ps and /bin/ls. I highly recommend that you reinstall. It is game over time."
What he said. Reinstallation is necessary. Postponing this is like postponing a root canal, or postponing the treatment of suspected cancer. The longer you wait, the more painful it will be.
I tested my system with chkrootkit and rkhunter, and they flagged some commands as bad (though I am still able to run these commands), like
/bin/ls [ BAD ]
/bin/ps [ BAD ]
/sbin/ifconfig [ BAD ]
/usr/bin/pstree [ BAD ]
and it also gave:
Rootkit 'SHV5 [ Warning! ]
Can you please help me in getting out of this problem? Is there a way by which I can fix up these commands instead of doing a reinstall?
Last edited by weblink_dipti; 06-23-2007 at 02:41 AM.
You do not seem to understand the advice you are being given.
Somebody has hacked into your computer. They "own" it. Your computer is probably spewing spam and pron and money-laundering all over the internet. You are in big trouble. Even if your computer appears to be working normally, it is not.
You must disconnect it from the internet NOW (or do you want to find the police knocking at your door?).
Rescue only your data files. No configuration files at all. No program files at all.
Reinstall from the beginning. And harden your security.
Agreed that a full system wipe and reinstall as suggested by tredegar is the only solution for your problem. You should read this thread in the security forum for a lot of links to security resources. I also suggest the CERT guide for responding to intrusions.
Please take this seriously -- your computer can be used by the attacker as a spam/malware bot or used to break into other systems. Please disconnect it and do a safe reinstall immediately.