[K12OSN] bin files change on reboot

James P. Kinney III jkinney at localnetsolutions.com
Mon Feb 18 00:31:31 UTC 2008

On Sun, 2008-02-17 at 23:39 +0100, Nils Breunese wrote:
> Ryan Collins wrote:
> > You need to reformat and re-install, it's the only way to be sure.
> >
> > If it has been hacked, it's probably doing all sorts of nasty stuff on
> > the Internet.
> +1

Get that box off line instantly. If the user won't do it and you are
responsible for it, turn off networking and change root password. Linux
machines are incredibly powerful systems and one hack job can result in
an indescribable amount of mayhem elsewhere.

Since the machine is using rpm packages, you can find the trojaned
binaries by running "rpm -VA" and then the compromised binaries are the
files with the changed MD5 sum fields in the output. Read "man rpm" for
details in the verify section.

Even if you find the bad binaries, you will likely NOT solve the problem
by fixing them. 

This is where good admin skills (having /home on a separate partition is
essential) will keep your people from wanting to strangle you because

Sorry for the shouting. I spent several weeks meticulously chasing and
cleaning a machine that was compromised only to have it instantly
re-compromised when finally put back online (with upgraded plugged-holes
binaries) because there was a hidden file buried that I missed (/dev/
or something similar) that reloaded the bad stuff once the system was
networked again.
> I think it's already somewhat irresponsible to put a machine online  
> that runs an EOL'd OS, but if you *know* it's been hacked then you  
> really need to reinstall this one. I can recommend K12LTSP 5EL.
> Nils Breunese.
> > On 2/17/08, Barry Cisna <brcisna at eazylivin.net> wrote:
> >> Hello List,
> >>
> >> This is kind of a weird scenario. On an FC5 K12ltsp server I set up at
> >> some people's house over a year ago. I know this server has been hacked
> >> into some time back as I can see by the rkhunter logs for some time. I
> >> view it from time to time remotely via Webmin. What happens on this
> >> server is each time it gets rebooted (which is not very often, other
> >> than over this weekend due to ice storm/power outage here), there are a
> >> few bin files that end up being the wrong date and the wrong file sizes.
> >> Most everything still works OK other than lots of behind the scenes
> >> things, such as if I simply do a 'uname -a' I get segmentation fault and
> >> if I try to use the zip program I get errors. I took and copied from a
> >> good FC5 server the bin files and placed onto this particular server, so
> >> when this happens I explained to them how to copy/paste the good bin
> >> files into the /bin folder each time they end up having to reboot this
> >> server. Once the correct bin files are copied into the bin folder then
> >> there are no more segmentation faults and the zip program functions
> >> correctly, etc. I still have not figured out "where" these files come
> >> from each time this server is rebooted? This server runs rock solid and
> >> they really don't need to update to anything newer as they just use it
> >> to web browse and email thing.
> >> BTW; I did delete a couple directories that had been added with some
> >> sort of system scanner files to ftp out to a remote server some time
> >> back, thinking this may have been the resolve for this. No Joy :(.
> >> Anyone have any ideas where to look?
> >>
> >> Thanks,
> >>
> >> Barry Cisna
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions, LLC

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
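Added example, not part of this thread: a small POSIX shell helper that takes the output of `rpm -Va` and lists the files whose MD5 digest no longer matches the package database, separating config files (which legitimately change) from binaries under /bin, /sbin, /usr/bin and /usr/sbin, plus any files rpm reports as missing. The verify lines in SAMPLE are constructed, not output from the server discussed above.

```shell
#!/bin/sh
# Each rpm -V line is an attribute string, an optional type letter (c = config),
# then the path. Attribute positions: S size, M mode, 5 MD5 digest, D device,
# L link, U user, G group, T mtime; a '.' means that attribute still matches.
# Files rpm cannot find are printed as "missing <path>".
# On the real box:  rpm -Va | flag_changed_digests
# Caveat: the rpm database lives on the same (compromised) disk, so a clean
# result is weak evidence; a reinstall is still the only sure fix.
flag_changed_digests() {
    awk '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" {
            path = $NF                       # paths with spaces are not handled
            kind = "file"
            if ($2 == "c") kind = "config"
            else if (path ~ /^\/(usr\/)?s?bin\//) kind = "binary"
            print kind "\t" path
        }
    '
}

# A rootkit may delete the tools it replaces, so report those separately.
flag_missing() {
    awk '$1 == "missing" { print $NF }'
}

# Constructed sample of verify output for demonstration only.
SAMPLE='S.5....T    /bin/ls
..5....T  c /etc/ssh/sshd_config
S.5....T    /usr/bin/uname
.......T    /bin/cat
missing     /usr/bin/lsof
S.5....T    /usr/bin/zip'

printf '%s\n' "$SAMPLE" | flag_changed_digests
printf '%s\n' "$SAMPLE" | flag_missing
```

The mtime-only change on /bin/cat is not reported, since the digest still matches; only the "5" column marks altered content.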

