GP1628
asked on
Solaris installpatch says "basename not found"
Or more specifically it says
./installpatch[199]: basename: not found
the version of solaris is SunOS Release 5.5.1
the machine is a Sparc2
the patch is to fix a hole before I boot the little hackers off the machine.
ASKER
hmmm good thought.
But no, I just did a
head -200 installpatch
and none of the lines at the end used basename.
I suppose I could try and figure out what each of the basename commands is trying to get and edit the lines to an exact path.
I will probably try that if no one comes up with anything.
Gandalf
If installpatch calls or dots in other shell scripts that could confuse the line numbering and makes it more difficult to trace which line is failing.
My second point was that installpatch is not finding the 'basename' command. I expect it would normally be in /usr/bin (or there may be a link in /usr/bin to where it really is). Try 'which basename' to find out where it is and make sure installpatch can pick it up.
Please, somebody else answer Gandalf's question, quickly... I'm trying to debug a script I can't see on a system that may have been hacked, just from memory of Solaris =:O
ASKER
wow, sounds rough.
OK I found it. I knew that the little hackers had trashed /bin/sh (strange thing to do, seems a sloppy way of keeping root from logging in)
I had checked installpatch and saw that it was ksh so I figured I was safe. Didn't realize that basename was a /bin/sh script. :)
So far all of these have been fine by just changing sh to ksh. I have to remember to change them back later.
Thanks.
Gandalf
Nice one - Now you just have to figure out how to give yourself the points :)
Maybe I should ask you a Q about stopping hackers...
ASKER
wow, sounds rough.
OK I found it. I knew that the little hackers had trashed /bin/sh (strange thing to do, seems a sloppy way of keeping root from logging in)
I had checked installpatch and saw that it was ksh so I figured I was safe. Didn't realize that basename was a /bin/sh script. :)
So far all of these have been fine by just changing sh to ksh. I have to remember to change them back later.
Thanks.
Gandalf
ASKER
oops, didn't mean to do that.
> Nice one - Now you just have to figure out how to
> give yourself the points :)
> Maybe I should ask you a Q about stopping hackers...
I was wondering that myself. Not so much the points but to kill the thread. It will only let me post a comment, not an answer, to myself. :)
Gandalf
I think you can delete a Q if no-one has proposed an answer, or get Customer Services to do it for you.
Alternatively, you could accept one of my comments as an answer :)
Best wishes anyway
Tim
GP1628,
I think, if you are sure that the machine is hacked, and you are not sure what is damaged, you have to sit back and evaluate: is it worth digging into the problem, examining each and every possibility of the damage done? Or you could back up all of the things that you want to save (data), and reinstall from scratch.
The bad thing about reinstalling is that you will miss the fun, and the experience of getting to know how the hacker gets into your machine.
Just my $0.01 comments,
Samri
How are you getting on against the little #@ckers?
ASKER
Nahh, I'm having fun with them.
I trace them back to their own machine, log in there, and download files. This one came off of a windows machine. I downloaded win.ini, system.ini, some interesting logs of IRC conversations where they traded sites like they were trading cards, and finally a list which seems to be a list of their shell sites.
I'm scanning them now for some RL names and info I can use.
This isn't the best crew I've snooped on. The last bunch was much better at hiding themselves in the machine but they did finally cut a deal of "we will stay out of yours if you stop logging into ours".
Right now I have mass patches running on the machines in that network. Then I will use the logins and passwords that they created to get back into the box and remove them from it.
gandalf@community.net
Uhh..Nice to see you giving them some of their own medicine, but remind me NEVER to upset you.
Re: having found that /bin/sh was trashed and GP1628's comments about the points... You're probably not as hosed out regarding basename as you'd think. Link or copy /sbin/sh to /bin/sh. Solaris keeps a statically linked copy for root's use so you can have a shell in single user mode when there are problems with using dynamic libraries. Which in turn is a good thing to remember when contemplating a change in root's shell... Thus avoiding one of the prime causes of the "Dreaded root shell disease".
Maybe I should get the points now...
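A worked illustration of the point in the comment above (the static /sbin/sh) and of the asker's earlier finding that basename was a /bin/sh script. This is an added example, not code from the original thread: it builds a throwaway directory tree that stands in for a SunOS 5.5.1 root (the fake basename, installpatch and ls files are constructed stand-ins, not the real Solaris files), lists every script whose "#!" interpreter is missing under that root, and shows the count drop to zero once /bin/sh is linked to /sbin/sh. It never touches the real system.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# On SunOS 5.5.1 several commands in /usr/bin (basename among them, as the
# asker found) are /bin/sh scripts. When /bin/sh has been removed, ksh cannot
# exec the script and reports the *script* ("basename: not found"), not the
# missing interpreter. Everything below works under a fake root ($root) so it
# can be run anywhere without modifying the real system.

# Print the number of scripts in $2 whose "#!" interpreter is absent under the
# root $1; name each offender on stderr. Real binaries (no "#!") are skipped.
count_missing_interpreters() {
    root=$1; dir=$2; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        IFS= read -r first < "$f" || continue
        case $first in '#!'*) ;; *) continue ;; esac
        interp=${first#??}          # strip the "#!"
        set -- $interp              # drop interpreter arguments (e.g. "-p")
        interp=$1
        if [ ! -x "$root$interp" ]; then
            printf '%s: needs %s, which is missing\n' "${f##*/}" "$interp" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed fixture: a fake root in the state the thread describes.
make_fixture() {
    root=$1
    mkdir -p "$root/bin" "$root/sbin" "$root/usr/bin"
    # basename as a /bin/sh script (stand-in for the SunOS 5.5.1 version)
    printf '#!/bin/sh\necho "${1##*/}"\n' > "$root/usr/bin/basename"
    # installpatch is a ksh script that calls basename (stand-in)
    printf '#!/bin/ksh\n/usr/bin/basename "$0"\n' > "$root/usr/bin/installpatch"
    # a compiled command: no "#!" line, so it is never blamed
    printf '\177ELF stand-in for a binary\n' > "$root/usr/bin/ls"
    : > "$root/bin/ksh"         # ksh is present, which is why installpatch starts at all
    : > "$root/sbin/sh"         # the statically linked shell the intruders left alone
    chmod +x "$root"/usr/bin/* "$root/bin/ksh" "$root/sbin/sh"
    # /bin/sh is deliberately absent: that is the damage described in the thread
}

# What the asker did in the end: point /bin/sh at the static /sbin/sh.
# A symlink is used because on Solaris /bin lives on the same filesystem
# as /usr, not necessarily the one holding /sbin, so a hard link may fail.
restore_sh() {
    ln -s "$1/sbin/sh" "$1/bin/sh"
}

demo() {
    t=$(mktemp -d) || exit 1
    make_fixture "$t"
    printf 'before repair: %s broken script(s)\n' "$(count_missing_interpreters "$t" "$t/usr/bin")"
    restore_sh "$t"
    printf 'after repair:  %s broken script(s)\n' "$(count_missing_interpreters "$t" "$t/usr/bin")"
    rm -rf "$t"
}
demo
```

Run against a real Solaris box, `count_missing_interpreters / /usr/bin` would have reported basename (and any other /bin/sh script) immediately, which is quicker than reading installpatch line by line. Note that the check trusts the "#!" line as found on disk; a trojaned script can of course name a perfectly valid interpreter.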
ASKER
oh sorry. In reading back I see that I didn't mention it. That was what I did: link the /sbin/sh to the /bin/sh that everything was looking for. Saved me a lot of work. The patches all installed nicely.
Now I'm just debating whether to boot the little #*@&ers now or continue messing with them and gathering data.
Gandalf
Have you read "The Cuckoos egg" by Clifford Stoll (ISBN 0 330 31742 3)? Your experience sounds very similar. Basically, he found & tracked down some hackers and eventually got them prosecuted. The problem was the time it took to collect evidence & get action from the authorities - probably why most people don't bother, so the #@ckers get away with it.
Alternatively, look at The Avengers handbook http://www.ekran.no/html/revenge for some ideas on messing with deserving peoples minds >:->
ASKER
Well it's been informative as long as they are on a machine that isn't mission critical anyway. What's fun is using their own tools, like a sniffer the last group left, against them.
Apparently the game goes like this. They break in and look for something they can use. Then they install programs overwriting ps, ls, netstat, login, passwd, find, etc. They are designed to not show their special logins logging in, not show certain processes being run, and not allow you to change their stuff.
If you run shadow passwd files, then:
grep -v :x: /etc/passwd
tail /etc/shadow
On any unix system:
find /dev -type f | xargs file | grep -i ascii
ls -blart /etc
ls -blart /usr/bin (or where those commands are)
if you find anything interesting, ask me about it.
gandalf@community.net
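The four manual checks in the post above, turned into functions that run against any root directory. This is an added example, not code from the original thread, and it goes a little beyond the one-liners: the passwd test is field-exact (so a ":x:" inside a GECOS field or a home path cannot mask an entry), the /dev scan classifies text by content instead of relying on file(1), and the "what changed recently" listing is expressed as "newer than a reference file" so it can be scripted. It is exercised on a constructed fixture (fake passwd/shadow entries, a fake /dev and /usr/bin; the "r00t" account and its hash are made up), so nothing here reads the real system.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks for the
# post-intrusion symptoms described above, run on a constructed fixture.

# Accounts whose password field is not "x". On a shadowed system every real
# entry has "x" there; a hash (or an empty field) in /etc/passwd itself is a
# planted login that keeps working even after /etc/shadow is cleaned up.
nonshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Login names of the last N entries in /etc/shadow: added accounts get appended.
last_shadow_logins() {
    tail -n "${2:-3}" "$1" | cut -d: -f1
}

# Regular files under a /dev tree that contain only printable text. A device
# directory holds nodes, not documents, so such a file is usually a rootkit's
# configuration (the process names and logins its replaced ps/ls/netstat must
# hide) or a sniffer log. grep is used instead of file(1) so the check still
# works where file(1) is absent or has itself been replaced.
text_files_under_dev() {
    find "$1" -type f | while IFS= read -r f; do
        [ -s "$f" ] || continue
        LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" || echo "$f"
    done
}

# Files in $1 modified after the reference file $2: the bottom of an
# 'ls -blart' listing, made scriptable. Pick a reference you know was last
# written by the OS install or the last legitimate patch run.
files_newer_than() {
    find "$1" -type f -newer "$2"
}

# Constructed fixture standing in for a compromised SunOS 5.5.1 root.
make_fixture() {
    r=$1
    mkdir -p "$r/etc" "$r/dev" "$r/usr/bin"
    printf '%s\n' \
        'root:x:0:0:Super-User:/:/sbin/sh' \
        'daemon:x:1:1::/:' \
        'gandalf:x:1001:10:Gandalf:/export/home/gandalf:/bin/ksh' \
        'r00t:abJnggxhB/yWI:0:0::/:/bin/sh' > "$r/etc/passwd"   # made-up hash
    printf '%s\n' 'root:NP:6445::::::' 'daemon:NP:6445::::::' \
        'gandalf:NP:10200::::::' 'r00t:NP:10200::::::' > "$r/etc/shadow"
    printf '\001\002\003\377' > "$r/dev/rdsk0"        # binary: looks like a device
    printf 'ps\nsniffer\nr00t\n' > "$r/dev/ptyp"      # text: a rootkit hide-list
    printf '\177ELF\n' > "$r/usr/bin/ls"              # stock command
    printf '\177ELF trojan\n' > "$r/usr/bin/ps"       # replaced command
    : > "$r/etc/install-stamp"                        # reference file
    touch -t 199601010000 "$r/usr/bin/ls" "$r/etc/install-stamp"
    # ps keeps the current time, i.e. it is newer than the install stamp
}

demo() {
    t=$(mktemp -d) || exit 1
    make_fixture "$t"
    echo "== passwd entries not using shadow:"
    nonshadowed_accounts "$t/etc/passwd"
    echo "== last two shadow logins:"
    last_shadow_logins "$t/etc/shadow" 2
    echo "== plain-text files under /dev:"
    text_files_under_dev "$t/dev"
    echo "== /usr/bin files newer than the install stamp:"
    files_newer_than "$t/usr/bin" "$t/etc/install-stamp"
    rm -rf "$t"
}
demo
```

On a box where ls, find and ps have already been replaced, run these from a shell and tools you brought in yourself (a mounted CD or a statically linked set), otherwise the trojaned binaries will filter their own entries out of the output, which is exactly what the post says they are built to do.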
ASKER CERTIFIED SOLUTION
If Unix can't find the 'basename' command, someone has seriously screwed up your path and/or standard commands [unless installpatch uses an absolute pathname or resets the standard paths].
Hope this helps