Pahalial asked:

userdrake disappears?

I was just doing normal stuff then wondered whether I'd deleted an old account yet. So I su and try to launch userdrake from console.. instead it simply execs halt. So I went to check /usr/sbin and I didn't see userdrake, just userdrake.real - which was, yes, the real one. So what happened to regular userdrake and why did halt get called? If it's some kind of intrusion, is there some way I can check some files?
Gns

Userdrake is a "consolehelperified" executable.
It "lives" as a symlink in /usr/bin, and it should look somewhat like this (this is from a Mdk8.1 system):
# ls -l /usr/bin/userdrake
lrwxrwxrwx    1 root     root           27 mar 12 2002 /usr/bin/userdrake -> ../../usr/bin/consolehelper*

What program to exec is controlled by
# less -e /etc/security/console.apps/userdrake
USER=root
PROGRAM=/usr/sbin/userdrake.real
SESSION=true
FALLBACK=true

Go check there first.
You can also save a copy of all files of the userdrake rpm package (well, the relevant ones;-), and then perform a reinstall of it.
List files:
rpm -ql userdrake
Reinstall:
rpm -Uvh <package path/filename>
or
rpm --force -Uvh <package path/filename>

Then simply compare the files. Text files with diff, binaries with cmp.

-- Glenn
Check userdrake.real and if it looks like a java script rename it to userdrake

or if you're too lazy just rename it and if it doesn't work then go to http://www.altlinux.com/index.php?module=sisyphus&package=userdrake and download it from there
My guess is that _someone_ has been having fun with your "consolehelper config files". If so, you should treat the system as suspect (if it isn't a local (up-beatable:-) culprit... well, perhaps even then).
Remove it to a closed test environment, and study what services it has running (processes on the system, ports visibly open via nmap or similar tool).
Eventually it might need a reinstall. Be sure to save any precious data first;-).

-- Glenn
Renaming /usr/sbin/userdrake would only further break the consolehelper system CrashOverride, so is no solution. You would have to remove the symlink in /usr/bin/ to remove userdrake from it.
Still not the way to go.
The system is slightly suspect and should be treated as such, until its state can be more fully determined.

-- Glenn
Pahalial (ASKER):

Hmmmm.. I did the less on the /etc/security/console.apps/userdrake, and got the same output you put. However, if I less /usr/bin/userdrake (which is just a symlink to consolehelper), I get some output which seems to indicate someone just cut the normal stuff and pasted the halt/shutdown/reboot file(s).

ex:
QVh@
$gE#
[^_]
[^_]
@(#)halt  2.74  24-Feb-1998 miquels@cistron.nl
usage: %s [-n] [-w] [-d] [-f] [-i] [-p]
WARNING: could not determine runlevel - doing soft %s
  (it's better to use shutdown instead of %s from the command line)
%s: must be superuser.
reboot
poweroff

So, is the only surefire way to counter the intruder to reinstall from scratch (I'm fairly certain it's a remote), or would I be roughly as safe just reinstalling all my services?
Do the
ls -l /usr/bin/userdrake

It should be (as shown above) a symlink to consolehelper...

Now, perhaps your consolehelper has been replaced...
# ls -l /usr/bin/consolehelper
-rwxr-xr-x    1 root     root        20616 sep 17  2001 /usr/bin/consolehelper*

is what is expected. In your case the size might be closer to
ls -l /sbin/halt
-rwxr-xr-x    1 root     root         7896 aug 22  2001 /sbin/halt*

because that is what your excerpt from less is showing.
It might have been symlinked to /sbin/halt...

Do
mv /usr/bin/consolehelper /usr/bin/consolehelper.suspect
then reinstall the package
rpm --force -Uvh /path/to/usermode*.rpm

You can see in /etc/security/console.apps all the packages that might lead to a system halt... not good.

This also means that you either have a very malicious prankster at your site, or you have been hacked by someone ... evil:-).

-- Glenn
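An added example, not from this thread, that scripts the checks Glenn walks through above: is /usr/bin/<app> still a symlink to consolehelper, has consolehelper itself been swapped for a symlink to halt (or does it carry the "@(#)halt" banner the asker saw in less), and does /etc/security/console.apps/<app> still name a real PROGRAM rather than a shutdown tool. ROOT is an assumed prefix so the same function can be run against a copied tree; on the live system pass /.

```shell
# audit_consolehelper_app ROOT APP: ROOT is a prefix ("/" live, or a copied
# tree), APP the wrapped program, e.g. userdrake. Returns 0 when the layout
# matches what the thread expects, 1 otherwise, one line per finding.
audit_consolehelper_app() {
    root=${1%/}; app=$2; rc=0
    link="$root/usr/bin/$app"
    helper="$root/usr/bin/consolehelper"
    conf="$root/etc/security/console.apps/$app"
    # 1. /usr/bin/<app> must be a symlink whose target is consolehelper
    if [ ! -L "$link" ]; then
        echo "FINDING: $link is not a symlink"; rc=1
    else
        target=$(readlink "$link")
        case "$target" in
            consolehelper|*/consolehelper) ;;
            *) echo "FINDING: $link -> $target (expected consolehelper)"; rc=1 ;;
        esac
    fi
    # 2. consolehelper must be a regular file (not a symlink to /sbin/halt)
    #    and must not carry the halt version banner the asker saw in less
    if [ -L "$helper" ]; then
        echo "FINDING: $helper is a symlink to $(readlink "$helper")"; rc=1
    elif [ ! -f "$helper" ]; then
        echo "FINDING: $helper is missing"; rc=1
    fi
    if [ -f "$helper" ] && grep -aq '@(#)halt' "$helper"; then
        echo "FINDING: $helper contains the halt banner"; rc=1
    fi
    # 3. the config must name an existing PROGRAM that is not a shutdown tool
    if [ ! -f "$conf" ]; then
        echo "FINDING: $conf is missing"; rc=1
    else
        prog=$(sed -n 's/^PROGRAM=//p' "$conf")
        case "$(basename "${prog:-none}")" in
            halt|reboot|poweroff|shutdown) echo "FINDING: $conf runs $prog"; rc=1 ;;
        esac
        [ -f "$root$prog" ] || { echo "FINDING: PROGRAM $prog in $conf is missing"; rc=1; }
    fi
    return $rc
}
# audit_all_console_apps ROOT: repeat the check for every entry in
# console.apps, the directory Glenn points out as the one to inspect
audit_all_console_apps() {
    root=${1%/}; bad=0
    for f in "$root"/etc/security/console.apps/*; do
        [ -f "$f" ] || continue
        audit_consolehelper_app "$root" "$(basename "$f")" || bad=1
    done
    return $bad
}
```

A clean result from this script only says the wrapper layout is intact; the reinstall-and-compare (diff/cmp, or rpm's own verification) Glenn describes is still needed to trust the binaries themselves.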
Alright, thanks, gns. This should be fun..
I'm not sure I'd call it _fun_, but perhaps ... instructive:-):-).

Next time around, do try to keep it as up2date as possible, tighten down any unnecessary services and implement some sort of IDS... snort might be good.

-- Glenn
Well, I did subscribe to the MDKSA list and a few others, and updated as quickly as I could... and since I had some issues trying to install the free version of tripwire, I kinda just decided I wouldn't need it.. live 'n learn.

Thanks for the tips, though, great site & all.