Pahalial
asked on
userdrake disappears?
I was just doing normal stuff then wondered whether I'd deleted an old account yet. So I su and try to launch userdrake from console... instead it simply execs halt. So I went to check /usr/sbin and I didn't see userdrake, just userdrake.real - which was, yes, the real one. So what happened to regular userdrake and why did halt get called? If it's some kind of intrusion, is there some way I can check some files?
Check userdrake.real and if it looks like a java script rename it to userdrake.
Or if you're too lazy, just rename it, and if it doesn't work then go to http://www.altlinux.com/index.php?module=sisyphus&package=userdrake and download it from there.
My guess is that _someone_ has been having fun with your "consolehelper config files". If so, you should treat the system as suspect (if it isn't a local (up-beatable:-) culprit... well, perhaps even then).
Remove it to a closed test environment, and study what services it has running (processes on the system, ports visibly open via nmap or similar tool).
Eventually it might need a reinstall. Be sure to save any precious data first;-).
-- Glenn
Renaming /usr/sbin/userdrake would only further break the consolehelper system CrashOverride, so is no solution. You would have to remove the symlink in /usr/bin/ to remove userdrake from it.
Still not the way to go.
The system is slightly suspect and should be treated as such, until its state can be more fully determined.
-- Glenn
ASKER
Hmmmm... I did the less on /etc/security/console.apps/userdrake, and got the same output you put. However, if I less /usr/bin/userdrake (which is just a symlink to consolehelper), I get some output which seems to indicate someone just cut the normal stuff and pasted the halt/shutdown/reboot file(s).
ex:
QVh@
$gE#
[^_]
[^_]
@(#)halt 2.74 24-Feb-1998 miquels@cistron.nl
usage: %s [-n] [-w] [-d] [-f] [-i] [-p]
WARNING: could not determine runlevel - doing soft %s
(it's better to use shutdown instead of %s from the command line)
%s: must be superuser.
reboot
poweroff
So, is the only surefire way to counter the intruder to reinstall from scratch (I'm fairly certain it's a remote), or would I be roughly as safe just reinstalling all my services?
Do the
ls -l /usr/bin/userdrake
It should be (as shown above) a symlink to consolehelper...
Now, perhaps your consolehelper has been replaced...
# ls -l /usr/bin/consolehelper
-rwxr-xr-x 1 root root 20616 sep 17 2001 /usr/bin/consolehelper*
is what is expected. In your case the size might be closer to
ls -l /sbin/halt
-rwxr-xr-x 1 root root 7896 aug 22 2001 /sbin/halt*
because that is what your excerpt from less is showing.
It might have been symlinked to /sbin/halt...
Do
mv /usr/bin/consolehelper /usr/bin/consolehelper.suspect
then reinstall the package
rpm --force -Uvh /path/to/usermode*.rpm
You can see in /etc/security/console.apps all the packages that might lead to a system halt... not good.
This also means that you either have a very malicious prankster at your site, or you have been hacked by someone ... evil:-).
-- Glenn
ASKER
Alright, thanks, gns. This should be fun..
I'm not sure I'd call it _fun_, but perhaps ... instructive:-):-).
Next time around, do try to keep it as up2date as possible, tighten down any unnecessary services and implement some sort of IDS... snort might be good.
-- Glenn
ASKER
Well, I did subscribe to the MDKSA list and a few others, and updated as quickly as I could... and since I had some issues trying to install the free version of tripwire, I kinda just decided I wouldn't need it... live 'n learn.
Thanks for the tips, though, great site & all.
It "lives" as a symlink in /usr/bin, and it should look somewhat like this (this is from a Mdk8.1 system):
# ls -l /usr/bin/userdrake
lrwxrwxrwx 1 root root 27 mar 12 2002 /usr/bin/userdrake -> ../../usr/bin/consolehelpe
What program to exec is controlled by
# less -e /etc/security/console.apps
USER=root
PROGRAM=/usr/sbin/userdrak
SESSION=true
FALLBACK=true
Go check there first.
You can also save a copy of all files of the userdrake rpm package (well, the relevant ones;-), and then perform a reinstall of it.
List files:
rpm -ql userdrake
Reinstall:
rpm -Uvh <package path/filename>
or
rpm --force -Uvh <package path/filename>
Then simply compare the files. Text files with diff, binaries with cmp.
-- Glenn
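As an added example (not part of the thread, and not Glenn's own commands), the following POSIX shell script automates the checks described in the two answers above: follow the /usr/bin/userdrake symlink the way `ls -l` shows it, look for the sysvinit halt banner in whatever binary it lands on, and `cmp` a saved copy of the suspect file against the reinstalled one. The helper names, the `build_sandbox` tree and the fake binaries in it are assumptions for illustration; on a real system you would point `triage_wrapper` at /usr/bin/userdrake and `compare_with_pristine` at consolehelper.suspect and the freshly reinstalled /usr/bin/consolehelper.

```shell
#!/bin/sh
# Added example: triage a consolehelper wrapper that may have been replaced.
# Function and file names here are hypothetical; the sandbox stands in for
# /usr/bin and /sbin so the script can be exercised without touching a live box.

# resolve_target PATH: print the file a symlink points at (one level, as ls -l shows it),
# resolving a relative link target against the link's own directory.
resolve_target() {
    _p="$1"
    if [ -L "$_p" ]; then
        _t=$(readlink "$_p")
        case "$_t" in
            /*) printf '%s\n' "$_t" ;;
            *)  printf '%s\n' "$(dirname "$_p")/$_t" ;;
        esac
    else
        printf '%s\n' "$_p"
    fi
}

# looks_like_halt FILE: 0 if FILE carries the sysvinit halt version banner seen in the thread.
looks_like_halt() {
    grep -q '@(#)halt' "$1" 2>/dev/null
}

# triage_wrapper LINK: print a verdict; return 0 for clean, 1 for suspect.
triage_wrapper() {
    _link="$1"
    _target=$(resolve_target "$_link")
    if [ ! -e "$_target" ]; then
        echo "SUSPECT: $_link -> $_target (dangling link)"
        return 1
    fi
    if looks_like_halt "$_target"; then
        echo "SUSPECT: $_link -> $_target contains the halt banner"
        return 1
    fi
    echo "OK: $_link -> $_target"
    return 0
}

# compare_with_pristine SAVED PRISTINE: byte-compare the saved suspect copy against
# the reinstalled file (the "binaries with cmp" step). 0 if identical, 1 if they differ.
compare_with_pristine() {
    if cmp -s "$1" "$2"; then
        echo "identical: $1 $2"
        return 0
    fi
    echo "DIFFERS: $1 $2"
    return 1
}

# build_sandbox DIR: constructed test tree with one good wrapper and one tampered
# wrapper that is a plain copy of a fake /sbin/halt (constructed data, not real binaries).
build_sandbox() {
    _d="$1"
    mkdir -p "$_d/bin" "$_d/sbin"
    printf 'fake consolehelper binary\n' > "$_d/bin/consolehelper.good"
    printf '\177ELF @(#)halt 2.74 24-Feb-1998 miquels@cistron.nl\nusage: %%s [-n] [-w]\n' \
        > "$_d/sbin/halt"
    cp "$_d/sbin/halt" "$_d/bin/consolehelper"        # tampered: wrapper replaced by halt
    ln -sf consolehelper      "$_d/bin/userdrake"       # what the thread found
    ln -sf consolehelper.good "$_d/bin/userdrake.good"  # what it should look like
}

# demo: run the checks against a throwaway sandbox.
demo() {
    _sb=$(mktemp -d)
    build_sandbox "$_sb"
    triage_wrapper "$_sb/bin/userdrake.good"
    triage_wrapper "$_sb/bin/userdrake"
    compare_with_pristine "$_sb/bin/consolehelper" "$_sb/bin/consolehelper.good"
    compare_with_pristine "$_sb/bin/consolehelper" "$_sb/sbin/halt"
    rm -rf "$_sb"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh triage.sh demo` to see the sandbox verdicts. On the real host, `rpm -V usermode userdrake SysVinit` is the quicker first pass (it flags size, mode and digest changes against the package database), but it trusts the rpm binary and database on the same suspect system, which is why Glenn's advice to compare against a copy reinstalled from known-good media, or to reinstall outright, still stands.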