userdrake disappears?

Posted on 2003-03-10
Medium Priority
Last Modified: 2013-11-13
I was just doing normal stuff then wondered whether i'd deleted an old account yet. so i su and try to launch userdrake from console.. instead it simply execs halt. So i went to check /usr/sbin and i didnt see userdrake, just userdrake.real - which was, yes, the real one. so what happened to regular userdrake and why did halt get called? if it's some kind of intrusion, is there some way I can check some files?
Question by:Pahalial
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
LVL 20

Expert Comment

ID: 8104285
Userdrake is a "consolehelperified" executable.
It "lives" as a symlink in /usr/bin, and it should look somewhat like this (this is from a Mdk8.1 system):
# ls -l /usr/bin/userdrake
lrwxrwxrwx    1 root     root           27 mar 12 2002 /usr/bin/userdrake -> ../../usr/bin/consolehelper*

What program to exec is controlled by
# less -e /etc/security/console.apps/userdrake

Go check there first.
You can also save a copy of all files of the userdrake rpm package (well, the relevant ones;-), and the perform a reinstall of it.
List files:
rpm -ql userdrake
rpm -Uvh <package path/filename>
rpm --force -Uvh <package path/filename>

Then simply compare the files. Text files with diff, binaries with cmp.

-- Glenn

Expert Comment

ID: 8104288
chek userdrake.real and if it looks like a java script rename it to userdrake

or if ur too lasy just rename it and if it doesn't work then go too http://www.altlinux.com/index.php?module=sisyphus&package=userdrake and download it from there
LVL 20

Expert Comment

ID: 8104322
My guess is that _someone_ has been having fun with your "colsolehelper config files". If so, you should treat the system as suspect (if it isn't a local (up-beatable:-) culprit... well, perhaps even then).
Remove it to a closed test environment, and study what services it has running (processes on the system, ports visibly open via nmap or similar tool).
Eventually it might need a reinstall. Be sure to save any precious data first;-).

-- Glenn

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

LVL 20

Expert Comment

ID: 8104356
Renaming /usr/sbin/userdrake would only further break the consolehelper system CrashOverride, so is no solution. You would have to remove the symlink in /usr/bin/ to remove userdrake from it.
Still not the way to go.
The system is slightly suspect and should be treated as such, until it's state can be more fully determined.

-- Glenn

Author Comment

ID: 8104379
Hmmmm.. i did the less on the /etc/security/console.apps/userdrake, and got the same output you put. however, if i less /usr/bin/userdrake (which is just a symlink to consolehelper), i get some output which seems to indicate someone just cut the normal stuff and pasted the halt/shutdown/reboot file(s).

@(#)halt  2.74  24-Feb-1998 miquels@cistron.nl
usage: %s [-n] [-w] [-d] [-f] [-i] [-p]
WARNING: could not determine runlevel - doing soft %s
  (it's better to use shutdown instead of %s from the command line)
%s: must be superuser.

so, is the only surefire way to counter the intruder to reinstall from scratch (i'm fairly certain it's a remote), or would I be roughly as safe just reinstalling all my services?
LVL 20

Expert Comment

ID: 8104531
Do the
ls -l /usr/bin/userdrake

It should be (as shown above) a symlink to consolehelper...

Now, perhaps your consolehelper has been replaced...
# ls -l /usr/bin/consolehelper
-rwxr-xr-x    1 root     root        20616 sep 17  2001 /usr/bin/consolehelper*

is what is expected. In your case the size might be closer to
ls -l /sbin/halt
-rwxr-xr-x    1 root     root         7896 aug 22  2001 /sbin/halt*

because that is what your excerpt from less is showing.
It might have been symlinked to /sbin/halt...

mv /usr/bin/consolehelper /usr/bin/consolehelper.suspect
then reinstall the package
rpm --force -Uvh /path/to/usermode*.rpm

You can see in /etc/security/console.apps all the packages that might lead to a system halt... not good.

This also means that you either have a very malicious prakster at your site, or you have been hacked by someone ... evil:-).

-- Glenn
LVL 20

Accepted Solution

Gns earned 600 total points
ID: 8104622
Reinstall from scratch.

The work in determining _what else_ has been tampered whith (without an IDS or tripwire-like utility) is to timeconsuming to even contemplate.

Be sure to save any "non-volatile" data, that is rare config examples, textfiles or databases you've spent to much time accumulating;-).

-- Glenn

Author Comment

ID: 8104713
Alright, thanks, gns. This should be fun..
LVL 20

Expert Comment

ID: 8104749
I'm not sure I'd call it _fun_, but perhaps ... instructive:-):-).

Next time around, do try to keep it as up2date as possible, tight down any unecessary services and implement some sort of IDS... snort might be good.

-- Glenn

Author Comment

ID: 8104779
Well, I did subscribe to the MDKSA list and a few others, and updated as quickly as I could... and since I had some issues trying to install the free version of tripwire, I kinda just decided i wouldn't need it.. live 'n learn.

Thanks for the tips, though, great site & all.

Featured Post

Get MySQL database support online, now!

At Percona’s web store you can order your MySQL database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Create a Windows 10 custom Image with custom task bar and custom start menu using XML for deployment.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses
Course of the Month10 days, 1 hour left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question