• Status: Solved

userdrake disappears?

I was just doing normal stuff then wondered whether i'd deleted an old account yet. so i su and try to launch userdrake from console.. instead it simply execs halt. So i went to check /usr/sbin and i didnt see userdrake, just userdrake.real - which was, yes, the real one. so what happened to regular userdrake and why did halt get called? if it's some kind of intrusion, is there some way I can check some files?
Asked by: Pahalial

Gns commented:
Userdrake is a "consolehelperified" executable.
It "lives" as a symlink in /usr/bin, and it should look somewhat like this (this is from a Mdk8.1 system):
# ls -l /usr/bin/userdrake
lrwxrwxrwx    1 root     root           27 mar 12 2002 /usr/bin/userdrake -> ../../usr/bin/consolehelper*

What program to exec is controlled by
# less -e /etc/security/console.apps/userdrake
USER=root
PROGRAM=/usr/sbin/userdrake.real
SESSION=true
FALLBACK=true

Go check there first.
You can also save a copy of all files of the userdrake rpm package (well, the relevant ones;-), and then perform a reinstall of it.
List files:
rpm -ql userdrake
Reinstall:
rpm -Uvh <package path/filename>
or
rpm --force -Uvh <package path/filename>

Then simply compare the files. Text files with diff, binaries with cmp.

-- Glenn
-CrashOverride- commented:
Check userdrake.real and if it looks like a JavaScript, rename it to userdrake.

Or if you're too lazy, just rename it and if it doesn't work then go to http://www.altlinux.com/index.php?module=sisyphus&package=userdrake and download it from there.
Gns commented:
My guess is that _someone_ has been having fun with your "consolehelper config files". If so, you should treat the system as suspect (if it isn't a local (up-beatable:-) culprit... well, perhaps even then).
Remove it to a closed test environment, and study what services it has running (processes on the system, ports visibly open via nmap or similar tool).
Eventually it might need a reinstall. Be sure to save any precious data first;-).

-- Glenn
Gns commented:
Renaming /usr/sbin/userdrake would only further break the consolehelper system, CrashOverride, so it is no solution. You would have to remove the symlink in /usr/bin/ to remove userdrake from it.
Still not the way to go.
The system is slightly suspect and should be treated as such, until its state can be more fully determined.

-- Glenn
Pahalial (Author) commented:
Hmmmm.. I did the less on /etc/security/console.apps/userdrake, and got the same output you put. However, if I less /usr/bin/userdrake (which is just a symlink to consolehelper), I get some output which seems to indicate someone just cut the normal stuff and pasted the halt/shutdown/reboot file(s).

ex:
QVh@
$gE#
[^_]
[^_]
@(#)halt  2.74  24-Feb-1998 miquels@cistron.nl
usage: %s [-n] [-w] [-d] [-f] [-i] [-p]
WARNING: could not determine runlevel - doing soft %s
  (it's better to use shutdown instead of %s from the command line)
%s: must be superuser.
reboot
poweroff

So, is the only surefire way to counter the intruder to reinstall from scratch (I'm fairly certain it's a remote), or would I be roughly as safe just reinstalling all my services?
Gns commented:
Do the
ls -l /usr/bin/userdrake

It should be (as shown above) a symlink to consolehelper...

Now, perhaps your consolehelper has been replaced...
# ls -l /usr/bin/consolehelper
-rwxr-xr-x    1 root     root        20616 sep 17  2001 /usr/bin/consolehelper*

is what is expected. In your case the size might be closer to
ls -l /sbin/halt
-rwxr-xr-x    1 root     root         7896 aug 22  2001 /sbin/halt*

because that is what your excerpt from less is showing.
It might have been symlinked to /sbin/halt...

Do
mv /usr/bin/consolehelper /usr/bin/consolehelper.suspect
then reinstall the package
rpm --force -Uvh /path/to/usermode*.rpm

You can see in /etc/security/console.apps all the packages that might lead to a system halt... not good.

This also means that you either have a very malicious prankster at your site, or you have been hacked by someone ... evil:-).

-- Glenn
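The checks Gns walks through in the two answers above (is /usr/bin/userdrake still a symlink to consolehelper, does the console.apps file still point at userdrake.real, and does consolehelper still match a saved copy or has it become halt) as one audit script. This is an added example, not code from the thread; it builds a constructed miniature filesystem root under a directory you pass in, with short byte strings standing in for the real binaries and a hypothetical ref/ directory holding the saved known-good copy of consolehelper.

```shell
# Constructed fixture: a miniature root with the layout described in the thread.
# $1 = root dir, $2 = "clean" or "tampered".
make_fixture() {
  root=$1; mode=$2
  mkdir -p "$root/usr/bin" "$root/usr/sbin" "$root/sbin" \
           "$root/etc/security/console.apps" "$root/ref"
  printf 'consolehelper-bytes\n'  > "$root/usr/bin/consolehelper"
  printf 'halt-bytes\n'           > "$root/sbin/halt"
  printf 'userdrake.real-bytes\n' > "$root/usr/sbin/userdrake.real"
  # Saved known-good copy, as Gns suggests keeping before a reinstall (hypothetical path).
  cp "$root/usr/bin/consolehelper" "$root/ref/consolehelper"
  ln -s ../../usr/bin/consolehelper "$root/usr/bin/userdrake"
  printf 'USER=root\nPROGRAM=/usr/sbin/userdrake.real\nSESSION=true\nFALLBACK=true\n' \
    > "$root/etc/security/console.apps/userdrake"
  # Tampered variant: consolehelper overwritten with the halt binary, as in the thread.
  [ "$mode" = tampered ] && cp "$root/sbin/halt" "$root/usr/bin/consolehelper"
  return 0
}

# Audit one consolehelper-wrapped app under $root. Prints each finding and returns 0
# only if all three checks pass: symlink target, PROGRAM= target, consolehelper unchanged.
check_app() {
  root=$1; app=$2; bad=0
  link=$(readlink "$root/usr/bin/$app" 2>/dev/null || true)
  if [ "$(basename "${link:-none}")" != consolehelper ]; then
    echo "$app: /usr/bin/$app is not a symlink to consolehelper (got '$link')"; bad=1
  fi
  prog=$(sed -n 's/^PROGRAM=//p' "$root/etc/security/console.apps/$app" 2>/dev/null)
  if [ -z "$prog" ] || [ ! -f "$root$prog" ]; then
    echo "$app: PROGRAM= entry missing or its target is absent ('$prog')"; bad=1
  fi
  if ! cmp -s "$root/usr/bin/consolehelper" "$root/ref/consolehelper"; then
    echo "$app: /usr/bin/consolehelper differs from the saved reference copy"; bad=1
    cmp -s "$root/usr/bin/consolehelper" "$root/sbin/halt" \
      && echo "$app: consolehelper is byte-identical to /sbin/halt"
  fi
  return $bad
}
```

On a real system, `rpm -V usermode userdrake` compares the installed files against the RPM database (size, checksum, mode) and is a quicker first pass than diff/cmp by hand; the script above is the equivalent for the one wrapper the thread is about.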
Gns commented:
Reinstall from scratch.

The work in determining _what else_ has been tampered with (without an IDS or tripwire-like utility) is too time-consuming to even contemplate.

Be sure to save any "non-volatile" data, that is rare config examples, text files or databases you've spent too much time accumulating;-).

-- Glenn
Pahalial (Author) commented:
Alright, thanks, gns. This should be fun..
Gns commented:
I'm not sure I'd call it _fun_, but perhaps ... instructive:-):-).

Next time around, do try to keep it as up to date as possible, tighten down any unnecessary services and implement some sort of IDS... snort might be good.

-- Glenn
Pahalial (Author) commented:
Well, I did subscribe to the MDKSA list and a few others, and updated as quickly as I could... and since I had some issues trying to install the free version of tripwire, I kinda just decided I wouldn't need it.. live 'n learn.

Thanks for the tips, though, great site & all.