Install in /usr/sbin errors

Support for security such as Firewalls and securing linux
Tola
Posts: 11
Joined: 2010/08/17 11:59:04

Install in /usr/sbin errors

Post by Tola » 2012/04/18 07:53:21

Hi,
I have a bug when trying to install almost everything: if the installation needs to do something in the /usr/sbin folder, it gives errors.
SSH
[code]yum install pptp

Running Transaction
Installing : pptp 1/1
Error unpacking rpm package pptp-1.7.2-8.1.el5.rf.x86_64
warning: /etc/ppp/options.pptp created as /etc/ppp/options.pptp.rpmnew
error: unpacking of archive failed on file /usr/sbin/pptp;4f8c7651: cpio: open

Failed:
pptp.x86_64 0:1.7.2-8.1.el5.rf

Complete!

[root@localhost pptp]# rpm -ivh pptp-1.7.1-3.x86_64.rpm
warning: pptp-1.7.1-3.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing... ########################################### [100%]
1:pptp warning: /etc/ppp/options.pptp created as /etc/ppp/options.pptp.rpmnew
########################################### [100%]
error: unpacking of archive failed on file /usr/sbin/pptp;4f8c7804: cpio: open failed - Permission denied
[/code]

On folder /usr/sbin with the command lsattr I get

[code][root@localhost usr]# lsattr -d /usr/sbin
suS-iadAc-I-- /usr/sbin
[root@localhost usr]#
[/code]

If I try to run chattr I get
[code][root@localhost usr]# chattr -R -suSiadAc /usr/sbin
Killed
[root@localhost usr]#
[/code]

This with KILLED I can't find anywhere.

Did someone have this error?

I have more than one machine; only on this machine do I have this error, and the only difference is that this machine has suS-iadAc-I-- /usr/sbin in rights and the other machines have nothing of this.

Also, in /usr/sbin I have a file .chattr; on the other machines there is no such file. I cannot delete it or anything.

file chattr

thx

[url=http://www.2shared.com/file/e1qOK3-4/chattr-sbin.html]chattr[/url]

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Install in /usr/sbin errors

Post by pschaff » 2012/04/18 17:53:28

If you did not change the attributes of /usr/sbin to be immutable and create the file you may have a serious security issue. Taking the system off-line and checking with chkrootkit or other tools is recommended.

Normal attributes are:
[code]# lsattr -d /usr/sbin
----------I--e- /usr/sbin
[/code]

Try a google on [url=https://www.google.com/search?q=%22%2Fusr%2Fsbin%22+immutable+security+~hacked&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=firefox-a]"/usr/sbin" immutable security ~hacked[/url]. Moving the thread to the Security forum.
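
Added example, not part of the original thread or of pschaff's reply: a small shell check that compares `lsattr -d` output against the normal attributes shown above and reports any other flag (immutable `i`, append-only `a`, and so on). The function names and the choice of `I` and `e` as the only expected flags are assumptions; the sample lines are the ones posted in this thread.

```shell
#!/bin/sh
# Added example: flag ext2/3/4 attributes that a stock system directory
# should not carry. Assumption: only I (htree-indexed directory) and
# e (extent-mapped) are expected, matching the "normal" output above.
BENIGN='Ie'

# unexpected_flags "<attrs> [path]"
# Prints the attribute letters outside BENIGN; prints nothing if clean.
unexpected_flags() {
    attrs=${1%% *}                           # keep the attribute field only
    printf '%s' "$attrs" | tr -d "${BENIGN}-"
}

# audit_lsattr: reads `lsattr -d` output on stdin, one finding per line.
audit_lsattr() {
    while read -r attrs path; do
        [ -n "$attrs" ] || continue
        extra=$(unexpected_flags "$attrs")
        if [ -n "$extra" ]; then
            printf 'UNEXPECTED %s on %s\n' "$extra" "$path"
        fi
    done
    return 0
}

# Sample input: lines copied from this thread (not live output).
audit_lsattr <<'EOF'
----------I--e- /usr/sbin
suS-iadAc-I-- /usr/sbin
su--ia------- chattr
EOF

# Live use, with lsattr taken from known-good media because local
# tools on a compromised host may themselves be replaced:
#   lsattr -d /bin /sbin /usr/bin /usr/sbin "$(command -v chattr)" | audit_lsattr
```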

Tola
Posts: 11
Joined: 2010/08/17 11:59:04

Re: Install in /usr/sbin errors

Post by Tola » 2012/04/20 08:27:28

Hi, thx for the answer.

Is there any way I can change file attributes in this sbin folder? The problem is that the server is in a remote location and I don't have time to go there right now; if the server were with me I would have reinstalled it and restored asterisk from backup.

Thx.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Install in /usr/sbin errors

Post by pschaff » 2012/04/20 12:00:04

If chattr is killed I know of no other way to change attributes. This server can not be trusted and may well be acting as a vector for attacking others. It should not be on-line.

Tola
Posts: 11
Joined: 2010/08/17 11:59:04

Re: Install in /usr/sbin errors

Post by Tola » 2012/04/23 11:58:03

OK, now I have found what it is:

[code][root@localhost bin]# lsattr -d chattr
su--ia------- chattr
[root@localhost bin]# lsattr -d chattr
su--ia------- chattr
[root@localhost bin]# chattr -i ghattr
Killed
[/code]

So it is because the command chattr is locked.

I need a new chattr file. Does anyone have this file so I can download it and try to change file attributes by running this command?

Please help.

Tola
Posts: 11
Joined: 2010/08/17 11:59:04

Re: Install in /usr/sbin errors

Post by Tola » 2012/04/23 12:56:34

OK, I have some part of this set up.

I installed a new machine only to copy the chattr file to my desktop, rename it and upload it to the infected machine.

After that:
[code][root@localhost usr]# lsattr -d sbin
suS-iadAc-I-- sbin
[root@localhost usr]# chattr -i sbin
Killed
[root@localhost usr]# chattr_my_file -i sbin
[root@localhost usr]# lsattr -d sbin
suS--adAc-I-- sbin
[root@localhost usr]# chattr_my_file -suSadAc sbin
[root@localhost usr]# lsattr -d sbin
----------I-- sbin
[root@localhost usr]# lsattr -d sbin
----------I-- sbin
[/code]

Also, I have renamed the old infected chattr file so it can't be used. In it I have found this e-mail address:
[code]mail -s 'rk attempt to remove' xqw019@gmail.com
[/code]
So this e-mail address is doing something if I try to run the chattr command.

How can I see if this server is acting as a spam dealer or something?

[code]runuser-l:
Unknown Entries:
session closed for user cyrus: 13 Time(s)
session opened for user cyrus by (uid=0): 13 Time(s)

sshd:
Authentication Failures:
root (ocs-golf1.com): 136 Time(s)
unknown (ocs-golf1.com): 11 Time(s)
root (211.147.3.19): 1 Time(s)
Invalid Users:
Unknown Account: 11 Time(s)


pam_succeed_if(sshd:auth): error retrieving information about user ftpsupport : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gastuser : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tempuser : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gasttest : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testusertest : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tect : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user guestftp : 1 time(s)
[/code]

and a bunch of these messages.

I have also successfully installed pptp :D

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Install in /usr/sbin errors

Post by pschaff » 2012/04/23 13:26:39

Once more you should not attempt to use the compromised system. Back up data and user files, do a fresh install, and carefully and selectively restore only necessary files. Trying to recover the infected system can never be guaranteed, and constitutes a serious security risk. The gmail account should be reported to Google as being associated with a rootkit.
