Hi,
I have a bug when trying to install almost everything; if the installation needs to do something in the /usr/sbin folder it gives errors.
SSH
yum install pptp
Running Transaction
Installing : pptp 1/1
Error unpacking rpm package pptp-1.7.2-8.1.el5.rf.x86_64
warning: /etc/ppp/options.pptp created as /etc/ppp/options.pptp.rpmnew
error: unpacking of archive failed on file /usr/sbin/pptp;4f8c7651: cpio: open
Failed:
pptp.x86_64 0:1.7.2-8.1.el5.rf
Complete!
[root@localhost pptp]# rpm -ivh pptp-1.7.1-3.x86_64.rpm
warning: pptp-1.7.1-3.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 862acc42
Preparing... ########################################### [100%]
1:pptp warning: /etc/ppp/options.pptp created as /etc/ppp/options.pptp.rpmnew
########################################### [100%]
error: unpacking of archive failed on file /usr/sbin/pptp;4f8c7804: cpio: open failed - Permission denied
On the folder /usr/sbin, with the command lsattr I get
[root@localhost usr]# lsattr -d /usr/sbin
suS-iadAc-I-- /usr/sbin
[root@localhost usr]#
If I try to run chattr I get
[root@localhost usr]# chattr -R -suSiadAc /usr/sbin
Killed
[root@localhost usr]#
This "Killed" I can't find anywhere.
Did someone have this error?
I have more than one machine; only on this machine do I have this error, and the only difference is that this machine has suS-iadAc-I-- /usr/sbin in its rights and the other machines have nothing of this.
Also, in /usr/sbin I have a file .chattr; on the other machines there is no such file. I cannot delete it or anything.
file chattr
thx
[url=http://www.2shared.com/file/e1qOK3-4/chattr-sbin.html]chattr[/url]
Install in /usr/sbin errors
-
- Retired Moderator
- Posts: 18276
- Joined: 2006/12/13 20:15:34
- Location: Tidewater, Virginia, North America
- Contact:
Install in /usr/sbin errors
If you did not change the attributes of /usr/sbin to be immutable and create the file you may have a serious security issue. Taking the system off-line and checking with chkrootkit or other tools is recommended.
Normal attributes are:
[code]# lsattr -d /usr/sbin
----------I--e- /usr/sbin
[/code]
Try a google on [url=https://www.google.com/search?q=%22%2Fusr%2Fsbin%22+immutable+security+~hacked&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=firefox-a]"/usr/sbin" immutable security ~hacked[/url]. Moving the thread to the Security forum.
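The comparison made in the reply above, between the normal `----------I--e-` and the `suS-iadAc-I--` reported on this machine, can be automated. The following is an added example, not part of any post in this thread; the function names and the `BASELINE` allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. BASELINE is an assumption: the
# letters in the "normal" output quoted above (----------I--e-).
BASELINE='Ie'

# Reads `lsattr -d` lines ("<flags> <path>") on stdin. Prints one line per
# path that carries attributes outside BASELINE, and marks the ones that
# stop even root from writing: i (immutable) or a (append-only).
audit_lsattr() {
    while read -r flags path; do
        [ -n "$path" ] || continue            # skip blank or malformed lines
        extra=$(printf '%s' "$flags" | tr -d "${BASELINE}-")
        if [ -n "$extra" ]; then
            case "$extra" in
                *[ia]*) note=' write-blocking' ;;
                *)      note='' ;;
            esac
            printf '%s unexpected=%s%s\n' "$path" "$extra" "$note"
        fi
    done
    return 0
}

# Constructed sample: the lsattr lines quoted in this thread.
sample_lines() {
    cat <<'EOF'
suS-iadAc-I-- /usr/sbin
----------I--e- /usr/sbin
su--ia------- chattr
EOF
}

sample_lines | audit_lsattr
```

On a real host the input would come from `lsattr -d /usr/sbin`, run with binaries from trusted rescue media, since the tools on a compromised system may themselves have been replaced.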
Re: Install in /usr/sbin errors
Hi, thanks for the answer.
Is there any way I can change the file attributes in this sbin folder? The problem is that the server is in a remote location and I don't have time to go there right now; if the server were with me I would reinstall it and restore Asterisk from backup.
Thx.
-
- Retired Moderator
- Posts: 18276
- Joined: 2006/12/13 20:15:34
- Location: Tidewater, Virginia, North America
- Contact:
Re: Install in /usr/sbin errors
If chattr is killed I know of no other way to change attributes. This server can not be trusted and may well be acting as a vector for attacking others. It should not be on-line.
Re: Install in /usr/sbin errors
OK, now I have found what it is.
[root@localhost bin]# lsattr -d chattr
su--ia------- chattr
[root@localhost bin]# lsattr -d chattr
su--ia------- chattr
[root@localhost bin]# chattr -i ghattr
Killed
So it is because the command chattr is locked.
I need a new chattr file. Does anyone have this file so I can download it and try to change the file attributes by running this command?
Please help.
Re: Install in /usr/sbin errors
OK, I have some part of this set up.
I installed a new machine only to copy the chattr file to my desktop, rename it and upload it to the infected machine.
After that:
[root@localhost usr]# lsattr -d sbin
suS-iadAc-I-- sbin
[root@localhost usr]# chattr -i sbin
Killed
[root@localhost usr]# chattr_my_file -i sbin
[root@localhost usr]# lsattr -d sbin
suS--adAc-I-- sbin
[root@localhost usr]# chattr_my_file -suSadAc sbin
[root@localhost usr]# lsattr -d sbin
----------I-- sbin
[root@localhost usr]# lsattr -d sbin
----------I-- sbin
Also, I have renamed the old infected chattr file so it can't be used. In it I have found this e-mail address:
mail -s 'rk attempt to remove' xqw019@gmail.com
So this e-mail address is doing something if I try to run the chattr command.
How can I see if this server is acting as a spam dealer or something?
runuser-l:
Unknown Entries:
session closed for user cyrus: 13 Time(s)
session opened for user cyrus by (uid=0): 13 Time(s)
sshd:
Authentication Failures:
root (ocs-golf1.com): 136 Time(s)
unknown (ocs-golf1.com): 11 Time(s)
root (211.147.3.19): 1 Time(s)
Invalid Users:
Unknown Account: 11 Time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ftpsupport : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gastuser : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tempuser : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gasttest : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user testusertest : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tect : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user guestftp : 1 time(s)
and a bunch of these messages.
I have also successfully installed pptp :D
-
- Retired Moderator
- Posts: 18276
- Joined: 2006/12/13 20:15:34
- Location: Tidewater, Virginia, North America
- Contact:
Re: Install in /usr/sbin errors
Once more you should not attempt to use the compromised system. Back up data and user files, do a fresh install, and carefully and selectively restore only necessary files. Trying to recover the infected system can never be guaranteed, and constitutes a serious security risk. The gmail account should be reported to Google as being associated with a rootkit.