Bernard, it sounds like your server may have been root-kitted (hacked
into).

I work with compromised servers on a daily basis and am familiar with the
jinks of all these root kits.

boot your server up in single user mode

enter these commands

rpm -qa|sed "s/^/rpm --verify /g" > /root/verify-rpms
chmod +x /root/verify-rpms
/root/verify-rpms > /root/verify-results

wait for this list to complete

if you see files like /bin/ls, /bin/ps, /bin/login, /etc/pam.d/login,
/etc/pam.d/passwd, /etc/rc.d/rc.sysinit, /dev/*, /etc/services,
/usr/bin/find
showing up in this list, then it's very likely you have been hacked into

you can determine which rpm each of these files came from and reinstall
the RPM for them from a secure media (Red Hat 6.2 CDROM) via

rpm -qf /bin/ls #will tell you which rpm it came from
fileutils-4.0-21

rpm -ev --nodeps fileutils #will remove fileutils rpm package
# if you get error saying a file like /bin/ls could not be deleted
# run the command `chattr -ia /bin/ls` or whatever file then remove
# that file by hand `rm -f /bin/ls`

rpm -Uvvh /mnt/cdrom/RedHat/RPMS/fileutils*

and you continue to do this process for all the files


once you have done all this, run
passwd root

and set a new root password and disable all shell accounts via
passwd -l username

then go up to init 3

init 3

then run

netstat -taupen -ww

look for any unusual process listening on funny ports with funny names
etc.

let me know how this goes

Regards,
  Ramiel

> Bernard Mwenda wrote:
> 
> Hi guys,
> 
> I really need help on this one.
> 
> I am using RH. 6.2 on my servers. Suddenly syslogd is not running on
> one of the servers. I have tried uninstalling and installing the rpm with
> no success. When I try looking at the running processes using the 'ps'
> command I get a "segmentation fault (core dumped)" error. I have tried
> increasing the size using "ulimit -c unlimited" but this also does not
> help.
> 
> Anybody come across this problem before? How did you fix it?
> 
> Bernard Mwenda,
> Systems Administrator,
> LCR Telecom (K) Ltd,
> [EMAIL PROTECTED]



_______________________________________________
Redhat-devel-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
