[TriLUG] Server DEAD!

auto668 at hush.com auto668 at hush.com
Thu Aug 28 12:18:18 EDT 2003


Literally.. didn't change anything, noticed the problem stopping iptables,
 rebooted and BAM!  Rootkitted huh? Durn! I kept it up2date, only had
ssh/apache running.  May have to start rebuilding ASAP.

L-

On Thu, 28 Aug 2003 09:10:39 -0700 rasch at raschnet.com wrote:
>On Thu, Aug 28, 2003 at 09:05:07AM -0700, auto668 at hush.com wrote:
>> Serious issue here, I've had a server running for a couple weeks doing
>> some production virtual hosting.  All has been running great, everything
>> was configured and running fine I haven't done ANYTHING other than run
>> up2date periodically.  Well, today I'm about to do a test on the box
>> after installing the Real Media server and here's what happens...
>> 
>> [root at www Helix]# /etc/rc.d/init.d/iptables stop
>> /etc/rc.d/init.d/iptables: line 41: 14950 Done                    /sbin/lsmod 2>/dev/null
>>      14951 Segmentation fault      | grep -q ipchains
>> 
>> [root at www Helix]# /etc/rc.d/init.d/iptables restart
>> /etc/rc.d/init.d/iptables: line 41: 14966 Done                    /sbin/lsmod 2>/dev/null
>>      14967 Segmentation fault      | grep -q ipchains
>> 
>> ****SO I DECIDE, I'M LOST, LET'S just try rebooting for the sake of rebooting**
>> 
>> Now it won't even come back up, I can't copy/paste but here is some of
>> what I'm getting
>> 
>> 45 Segmentation Fault
>>      LC_ALL=C grep -q "Red Hat" /etc/redhat-release  RedHat Linux
>> 
>> Mounting proc filesystem                               [FAILED]
>>     /etc/rc.d/rc.sysinit :  Line 98:   Segmentation Fault   LC_ALL=C grep -q
>> 
>> Continues this for about 3/4 more lines and totally quits after setting
>> hostname.
>> 
>> I literally, haven't done anything other than load the updates using
>> up2date from the command line.  Only had ssh/apache running.
>> 
>> Any ideas would be greatly appreciated as I said this is a production
>> box and one customer has already called since this happened!
>
>Last time I started getting Seg. faults in system programs was when our
>office machine had been "root-kitted" via the samba exploit (why wasn't
>it firewalled!?).  I hope this hasn't happened to you!  I ended up
>re-installing as opposed to playing cleanup, because I kept losing
>ground by touching one of the replaced binaries.  Did you change
>anything prior to this crash?
>
>Best of luck,
>    David
>
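
One way to check for the "replaced binaries" mentioned in the quoted reply on an RPM-based system, as an added example that is not part of the original thread: the function below triages `rpm -Va` output and lists non-config files in binary and library directories whose content digest no longer matches the RPM database. The function names, the mount point in the comment and the sample lines are assumptions constructed for illustration; they are not output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `rpm -Va` output on stdin.
# Verify lines look like:  S.5....T.  c /path   or   missing   /path
# The third character of the attribute string is "5" when the file's
# digest differs from the one recorded in the RPM database.
flag_replaced_binaries() {
    awk '
        # Last field is the path; an optional middle field is the file
        # type marker (c = config file). Paths with spaces are not handled.
        { path = $NF; marker = (NF == 3) ? $2 : "" }
        marker == "c" { next }   # config files are expected to change
        # Only executables and libraries are of interest here.
        path !~ "^/(usr/)?(s?bin|lib(64)?)/" { next }
        $1 == "missing" { print "MISSING " path; next }
        # Attribute string is 8 characters on older rpm, 9 on newer.
        (length($1) == 8 || length($1) == 9) && substr($1, 3, 1) == "5" {
            print "CHANGED " path
        }
    '
}

# Constructed sample of verify output, for demonstration only.
sample_verify_output() {
    cat <<EOF
S.5....T.    /bin/grep
S.5....T.    /sbin/lsmod
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.    /usr/share/doc/foo/README
missing      /bin/netstat
.M.......    /usr/bin/passwd
EOF
}

# Real use, from trusted rescue media with the suspect disk mounted
# (mount point is an assumption):
#   rpm -Va --root /mnt/sysimage | flag_replaced_binaries
sample_verify_output | flag_replaced_binaries
```

Run the verification from trusted boot media rather than on the suspect system itself, since `rpm` and its database can be altered along with the other binaries.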


