  1. #181
    Member
    Join Date
    Sep 2006
    Posts
    9

    Question

    To disable any shell accounts hosted on your server SSH into server and login as root.

    At command prompt type: locate shell.php

    Also check for:

    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts
    When I do this I get this message
    root@vps [/]# locate shell.php
    warning: locate: could not open database: /var/lib/slocate/slocate.db: No such file or directory
    warning: You need to run the 'updatedb' command (as root) to create the database.
    Please have a look at /etc/updatedb.conf to enable the daily cron job.


    What does the updatedb command do? Is it safe? should I do it?
    and should I set this up as a cron job?

    Kind Regards

    Chris
    Last edited by Lammypie; 09-19-2006 at 09:02 AM.

  2. #182
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    updatedb is actually part of the slocate package which superseded locate many years ago. If your OS is RHEv4/CentOSv4 or FedoraCore, then you can usually simply edit /etc/updatedb.conf and set:

    DAILY_UPDATE=yes

    And the cron job in /etc/cron.daily/slocate.cron will run daily to generate the slocate database which is stored in /var/lib/slocate/slocate.db

    Be aware that on servers with slow disks, high IO throughput and/or excessively large numbers of files, the updatedb process can consume significant server resources while it runs.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #183
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    Quote Originally Posted by Lammypie
    What does the updatedb command do? Is it safe? should I do it? and should I set this up as a cron job?
    The updatedb command updates the indexed database for locate. You can run this command periodically to keep the database up to date. After the database is updated, the locate command is speedy. You can set a cronjob to run updatedb every day/week, if you want.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  4. #184
    Member
    Join Date
    Sep 2006
    Posts
    14

    Talking

    Yo Thanks for the tutorial guy I've been looking everywhere for this!!



    I added to pico .bash_profile

    Funny thing is I never get an email... do I have a space where it doesn't belong...?

    Also I get this error when logging into SSH

    -bash: /home/aprice/.bash_profile: line 15: unexpected EOF while looking for matching ``'
    -bash: /home/aprice/.bash_profile: line 17: syntax error: unexpected end of file

    This is what I added...

    echo 'ALERT - Root Shell Access on:'`date``who` | mail -s "Alert: Root Access from 'who | awk'{print $6}'`"
    myemail@mydomain.com

    ANY IDEAS?
    Last edited by nader1; 09-19-2006 at 06:21 PM.

  5. #185
    Member Manuel_accu's Avatar
    Join Date
    Jun 2005
    Posts
    191

    Default

    Quote Originally Posted by AndyReed
    The updatedb command updates the indexed database for locate. You can run this command periodically to keep the database up to date. After the database is updated, the locate command is speedy. You can set a cronjob to run updatedb every day/week, if you want.
    Yes, you are correct, you can configure updatedb to update every day by editing the below-mentioned parameter in update.conf in /etc

    DAILY_UPDATE=yes


    Thanks,
    Linux Web Administrator Guide
    Optimize, secure and performance tunning for Apache || MySQL5.1 Cluster How To
    The visionary conceives the impossible, The missionary makes it possible. ...Gita.

  6. #186
    Member
    Join Date
    Jun 2004
    Location
    03819
    Posts
    37

    Default

    Quote Originally Posted by nader1
    Yo Thanks for the tutorial guy I've been looking everywhere for this!!



    I added to pico .bash_profile

    Funny thing is I never get an email... do I have a space where it doesn't belong...?

    Also I get this error when logging into SSH

    -bash: /home/aprice/.bash_profile: line 15: unexpected EOF while looking for matching ``'
    -bash: /home/aprice/.bash_profile: line 17: syntax error: unexpected end of file

    This is what I added...

    echo 'ALERT - Root Shell Access on:'`date``who` | mail -s "Alert: Root Access from 'who | awk'{print $6}'`"
    myemail@mydomain.com

    ANY IDEAS?
    The long line wrapped in .bash_profile, so it's two separate lines. I had to make my ssh window wider (not necessary, but makes it easier to see where the actual page break is) and then take out the page break from the line (so it was all on one line) then that error went away, and I started receiving emails when I log in as root.

  7. #187
    Member
    Join Date
    Jun 2004
    Location
    03819
    Posts
    37

    Default

    Are the versions of chkrootkit and APF Firewall listed in the beginning of this thread still considered the best choices? I only ask because this thread started 2 years ago.

  8. #188
    Member
    Join Date
    Sep 2006
    Posts
    9

    Cool

    I prefer RKhunter and according to this post by the manager of asmallorange CSF is worth looking at


  9. #189
    Member
    Join Date
    Sep 2006
    Posts
    14

    Default

    ok well I made it all one line but was still getting an error as follows..

    -bash: /home/aprice/.bash_profile: line 15: unexpected EOF while looking for matching ``'

    So I went in and counted the '"` and such and realized that the tutorial has an extra ` in it.

    go figure..

    so it should be ...

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'" your@email.com

    NOT

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

    ***********

    Now the fun part. The errors are gone but I get the following message after the login message.

    You must specify direct recipients with -s, -c, or -b.

    Did we not do this with | mail -s "Alert: Root ?????

    Any comments?
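
    The quoting errors discussed in the posts above can be caught before the next login by parsing the candidate line with `bash -n`, which reads a file without executing it. This is an added example, not code from the thread or the tutorial; the scratch-file names and the `ALERT_TO` variable are assumptions, and the second candidate swaps backticks for `$(...)` so that nesting inside double quotes does not depend on counting backticks.

```shell
#!/bin/bash
# Added example: syntax-check a login-alert line before putting it in .bash_profile.

# Return 0 if FILE parses cleanly as bash. bash -n only parses, nothing is executed.
profile_syntax_ok() {
    bash -n "$1" 2>/dev/null
}

# Write two candidate alert lines to scratch files so the real profile is untouched.
write_candidates() {
    # Constructed from the thread's alert line: the backtick opened inside the
    # subject string is never closed.
    cat > "$1/unclosed" <<'EOF'
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'" your@email.com
EOF
    # Same alert with $(...) substitutions. ALERT_TO is a placeholder (assumption).
    cat > "$1/dollar_paren" <<'EOF'
ALERT_TO="your@email.com"
echo "ALERT - Root Shell Access on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | awk '{print $6}')" "$ALERT_TO"
EOF
}

# Parse both candidates and report one result line per file.
check_candidates() {
    dir=$(mktemp -d) || return 1
    write_candidates "$dir"
    for f in unclosed dollar_paren; do
        if profile_syntax_ok "$dir/$f"; then
            echo "$f: parses"
        else
            echo "$f: syntax error"
        fi
    done
    rm -rf "$dir"
}

check_candidates
```

    Running `bash -n ~/.bash_profile` in the existing root session after an edit gives the same check against the real file while a working shell is still open.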

  10. #190
    Member
    Join Date
    Sep 2006
    Posts
    14

    Default

    Also ran chkrootkit and got the following

    Checking `bindshell'... INFECTED (PORTS: 465)

    What to do gurus? Any tips?

  11. #191
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    That bindshell error is usually fine. Port 465 is used for SMTP over SSL (ssmtp) and bound by exim and chkrootkit picks it up as a false-positive.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
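
    One way to confirm the false positive described above is to check which process actually owns the listener on the flagged port. This is an added example, not part of the original posts or of chkrootkit; the function names are hypothetical and the sample `netstat -tlnp` lines are constructed.

```shell
#!/bin/sh
# Added example: attribute a listening port to its owning process before
# treating a chkrootkit "bindshell" hit as real or as a false positive.

# Constructed sample in `netstat -tlnp` layout (PIDs and addresses are made up).
SAMPLE_EXIM='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1810/sshd
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 2143/exim
tcp 0 0 :::465 :::* LISTEN 2143/exim'

# Constructed sample where something other than the mail daemon holds the port.
SAMPLE_OTHER='tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 4021/perl'

# Read netstat -tlnp text on stdin; print the program name of each listener on PORT.
listener_for_port() {
    awk -v p=":$1" '
        $6 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            n = split($7, a, "/")
            print (n == 2 && a[2] != "" ? a[2] : "unknown")
        }'
}

# Compare the owner(s) of PORT with the daemon expected to hold it.
classify_bindshell_hit() {
    owners=$(listener_for_port "$1" | sort -u | tr '\n' ',' | sed 's/,$//')
    if [ -z "$owners" ]; then
        echo "no-listener"
    elif [ "$owners" = "$2" ]; then
        echo "expected:$owners"
    else
        echo "investigate:$owners"
    fi
}

# Live use, as root so program names are shown: netstat -tlnp | classify_bindshell_hit 465 exim
printf '%s\n' "$SAMPLE_EXIM" | classify_bindshell_hit 465 exim
printf '%s\n' "$SAMPLE_OTHER" | classify_bindshell_hit 465 exim
```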

  12. #192
    Member
    Join Date
    Sep 2006
    Posts
    9

    Red face

    Thank you, you've all been very helpful.

  13. #193
    Member
    Join Date
    Sep 2006
    Posts
    14

    Default

    Thank you!

  14. #194
    Member kigoobe's Avatar
    Join Date
    Sep 2006
    Posts
    17

    Default

    Quote Originally Posted by 000000000
    At command prompt type: cd chkrootkit-0.44

    At command prompt type: make sense


    To run chkrootkit

    At command prompt type: /root/chkrootkit-0.44/chkrootkit
    Today when I downloaded chkrootkit, the version was changed to 0.46a. So, please check which version you are downloading before asking for the file, or you will get a file not found error.

    000000000, what a great and helpful article ... the hackers must be extremely frustrated ...

    Edit: Also, for the current APF (apf-0.9.6-1) USE_DS is found almost at the extreme bottom, one needs to scroll down a lot. I found some other people were also speaking about this problem (not finding).

    The flashing every 5 minutes problem relates to the extreme top of the page, DEVEL_MODE should be 0, not 1, some people were speaking about this problem (Probably it was called as DEVM as I couldn't find anything like DEVM)

    Also, #123 didn't work, I had to replace that by 123

    Cheers.
    Last edited by kigoobe; 09-29-2006 at 10:11 PM.

  15. #195
    Member
    Join Date
    Aug 2006
    Posts
    5

    Default What does Wheel Users do?

    Hi, I had shared hosting before through Dreamhost and I'm very new to server admin. This post was a godsend to me. I have a few questions about what I read.

    I saw the part about removing the wheel user. What does the wheel user do? I saw a lot of users related to mail and the like, I don't want to break my server.

    What does enabling the redirect to a secure port for webmail do? Will that require a secure cert for every domain, or will it use the main server ssl cert? Will users then get a domain mismatch message?

    I would like for whm to always be on a secure port. Do I need to buy an ssl cert, or is a self-signed cert enough?

    Thank you!
