RootKit Problem

Discussion in 'General Discussion' started by Etheral, Jun 25, 2004.

  1. Etheral

    Etheral Well-Known Member

    I was scanning my server with RKhunter... it found this:


    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
    /bin/egrep [ BAD ]
    /usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking
    /bin/fgrep [ BAD ]
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /bin/grep [ BAD ]

    How do I fix that?
     
  2. Etheral

    Etheral Well-Known Member

    MD5
    MD5 compared: 80
    Incorrect MD5 checksums: 3

    is the total output. I don't think checksums can be hacks, though. So are you sure about the hack?
     
  3. chirpy

    chirpy Well-Known Member

    Might not be a hacking issue - Are you running Fedora by any chance?
     
  4. Etheral

    Etheral Well-Known Member

    Fedora Core 2
     
  5. Etheral

    Etheral Well-Known Member

    Hehe, wasn't a hacker issue, I've fixed it. Wasn't a big deal.
     
  6. chirpy

    chirpy Well-Known Member

    Did you remove prelink from CRON and reboot, by any chance ;)
     
    #6 chirpy, Jun 26, 2004
    Last edited: Jan 23, 2005
  7. Etheral

    Etheral Well-Known Member

    :D
     
  8. dalem

    dalem Well-Known Member
    Well, what was the fix? Don't keep us in the dark.
     
  9. chirpy

    chirpy Well-Known Member

    I already said what the fix was:
     
  10. dalem

    dalem Well-Known Member
    You did not answer, just smiled :D

    Thanks, but not my problem.
     
    #10 dalem, Sep 3, 2004
    Last edited: Sep 3, 2004
  11. abusedreality

    abusedreality Well-Known Member

    What prefer are you referring to?

    I get that error when running....

    /usr/local/bin/rkhunter -c --cronjob
     
  12. chirpy

    chirpy Well-Known Member

    The information is already in my post. You need to find the prelink cron job (IIRC, it's in /etc/cron.daily) then delete it and reboot your server.
     
    #12 chirpy, Oct 17, 2004
    Last edited: Jan 23, 2005
  13. ctbhost

    ctbhost Well-Known Member

    I have the same problem.

    I may be thick, but what do you mean by

    I have gone to /etc/cron.daily - what am I looking for and what do I need to do?

    There is a file called prelink. Do I remove this file?
     
  14. chirpy

    chirpy Well-Known Member

    Yes, my post should have said "prelink", I'll correct it.
     
  15. eglwolf

    eglwolf Well-Known Member

    Jonathon, I have done this and I still get this when I run rootkit:

    /usr/sbin/prelink: /lib/tls/libc-2.3.3.so has dependency cycle
    /usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
    Line:
    [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.3.so has dependency cycle
    /usr/sbin/prelink: /bin/chmod: at least one of file's dependencies has changed since prelinking
    Line: [ BAD ]
    [ BAD ]
    /usr/sbin/prelink: /lib/tls/libc-2.3.3.so has dependency cycle
    /usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking
    Line: [ BAD ]
    [ BAD ]

    So now what?
     
  16. chirpy

    chirpy Well-Known Member

    Run:

    prelink -u -a
     
  17. eglwolf

    eglwolf Well-Known Member

    This is what I got:


    Code:
    root@[~]# prelink -u -a
    prelink: /lib/tls/libc-2.3.3.so has dependency cycle
    prelink: /usr/local/lib/libgmp.so.3.3.3 is not present in any config file directories, nor was specified on command line
    prelink: /usr/local/lib/libltdl.so.3.1.0 is not present in any config file directories, nor was specified on command line
    prelink: /usr/local/lib/libMagick.so.6.2.2 is not present in any config file directories, nor was specified on command line
    root@[~]#
    
    
    
     
  18. chirpy

    chirpy Well-Known Member

    That's OK. Did you rerun rkhunter?
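
Added example, not part of the thread and not code from rkhunter or any poster: a triage of rkhunter output that separates `[ BAD ]` hash results preceded by a prelink "dependencies has changed" warning (the false-positive pattern discussed above) from results with no such warning. The function names `triage_rkhunter` and `sample_output` are hypothetical, and the `/bin/ls` and `/bin/ps` sample lines are constructed; the other sample lines follow the output quoted in the first post.

```shell
#!/bin/sh
# Added example: explain rkhunter "[ BAD ]" results using prelink warnings.

# Reads rkhunter output on stdin. For every "<path> [ BAD ]" result prints
# "<path><TAB><verdict>", where the verdict is:
#   prelink-stale  a prelink "dependencies has changed" warning for the
#                  same path appeared earlier in the output
#   unexplained    no such warning; the hash mismatch has no benign cause here
triage_rkhunter() {
    awk '
        # Warning form: "/usr/sbin/prelink: <path>: at least one of ..."
        /prelink: .*: at least one of file.s dependencies has changed since prelinking/ {
            split($0, f, ": ")
            stale[f[2]] = 1
            next
        }
        /\[ BAD \]/ {
            path = $1
            if (path !~ /^\//) next      # result line that lost its path
            verdict = (path in stale) ? "prelink-stale" : "unexplained"
            printf "%s\t%s\n", path, verdict
        }
    '
}

# Sample input: grep/egrep lines as quoted in the thread, /bin/ls and
# /bin/ps lines constructed for this example.
sample_output() {
    cat <<'EOF'
/usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
/bin/grep [ BAD ]
/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/bin/egrep [ BAD ]
/bin/ls [ BAD ]
/bin/ps [ OK ]
EOF
}

sample_output | triage_rkhunter
```

A `prelink-stale` verdict only explains why the hash differs; it is cleared by rerunning rkhunter after `prelink -u -a`, as in the thread. Any `unexplained` entry should be checked independently, for example with `rpm -Vf <path>` on an RPM-based system such as Fedora.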
     