ifconfig, top have disappeared; networking doesn't work anymore.


Post by David Li » Fri, 02 Mar 2001 05:09:41



Hi,

I have my redhat 6 box connected to the internet via a cable modem. A
strange thing has happened. Both the programs ifconfig and top have
disappeared. Is there any way that I can trace where they have disappeared
to? Has this been the work of a hacker? How can I find out?

I think a related issue is that my bootup gets to "Starting NFS lockd" and
then just hangs for a while. Then it times out and goes into the normal
bootup. When it actually boots up, I have no network access to the lan or
the internet.

Thanks in advance.

 
 
 


Post by Silviu Minu » Mon, 05 Mar 2001 13:13:59


It's not necessarily the work of a hacker, because if he hacked you he
wouldn't want to cut your access from the internet, otherwise the hack would
be useless.

However, there is a well known and well documented nfs exploit on RH6.0 and
RH6.2. Back in September my file server was broken into using exactly that
exploit. Do a google search on statdx and Linux and you'll see.

Also, locally, do a

find / -name 'statd*' -print

The name might be different, so you might not find anything. As for ifconfig,
do

which ifconfig   or
locate ifconfig

It should be in /sbin. If it isn't, re-install net-tools from the cd. You may
also want to re-install procps (which contains ps).
If you were indeed broken into, he might have replaced the vital programs
with trojaned versions.

Incidentally, if you only have a single PC, connected to the internet, you
shouldn't need nfsd.

/etc/rc.d/init.d/nfsd status

If it's running,

/etc/rc.d/init.d/nfsd stop

And finally, if you were indeed broken into, save your data, reformat
everything and re-install.


> Hi,

> I have my redhat 6 box connected to the internet via a cable modem. A
> strange thing has happened. Both the programs ifconfig and top have
> disappeared. Is there any way that I can trace where they have disappeared
> to? Has this been the work of a hacker? How can I find out?

> I think a related issue is that my bootup gets to "Starting NFS lockd" and
> then just hangs for a while. Then it times out and goes into the normal
> bootup. When it actually boots up, I have no network access to the lan or
> the internet.

> Thanks in advance.


 
 
 


Post by Gregg Morri » Thu, 08 Mar 2001 21:07:11



> It's not necessarily the work of a hacker, because if he hacked you he
> wouldn't want to cut your access from the internet, otherwise the hack would
> be useless.

> Incidentally, if you only have a single PC, connected to the internet, you
> shouldn't need nfsd.

> /etc/rc.d/init.d/nfsd status

> If it's running,

> /etc/rc.d/init.d/nfsd stop

After that, don't forget:
$ chkconfig --level 345 nfsd off

Or you will find it running again the next time you reboot. :-)

Regards,
Gregg

--

SDF Public Access UNIX System - http://sdf.lonestar.org

 
 
 


Post by Michael Erskin » Fri, 09 Mar 2001 12:59:18


Not wishing to alarm you but files do not disappear (mostly) and two
such important files really do not disappear at the same time without
raising great flags of suspicion.

If the box reboots and runs on the net... you have *someone's* version
of ifconfig somewhere on your system.  If it ain't where you left it
that is not at all good.

Since this is cols and not "what might be wrong with my drive" my
inclination is to tell you the box is suspicious UNTIL you PROVE to
yourself that it isn't.

Look for:
        1) New stuff in /dev
                if you find something with a file length vice
                major and minor device numbers check it out.
        2) Find the ifconfig program your system is using at
        boot time.  Check it out carefully.
        3) Run strings on login.
        4) Scan the open ports from another system... are there
        things there that you didn't put there?

This kind of unusual system loss of a file is *most* often indicative
of cracker activity but there are other causes.

Check your system well and disregard those who might try to cajole
you into believing all is right with the net...  IT AINT.

-m-


> Hi,

> I have my redhat 6 box connected to the internet via a cable modem. A
> strange thing has happened. Both the programs ifconfig and top have
> disappeared. Is there any way that I can trace where they have disappeared
> to? Has this been the work of a hacker? How can I find out?

> I think a related issue is that my bootup gets to "Starting NFS lockd" and
> then just hangs for a while. Then it times out and goes into the normal
> bootup. When it actually boots up, I have no network access to the lan or
> the internet.

> Thanks in advance.
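
Checks 1 and 2 from the list above, together with the package check implied by the earlier re-install advice, as an added shell example that is not part of any post in this thread. The function names are hypothetical, and the script assumes an RPM-based system and tools run from trusted media (for example a rescue CD), since trojaned utilities on the suspect host can hide files.

```shell
#!/bin/sh
# Added example: triage helpers for a host suspected of compromise.
# Function names are illustrative, not from the thread.

# Check 1: regular files under a device directory. Device nodes carry
# major/minor numbers instead of a length, so plain files stand out.
# MAKEDEV is skipped because older distributions ship it as a script
# in /dev. -xdev keeps the scan off filesystems mounted below the dir.
dev_regular_files() {
    dir=${1:-/dev}
    find "$dir" -xdev -type f ! -name MAKEDEV -print 2>/dev/null | sort
}

# Check 2: every owner-executable file with the given name under the
# given roots, so a copy outside /sbin (or a missing one) is visible.
find_binary_copies() {
    name=$1; shift
    find "$@" -type f -name "$name" -perm -100 -print 2>/dev/null | sort
}

# Package check: rpm -V compares installed files with the RPM database
# (size, digest, mode, owner, mtime). The database is on the same disk,
# so a mismatch is strong evidence but a clean result is not proof.
verify_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -V "$@"
}

# Run the whole triage only when asked to: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "== regular files in /dev =="
    dev_regular_files /dev
    echo "== copies of ifconfig and top =="
    find_binary_copies ifconfig /
    find_binary_copies top /
    echo "== rpm verification of net-tools and procps =="
    verify_packages net-tools procps
fi
```

Any path printed by the first check, or a copy of `ifconfig` outside `/sbin`, is a file to examine before trusting the system again.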

 
 
 
