Forum OpenACS Q&A: Security Issue - Can't ls as nsadmin or other non-root user

This is not a problem with the OACS installation itself.

I installed OACS on a remote server (RH7.2 + OACS4.5 Beta + PGSQL7.1).

Everything worked well in the beginning. I installed openssl and used
ssh to work remotely (in plain-text mode for the password, without a
certificate).

After I installed svscan (for automatic restart), something weird
happened. I can't ls as nsadmin or as any other non-root user.

Last week I tried to set up qmail, which didn't work. Something
happened after that. Before qmail, I could run
"exec htmldoc"
in the shell without any problem. I can still do it now, but after it
executes, the nsadmin shell exits and I am back in the previous user's
shell. That child process just died.

This is so weird. Did I set up svscan wrong (I followed the
instructions)? If I don't use svscan after setup, do I need to do
something to get rid of this? Or is my remote box compromised?
Any ideas?

Thanks,

Jay

This sounds like it could have been compromised. Upload a copy of sash (stand alone shell) and "su nsadmin -lc /tmp/sash".

Use the "-ls" command from sash (use "help" to see all the commands) and see what you find out.

Sash is a statically linked shell, which is nice in minimal environments.

When I did a search on Google, I found this trojan, LVK4 (http://www.hut.fi/~jjkleimo/kurssit/tik110452/examples_rootkit.html). It looks like my box has the same behavior as one with LVK4 installed. I did a /sbin/ifconfig and got the following result:

[root@server1 bin]# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:90:27:43:87:D7
          inet addr:10.10.10.19  Bcast:10.10.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:67632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58572 errors:0 dropped:0 overruns:0 carrier:1
          collisions:4651 txqueuelen:100
          Interrupt:10 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

I did a netstat and got the following:

netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20 10.10.10.19:ssh         1xx.41.128.54:779       ESTABLISHED
tcp        0      0 10.10.10.19:ssh         1xx.41.128.54:709       ESTABLISHED
tcp        0      0 10.10.10.19:22316       minotor.spale.com:ircd  ESTABLISHED

The first two ssh connections are established by me. But where does this ircd connection come from? Has anyone had this kind of problem before?

After I got the advice from David (thanks, David, that was pretty quick; I was still debugging my box when your answer came up), I downloaded sash and tar xvzf'd it onto my box. After "make install", I tried "su nsadmin -lc sash" in the sash folder. I was prompted with "Stand-alone shell (version 3.4) >". Then I tried several commands and got the following:

> ls
ls: Permission denied
> ps awux | grep nsd
sh: /bin/ps: Permission denied
> ls /lib
ls: Permission denied
> locate libshow
locate: Permission denied

Then I came across this article: http://online.securityfocus.com/archive/75/249597. I checked the system following its instructions. I didn't find libshow.so on my box. These are the ports open on my box:

The following ports are allowed incoming; all ports are allowed outgoing:

    TCP/5190    AOL Browser
    TCP/8000    AOL Server
    TCP/53        DNS
    TCP/21        FTP
    TCP/80        HTTP
    TCP/443      HTTPS
    TCP/8443
    TCP/110        POP3
    TCP/25        SMTP
    TCP/22        SSH
    TCP/23        TELNET
 
    UDP/53
    UDP/22

I did use ws_ftp to upload my files from a Windows box to this server. I guess that's where my password was sniffed. Any idea?

Jay

Make sure you use the leading dash to call the ls command that is built into sash: "-ls".

Looks like you'll have to reinstall though.

-ls works.

What does this indicate? Does it mean my box not compromised? Any additional measures I need to do?

No. All it means is that you can list files using sash.

If you don't know who is connecting to irc from your machine you need to find that out or just assume you have been compromised.
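
An added helper for the step David describes here (this is example code written for this page, not code from the thread, from sash, or from chkrootkit): given a pasted netstat listing like Jay's, flag established connections to IRC-style ports and connections whose peer is not one of your own admin hosts. The SAMPLE_NETSTAT text is constructed from the listing posted above; the admin host passed as an argument is an assumption. Note that a trojaned netstat can hide the very connection you are looking for, so on a box you suspect, feed this script output from a statically linked netstat or from a rescue boot, not from the system binary.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts):
# triage a pasted "netstat" listing for connections that should not be there.
# SAMPLE_NETSTAT is constructed from the listing Jay posted above; the
# allow-listed admin host is an assumption supplied by the caller.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20 10.10.10.19:ssh         1xx.41.128.54:779       ESTABLISHED
tcp        0      0 10.10.10.19:ssh         1xx.41.128.54:709       ESTABLISHED
tcp        0      0 10.10.10.19:22316       minotor.spale.com:ircd  ESTABLISHED'

# triage_netstat [ADMIN_HOST ...]
# Reads netstat output on stdin and prints "REASON LOCAL FOREIGN" for each
# tcp/udp line whose foreign port is an IRC service (ircd, 6667-6669) or
# whose foreign host is not one of the ADMIN_HOST arguments. Header lines
# ("Active ...", "Proto ...") do not start with a protocol name, so they
# are skipped.
triage_netstat() {
    admins="$*"
    while read -r proto recvq sendq local foreign state; do
        case "$proto" in
            tcp|udp) ;;
            *) continue ;;
        esac
        fhost=${foreign%:*}     # everything before the last colon
        fport=${foreign##*:}    # service name or number after it
        case "$fport" in
            ircd|6667|6668|6669)
                echo "IRC $local $foreign"
                continue
                ;;
        esac
        known=0
        for a in $admins; do
            if [ "$fhost" = "$a" ]; then
                known=1
            fi
        done
        if [ "$known" -eq 0 ]; then
            echo "UNKNOWN-PEER $local $foreign"
        fi
    done
}

# Usage: "sh triage.sh --demo" runs the sample; for a real box, pipe the
# output of a trusted netstat into triage_netstat with your admin hosts.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | triage_netstat 1xx.41.128.54
fi
```

Run against the sample with the ssh client's address as the only admin host, the two ssh sessions are accepted and the single line printed is the connection to minotor.spale.com:ircd, which is exactly the one nobody on the box can account for. Run with no admin hosts, every peer is reported, which is the safer default when you do not know who should be connected.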

My box was compromised. I downloaded chkrootkit from http://www.chkrootkit.org and it found the box compromised. I will rebuild it.
Thanks for help.

Jay