Forum OpenACS Q&A: Security Issue - Can't ls as nsadmin or other non-root user
I installed OACS on a remote server (RH7.2 + OACS4.5 Beta + PGSQL7.1).
Everything worked well in the beginning. I installed openssl and use
ssh to work remotely (in plain text mode for password, w/o a
After I installed svscan (for automatic restart), some weird thing
happened. I can't ls as nsadmin or other non-root users.
Last week I tried to set up qmail, which didn't work. Something
happened after that. Before qmail, I could
in the shell without any problem. Now I still can do it. But after
executing, the nsadmin shell exited. I was back to the previous user
shell mode. That child process just died.
This is so weird. Did I set the svscan settings wrong (I followed the
instructions)? In case I didn't use svscan after setup, do I need to
do something to get rid of this? Or is my remote box compromised?
Use the "-ls" command from sash (use "help" to see all the commands) and see what you find out.
Sash is a statically linked shell which is nice in minimal environments.
    [root@server1 bin]# /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:90:27:43:87:D7
              inet addr:10.10.10.19  Bcast:10.10.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:67632 errors:0 dropped:0 overruns:0 frame:0
              TX packets:58572 errors:0 dropped:0 overruns:0 carrier:1
              collisions:4651 txqueuelen:100
              Interrupt:10 Base address:0xa000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:33 errors:0 dropped:0 overruns:0 frame:0
              TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0

I did a netstat and got the following:

    netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0     20 10.10.10.19:ssh         1xx.41.128.54:779       ESTABLISHED
    tcp        0      0 10.10.10.19:ssh         1xx.41.128.54:709       ESTABLISHED
    tcp        0      0 10.10.10.19:22316       minotor.spale.com:ircd  ESTABLISHED

The first two ssh connections are established by me. But where does this ircd come from? Has anyone had this kind of problem before?

After I got the advice from David (Thanks, David. That's pretty quick. I was still debugging my box when your answer came up.), I downloaded sash and tar xvzf'd it onto my box. After "make install", I tried "su nsadmin -lc sash" in the sash folder. I was prompted with "Stand-alone shell (version 3.4) >". Then I tried several commands and got the following info:

    > ls
    ls: Permission denied
    > ps awux | grep nsd
    sh: /bin/ps: Permission denied
    > ls /lib
    ls: Permission denied
    > locate libshow
    locate: Permission denied

Then I came across this article: http://online.securityfocus.com/archive/75/249597. I did check the system, following the instructions. I didn't find libshow.so on my box. The following are the ports open on my box:

The following ports are allowed incoming; all ports are allowed outgoing:

    TCP/5190  AOL Browser
    TCP/8000  AOL Server
    TCP/53    DNS
    TCP/21    FTP
    TCP/80    HTTP
    TCP/443   HTTPS
    TCP/8443
    TCP/110   POP3
    TCP/25    SMTP
    TCP/22    SSH
    TCP/23    TELNET
    UDP/53
    UDP/22

I did use ws_ftp to upload my files from a Windows box to this server. I guess that's where my password was sniffed. Any ideas? Jay
Looks like you'll have to reinstall though.
What does this indicate? Does it mean my box is not compromised? Are there any additional measures I need to take?
If you don't know who is connecting to irc from your machine you need to find that out or just assume you have been compromised.
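The answer above asks for the one thing that decides the question: find out what owns the ircd connection, and do it with tools you can trust. The script below is an added example and is not from the thread or from any of the posters; it bundles the three checks the posts circle around (unexplained established connections, core binaries that a normal user cannot execute, and a shared-library preload that would make the box's own dynamically linked ls/ps/netstat lie). It assumes the `netstat -tn` column layout (Proto Recv-Q Send-Q Local Foreign State), a POSIX awk, and that it is run as root; the netstat sample and the addresses in it are constructed, not the ones from the post.

```shell
#!/bin/sh
# Added triage example, not code from the thread. Assumes `netstat -tn` column
# layout (Proto Recv-Q Send-Q Local Foreign State), a POSIX awk, and root.

# Constructed sample modelled on the netstat output in the post; addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20 10.10.10.19:22          192.0.2.54:779          ESTABLISHED
tcp        0      0 10.10.10.19:22          192.0.2.54:709          ESTABLISHED
tcp        0      0 10.10.10.19:22316       198.51.100.7:6667       ESTABLISHED'

# Peers you know you are connected from (space separated). Everything else is suspect.
KNOWN_PEERS='192.0.2.54'

# unexpected_connections KNOWN: read `netstat -tn` output on stdin and print
# "proto local foreign" for every ESTABLISHED connection whose peer is not in KNOWN.
unexpected_connections() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 ~ /^(tcp|udp)/ && $NF == "ESTABLISHED" {
            split($5, f, ":")          # foreign address is host:port
            if (!(f[1] in ok)) print $1, $4, $5
        }'
}

# unreadable_for_users: read `ls -l` output on stdin and print every regular file
# that the "other" class cannot execute. /bin/ls or /bin/ps showing up here is what
# "Permission denied" for nsadmin looks like: the binary or its mode was changed.
unreadable_for_users() {
    awk '$1 ~ /^-/ && substr($1, 10, 1) != "x" { print $NF }'
}

# preload_hijack [FILE]: return 1 (and print the entries) if a shared-library preload
# is configured via FILE (default /etc/ld.so.preload) or LD_PRELOAD. A preloaded
# library can hide files, processes and sockets from dynamically linked ls, ps and
# netstat, which is why a static binary such as sash sees more than the system tools.
preload_hijack() {
    f="${1:-/etc/ld.so.preload}"
    if [ -s "$f" ]; then
        echo "preload entries in $f:"
        cat "$f"
        return 1
    fi
    if [ -n "${LD_PRELOAD:-}" ]; then
        echo "LD_PRELOAD set: $LD_PRELOAD"
        return 1
    fi
    return 0
}

# Demo on the constructed sample. On the real box replace the first line with
#   netstat -tn | unexpected_connections "$KNOWN_PEERS"
# and follow up with `netstat -tnp` or `fuser -n tcp 22316` to find the owning process.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_connections "$KNOWN_PEERS"
ls -l /bin/ls /bin/ps /bin/netstat 2>/dev/null | unreadable_for_users
preload_hijack || echo "shared-library preload present: do not trust this box's own tools"
```

Run it from a statically linked shell or, better, from rescue media with the suspect disk mounted: if a preload is in place, the `ls`, `ps` and `netstat` on the box are exactly the tools that cannot be believed, and a connection to an IRC port from a process nobody on the box started is the classic sign of a bot left behind after a password was picked up in the clear.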
Thanks for help.