Forum OpenACS Q&A: Security Issue - Can't ls as nsadmin or other none root user

This is not a problem for OACS installation itself.

I installed OACS on a remote server (RH7.2 + OACS4.5 Beta + PGSQL7.1).

Everything worked well in the beginning. I installed openssl and use
ssh to work remotely (in plain text mode for password, w/o a

After I installed svscan (for automatic restart), some weird thing
happened. I can't ls as nsadmin or other none-root users.

Last week I tried to set up qmail, which didn't work. Something
happened after that. Before qmail, I can
"exec htmldoc"
in the shell without any problem. Now I still can do it. But after
executing, the nsadmin shell exited. I was back to the previous user
shell mode. That child process just died.

This is so weird. Does I set svscan setting wrong ( I followed the
instruction)? In case I didn't use Svscan after setup, do I need to
do something to get rid of this? Or is my remote box compromised?
Any ideas?



This sounds like it could have been compromised. Upload a copy of sash (stand alone shell) and "su nsadmin -lc /tmp/sash".

Use the "-ls" command from sash (use "help" to see all the commands) and see what you find out.

Sash is a statically linked shell which is nice in minimal environments.
When I did a seach in google, I found this trojan LVK4 ( Looks like my box has the same behavior as LVK4 installed. I did a /sbin/ifconfig and got the following result:
[root@server1 bin]# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:90:27:43:87:D7
          inet addr:  Bcast:  Mask:
          RX packets:67632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58572 errors:0 dropped:0 overruns:0 carrier:1
          collisions:4651 txqueuelen:100
          Interrupt:10 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
I did a netstat and got the following:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20         1xx.41.128.54:779       ESTABLISHED
tcp        0      0         1xx.41.128.54:709       ESTABLISHED
tcp        0      0  ESTABLISHED
First two ssh are established by me. But where does this ircd come from? Anyone has this kind of problem before? After I got the advice from David (Thanks. David. That's pretty quick. I was still debuging my box when your answer came up.) , I downloaded the sash and tar xvzf into my box. After "make install", I tried "su nsadmin -lc sash" in the sash folder. I was prompted with "Stand-alone shell (version 3.4) >". Then I tried several command and got the following info:
> ls
ls: Permission denied
> ps awux | grep nsd
sh: /bin/ps: Permission denied
> ls /lib
ls: Permission denied
> locate libshow
locate: Permission denied
Then I came across with this article I did check the system, following the instruction. I didn't find on my box. The following are ports open in my box:
The following ports are allowed incoming all ports are allowed outgoing:

    TCP/5190    AOL Browser
    TCP/8000    AOL Server
    TCP/53        DNS
    TCP/21        FTP
    TCP/80        HTTP
    TCP/443      HTTPS
    TCP/110        POP3
    TCP/25        SMTP
    TCP/22        SSH
    TCP/23        TELNET
I did use ws_ftp to upload my file from windows box to this server. I guess that's where my password was sniffed. Any idea? Jay
make sure you use the leading dash to call the ls command that is inside sash. "-ls"

Looks like you'll have to reinstall though.
-ls works,

What does this indicate? Does it mean my box not compromised? Any additional measures I need to do?

No. All it means is that you can list files using sash.

If you don't know who is connecting to irc from your machine you need to find that out or just assume you have been compromised.
My box was compromised. I download the chkrootkit at and find it compromised. I will rebuild it.
Thanks for help.