That's odd.... I can create folders just fine, i.e. mkdir 1 works.
You are root, so you have permissions, it's not nfs mounted folder, no aliases.... hmmm...
can you create normal folder like "mkdir test1" ? What is the status of "echo $?" after it fails ? Can you use "mkdir -p /path/to/1" ?
Does anybody have a copy of the 'mount' binary which was on these systems? Even a copy from backup is fine. I honestly suspect a rootkit being involved in this issue as I have seen it before. Looks like a number of binaries are involved, mount being one of them (due to how early it is called during bootup).
If you do have a copy from these systems, I would recommend you examine the impacted system's from another good kernel and then look for the binaries. You should find the 'mount' binary, another mount binary with what looks like a hash string appended to the end of the name, and then another empty mount file with another hash appended to the name. This seems to be the indicator that the system truly is infected.
Please post the binary to this forum, or PM me if you can supply me with a copy for analysis. I am interested to know if this is the same exact MD5 hash I found or not. Would really like to identify this particular rootkit and get some signatures out there so other people can find it easier.
We're having this problem as well, also on RHEL4. Does anyone have an idea of how their machines were compromised initially? We don't want to open up the same vulnerability again. I've attached the three /bin/mount* files we found on the compromised machine. There were other similarly compromised binaries as well, such as touch, basename and cat.
-Tom
Moderator's note: I have just approved the attachment so it should now be available for downloading. Download it with caution! It is suspected of being malware. --- Perderabo
Our system are compromised with this rootkit. We followed the recommendation from Hookups and found the mount binary with what looks like a hash string appended to the end. We could not find any infor about this on the internet. If you have any additional information regarding this root kit please let us know. Your help is greatly appreciated.
The posted binary is not the exact same as md5sums do not match. However, the file size is spot on. Also the same characteristics. Namely, the binary looks to be broken, but still loadable by the linux kernel:
---
[badfile@host badfiles]$ readelf -a ./mount
ELF Header:
Magic: 7f 45 4c 46 00 00 00 00 00 00 00 00 00 00 00 00
Class: none
Data: none
Version: 0
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x1df26054
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x1df26000 0x1df26000 0x8453f 0x13e000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
[badfile@host badfiles]$ objdump -d ./mount
objdump: ./mount: File format not recognized
[badfile@host badfiles]$ file ./mount
mount: ELF invalid class invalid byte order (SYSV)
---
strace as unprivileged user show one system call to 'sysinfo()' with the argument of '0'. It returns an error:
Hi,
Did anyone find the solution for this issue, I am too facing the same on my 3 servers at a time. Very strange issue. And along with that javascript insertion on all websites on those servers. Kindly respond if anyone has the solution for it or anyway to stop this from happening after new install....
