loading default keymap failed

[dishawjp]

Hi All,

I was on my RH 6.2 box in text mode earlier today.  I had just finished FTP'ing to and downloading some work files from my employer-provided network drive.  I quit FTP and did a "ls" of the directory I had downloaded the files to and got a "segmentation fault (core dumped)" error message.

I got the same message even after doing a "su - root"  I tried a reboot, but it hung and I had to power down before the file systems finished unmounting.  Rebooting, among other things, I got a "loading default key map failed" error.  The computer would boot and I could login as either myself or as root. But any time I tried the "ls" command I got another "segmentation fault (core dumped)" message. What is weird though is that if I use the "dir" command, I get a directory listing with no error message.  Also, using the "rm" command gives the same error message and core dump.  Every time I reboot, I get the "loading default key map failed" error.

Also, the "ps" command showed a "zombie process" that when I tried to "kill" it said "no such PID" but the process did quit.

Any thoughts?  This is an old computer and will be replaced soon, but there is data on it I would like to keep although everything important is backed up (for a change).  I tried a reinstall (update) with the RH CD and it hung hard.  I could probably do a text mode reinstall, but would lose a lot of time restoring lost data and reconfiguring.

TIA for any help.

Jim

[Stryker]

smells like my experiences with a trojan, someone tried to give me one. they succeeded, and i was getting similar problems. I had to reinstall, hopefully yours won't be so bad. (if you can't reinstall i'm sure reinstalling some rpms will do it just fine... after you get rid of the problem).

[voidmain]

Have you run a fsck on the drive lately? Maybe the drive is going bad and one of the key libraries has a problem. I also have a machine with RedHat 6.2. I just looked at the startup scripts that load the default keymap and the command used is "loadkeys".

The common shared libraries for all of those commands (including "dir") are libc.so.6 and ld-linux.so.2. You might verify the glibc and fileutils packages by running:

# rpm -V glibc
# rpm -V fileutils

This will tell you if there are any inconsistencies with the associated files from install time (if you have a trojan file this will tell the tale). Also do a "which ls" which on my system is an alias for "ls --color" for "/bin/ls". The "/bin/ls" file is dated Mar 7 2000 and is 43024 bytes from the fileutils-4.0-21 package. Since your "ls" does not appear to work you can do a "dir -l /bin/ls" to check the size/date. Just some things to check. If you don't have the same version of fileutils that I do you won't have the same date/size on the ls command though.

[dishawjp]

Hi void main and Stryker,

Just thought I'd let you folks know what it was.  It was a virus of some sort.  I had installed F-prot for Linux a few days previously and I ran it this afternoon.  It had to delete over 27 files on the first run-through and.... hell, to make a long story short, I just finished reinstalling and configuring and all.  Took about 4 hours.  A big improvemnet from the 4 or so days my first Linux install took a couple of months ago.  I've even got the apt-get program for Red Hat going again!

I just got my RH8 boxed set in the mail today and will be ordering my new computer from Linuxcomputersystems.com on Friday.  I would really hate to have something like this happen to my new computer.

Any recommendations on firewalls and virus protection and all.  I don't stay on-line for long (usually) and it's only a 56k connection.  I've never managed to successfully infect a DOS/Windows computer and don't use any AV protection other than F-prot for DOS to check files.

I do have to use FTP quite a bit for work.  That's the only method I have of accessing my network drives from home and that's how some little script kiddy puke nailed me this time.

Thanks again for your help and suggestions.

Jim

PS:  Just want to wish everyone, or at least everyone who celebrates it, a great Thanksgiving!

Jim

[ November 27, 2002: Message edited by: DOSman ]

[voidmain]

Wow, if this is true this would be the very first time in my UNIX history that I have ever talked to anyone that has actually had a virus. I would be very interested to learn more about this, exactly what it was you are referring to. And 4 hours is still way too long. On a fast machine it only takes me around 30 minutes from the time I stick the CD in, do a full install, and have it configured. But then I have been doing this for a while.  

I've started a RedHat tips page last night that you might want to visit and make suggestions for things to add or change. I just finished my second tip which describes how to add MS True Type fonts. I will be adding my tips here, and then they can be easily transported to the MES FAQ.

[dishawjp]

Hi void main!

I guess I'm just special... or lucky... or something!  All that I can think is that some 13 yr. old turd found my FTP port open while I was getting files in from my network drive. There were about 25 files I needed and the connection was open for about an hour, but...

Anyway, the reason that I think that it was a virus is that when I ran F-prot, a command line virus utility, it started finding files infected.  These included ls, rm, bash, chmod, and many others.  Worst was that it was unable to disinfect the files, only delete them.  And some it was unable to delete. It did delete a total of 27 or so files.  I then was going to switch to the csh to try and clean up bash and hopefully some other infected files that I couldn't get at the first time, and I got a "permission denied" message when trying to run the virus scanner again.  And I couldn't do a chmod to it since the chmod command had been infected and... Oh hell, that's when I gave up and started my reinstall.

It does take me a lot of time, but I have a slow old computer (for another week or so) and I do a lot of fumbling around setting up ppp dialer and pap and stuff like that.  Also I include in that time things like downloading and reinstalling programs like that apt-get for Red Hat you posted to the list and doing all the updates.  With 56k, even if I knew what I was doing, it wouldn't have been a whole lot faster.

Your web page looks really great.  I've bookmarked it and will continue to check in on it as it grows.

I was glad to hear that this was an unusual experience.  I've been using the internet for about 12 yrs now and this is the first time I've ever gotten nailed like this.  I always thought you had to be either stupid or very unlucky to get one of these things.  Now I'm ready to consider active virus scanning and firewalls.  Stuff I used to laugh about not too long ago.

Have a great Thanksgiving!

Jim

[voidmain]

That is a typical example of a break in and the installation of a "root kit". This is not a virus. The AV vendors that are creating software for Linux are looking for root kits along with the few known viruses. If you know what you are doing it is easy to detect a break in and files that are part of a root kit. In fact your system comes with all of these tools. tripwire is great for detecting things that have changed, rpm also can verify the entegrity of your files. It is also possible to clean up from such a break-in if you know how to trace the crackers tracks. I have done this on several occassions.

The important part is to be able to figure out what he exploited and close it up. If you have exposed services I can't emphasize enough the importance of being on the CERT mailing list and keeping your system updated to the absolute lates software and updates (fortunately this is both free and easy in the Linux world). And of course you want to expose the absolute minimal amount of services that you need and use secure services whenever possible.

Also, don't expect that crappy site I set up to grow very rapidly. It's not intended to be a high traffic site. I would have put it on my T-1 if that were the case, which I don't forsee happening.

[dishawjp]

Thanks void main,

I'm still awful new at this stuff.  The only ports I have open are:

25  (SMTP)
113 (IDENT)

I thought that these were necessary for mail and interacting with othre servers.  I'll take a look for the CERT site.  I have done all the updates for RH 6.2 (using the apt-get update site you posted) and will look around for firewall and AV programs.

Would a more secure root password have helped, or any other easily implemented measures?

Once again thanks for all your help,

Jim

[voidmain]

I would close both of those ports if I were you unless you absolutely need them. Unless you have a DNS domain and are using that machine to receive incoming mail for that domain by having an MX record with that machines address. The easiest way to close them are to turn off the services:

# chkconfig identd off
# service identd stop
# chkconfig sendmail off
# chkconfig sendmail stop

The identd is the stupidest thing anyone ever came up with. Do you really need sendmail running? Do you really need it exposed to the outside world? If Yes to the first question and no to the second question then at least set up firewall rules to only allow access to port 25 from your machines and no others.

[dishawjp]

Hi void main,

Gotcha and I will shut both down.  Also, I had this afternoon off and did a bit of poking around.  I found some info on "ipchains" and am thinking of setting a rule, but am hesitant to do so without a bit of advice.

If I "su - root" and enter the command "/sbin/ipchains -P input DENY" will that provide additional protection, yet still allow me to download files, connect to the internet, and FTP into my work accounts?  

I'm just beginning to get a bit of a handle on Linux and don't want to create irreversable messes.

Thanks again,

Jim

==========EDIT===========

Also, will shutting down sendmail prevent me from using Pine or standard UNIX e-mail from my machine? I have them set up as POP from an e-mail account from my ISP.  I *could* lose that and if that's the best way to secure the machine, I guess I would.

Jim

[ November 29, 2002: Message edited by: DOSman ]

[ November 29, 2002: Message edited by: DOSman ]

[voidmain]

I just noticed that you are on RedHat 6.2. I was going to tell you to use iptables instead but 6.2 still used ipchains. There are a couple of firewall threads on this forum where I discussed setting up an ipchains script for the RedHat 6.2 type of setups. The newer distros use iptables and have nicer configuration utilities. My way in the old days used a custom built script. Having said that I believe webmin has an ipchains firewall configurator that will work on RedHat 6.2. You might want to download and install that.

Another thing, since you are on 6.2 it is ultra-imperative that you apply all the security updates from RedHat's Errata page. If you put a stock RedHat 6.2 box on the net it will be 0wn3d in 3.4 minutes. Of course turning off all incoming connections to the box will also prevent being 0wn3d.

I don't know if this helps but any stock operating system is vulnerable, especially when they start getting some age on them and there is a nice list of exploits built up. Keeping your system updated prevents most of this, making sure you have unnecessary services turned off will prevent more of this. Properly configured firewall will prevent even more of it. Properly configured tcp wrappers on open services will prevent even more of it. Using encrypted protocols (ssh) will prevent even more of it. But no matter how far you go you can never be 100% secure, you can be more secure than the next guy though and that's usually enough. Security is something that you need to constantly monitor and perform regular updates if you want to have less of a chance of being owned.

For the most part, only people who do not follow the above practices have a problem. Hope this helps. One of the easiest things you can do is invest in a hardware firewall and put all of your machines behind it. This will prevent most problems (if it is properly configured). And get on the CERT mailing list. You will get first hand notification of any new exploits and how to fix them.

[ November 29, 2002: Message edited by: void main ]