2001-02-12 15:27:11

by Paul Tweedy

Subject: "Unable to load interpreter" on login - 2.2.14-5.0

Hi all,

I'm at my wit's end. I've a Redhat 6.2 i386 box (6gb HD, 128mb RAM, 32mb
swap, kernel 2.2.14-5.0) which has been happily running as a dev server for
a good few months - Apache, PHP, MySQL, Samba and Netatalk being the most
heavily-used services. Nothing too load-heavy, maybe 5 users at once spread
across Netatalk and Samba.

All of a sudden over the weekend, it began to give 'Unable to load
interpreter' errors to the console. I've been unable to log in via any
means, although booting into single-user mode works fine. Under normal
circumstances the 'unable to load interpreter' message appears whenever a
username is entered, and the screen clears.

The research I've done pointed to this message being indicative of a memory
problem. I changed rc.local to up the requisite values in /proc/sys/vm to
see if that helped give the filesystem more legroom, but that yielded
nothing. Swap is hardly being used at all, and even rebooting with all the
usual services turned off made no difference, so I can't believe there's
something gobbling the memory. In single-user mode, top reports nothing
untoward - 99.8% CPU available, swap at 0% use, plenty of RAM available.

/var/log/messages reports nothing but the 'kernel : unable to load
interpreter /lib/ld-linux.so.2' error when someone tried to log in. The
symlink is there, as is the library it's pointing to. Sadly something else
screwed up over the weekend and all my previous logs disappeared - maybe
Cron (which I had creating a tarball of some of the system logs) went barmy
and caused all this, but it doesn't explain what's gone so wrong that it
won't fix itself when the server reboots, even with crond, etc disabled.

Has *anyone* got any clue, bar a complete reinstall? I'm picking this up as
I go along..

Severe amounts of thanks in advance,

Paul



2001-02-12 15:37:31

by Alan

Subject: Re: "Unable to load interpreter" on login - 2.2.14-5.0

> nothing. Swap is hardly being used at all, and even rebooting with all the
> usual services turned off made no difference, so I can't believe there's
> something gobbling the memory. In single-user mode, top reports nothing
> untoward - 99.8% CPU available, swap at 0% use, plenty of RAM available.

Could be out of memory, could be out of files, could be permissions

> Has *anyone* got any clue, bar a complete reinstall? I'm picking this up as
> I go along..

rpm --verify --all

That will check all the packages seem sane. It won't necessarily help
identify the problem but can reassure you as to what, if anything, may be corrupt.

If it shows up changes in login, netstat, su and the like then assume the worst.
If it shows permission changes on the library then you have a good idea what
may have happened.

You might also want to look at ps -aux and top data as that may give you a lot
of clues if the machine is apparently behaving but being odd
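
The triage Alan describes for `rpm --verify --all` output, as an added example that is not part of the original thread: it sorts each reported file by how worrying the change is. The sample output is constructed, and the binary names beyond login, netstat and su are an assumption about what "and the like" covers.

```shell
#!/bin/sh
# Added example: classify lines of `rpm --verify --all` output.
# Flag letters: S size, M mode, 5 digest, U user, G group, T mtime.

# Constructed sample output (not taken from the thread).
sample_rpm_verify_output() {
    cat <<'EOF'
.M......   /bin/login
S.5....T   /bin/netstat
.M......   /lib/ld-linux.so.2
S.5....T c /etc/samba/smb.conf
S.5....T   /usr/bin/example-tool
missing    /usr/doc/example/CHANGES
.......T   /usr/doc/example/README
EOF
}

# Reads verify output on stdin, prints: severity, flags, path, reason (tab separated).
triage_rpm_verify() {
    awk '
    {
        slash = index($0, "/")
        if (slash == 0) next                      # not a file line
        flags  = $1
        path   = substr($0, slash)                # keeps paths containing spaces
        marker = ($2 ~ /^[cdglr]$/) ? $2 : ""     # c = config file, d = doc, ...
        name   = path; sub(/.*\//, "", name)
        missing = (flags == "missing")
        content = (!missing && flags ~ /[S5]/)    # size or digest differs
        perms   = (!missing && flags ~ /[MUG]/)   # mode, owner or group differs

        # Assumed list of binaries an intruder commonly replaces.
        if (name ~ /^(login|su|netstat|ps|ls|top|passwd)$/) {
            sev = "CRITICAL"; why = "system binary differs from its package"
        } else if (perms && path ~ /\/lib\//) {
            sev = "HIGH"; why = "permission change on a library"
        } else if (missing) {
            sev = "WARN"; why = "packaged file is missing"
        } else if (content && marker == "c") {
            sev = "INFO"; why = "config file edited, usually expected"
        } else if (content) {
            sev = "WARN"; why = "content differs from package"
        } else {
            sev = "INFO"; why = "timestamp or minor attribute drift"
        }
        printf "%s\t%s\t%s\t%s\n", sev, flags, path, why
    }'
}

sample_rpm_verify_output | triage_rpm_verify
```

On a machine that may be compromised, the installed `rpm` binary and its database are no more trustworthy than `login`; running the verify from rescue media against the mounted disk (`rpm --root <mounted-root> --verify --all`) avoids relying on them.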


2001-02-12 16:30:06

by Paul Tweedy

Subject: Re: "Unable to load interpreter" on login - 2.2.14-5.0

on 12/2/01 15:37, Alan Cox <[email protected]> schribe:

> rpm --verify --all
>
> That will check all the packages seem sane. It won't necessarily help
> identify the problem but can reassure you as to what, if anything, may be corrupt.
>
> If it shows up changes in login, netstat, su and the like then assume the
> worst.
> If it shows permission changes on the library then you have a good idea what
> may have happened.

Thanks Alan - spot on. I ran this and there's been a permissions change to
/bin/login a couple of days ago. I smell a hacker... ?

Firstly - GRRRRRRRRRRRR.

Secondly, to get the thing running I'm assuming I can copy a working login
binary from an identical server, so I can get in & change the passwords and
sort the security out?

I'm thinking it's not a coincidence that my system logs disappeared either..
:(

/paul

2001-02-12 20:12:57

by Tony Hoyle

Subject: Re: "Unable to load interpreter" on login - 2.2.14-5.0

Paul Tweedy wrote:

> Secondly, to get the thing running I'm assuming I can copy a working login
> binary from an identical server, so I can get in & change the passwords and
> sort the security out?

...and what if the 'cp' binary has been hacked to stop you doing just
that? What if 'passwd' is silently emailing your root password to the
hacker each time you change it?

Reformat and re-install. It's the only way (and check your firewall).

Tony
--

"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and I'm
not even too sure about that one"--Dennis Huges, FBI.

[email protected]

2001-02-12 21:37:54

by Gerhard Mack

Subject: Re: "Unable to load interpreter" on login - 2.2.14-5.0

On Mon, 12 Feb 2001, Tony Hoyle wrote:

> Paul Tweedy wrote:
>
> > Secondly, to get the thing running I'm assuming I can copy a working login
> > binary from an identical server, so I can get in & change the passwords and
> > sort the security out?
>
> ...and what if the 'cp' binary has been hacked to stop you doing just
> that? What if 'passwd' is silently emailing your root password to the
> hacker each time you change it?
>
> Reformat and re-install. It's the only way (and check your firewall).

Disabling all unneeded services would be a better idea than checking the
firewall.

<RANT>
I'm still not understanding this running by default most dists
have going, it's stupid for servers and it's downright retarded for
workstations.
</RANT>

Gerhard


--
Gerhard Mack

[email protected]

<>< As a computer I find your faith in technology amusing.