yum update problem / do I have a security problem?
hfr, 2nd February 2012, 16:05


Today I had a strange problem updating my CentOS 5.7 64-bit. The server is used for web hosting via ISPConfig 3 (-> Perfect Server guide)

Dependencies Resolved

===============================================================================================
Package Arch Version Repository Size
===============================================================================================
openssh-server x86_64 4.3p2-72.el5_7.5 updates 278 k

Transaction Summary
===============================================================================================
Install 0 Package(s)
Upgrade 1 Package(s)

Total size: 278 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openssh-server 1/2
Error unpacking rpm package openssh-server-4.3p2-72.el5_7.5.x86_64
error: unpacking of archive failed on file /usr/sbin/sshd: cpio: rename

openssh-server.x86_64 0:4.3p2-72.el5_7.5

I looked at /usr/sbin/sshd ...

[root@server ~]# ll /usr/sbin/sshd
-rwxrwxrwx 1 root apache 288592 12. Sep 2010 /usr/sbin/sshd

... and tried to change the group, which did not work:

[root@server sbin]# chgrp root /usr/sbin/sshd
Ändern der Gruppe für /usr/sbin/sshd: Die Operation ist nicht erlaubt
(translation: operation is not permitted)

After a bit of searching I found a +i flag in the ext attributes:

[root@server ~]# lsattr /usr/sbin/sshd
----i-------- /usr/sbin/sshd

After disabling that, everything worked fine again:

chattr -i /usr/sbin/sshd
Now I am wondering who/what set this flag in the ext3 attributes and who changed the group of sshd to apache. Might my server have been attacked successfully? I checked processes, open ports and chkrootkit but found nothing.

Does anybody have an idea what could have caused these oddities?

Best Regards

falko, 3rd February 2012, 13:25

Did you run rkhunter?
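
The two manual checks from the first post (the `ll` look at mode and group, and the `lsattr` look at the flags), generalised so they can be run over a whole directory of binaries. This is an added example, not part of the thread; the function names, the root:root baseline and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Parsers for the output of two commands:
#   lsattr /usr/sbin/* 2>/dev/null    | immutable_paths
#   stat -c '%a %U %G %n' /usr/sbin/* | loose_binaries
# Both functions read text on stdin, so they also work on saved output.

# Paths whose lsattr flag field has 'i' (immutable) or 'a' (append-only) set.
immutable_paths() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ { sub(/^[^ ]+ +/, ""); print }'
}

# Lines of "mode owner group path": report anything group- or world-writable,
# or not owned by root:root (the assumed baseline for files in /usr/sbin).
loose_binaries() {
    awk '{
        perm = substr($1, length($1) - 2)          # last three octal digits
        g = substr(perm, 2, 1); o = substr(perm, 3, 1)
        why = ""
        if (int(g / 2) % 2) why = why " group-writable"
        if (int(o / 2) % 2) why = why " world-writable"
        if ($2 != "root")   why = why " owner=" $2
        if ($3 != "root")   why = why " group=" $3
        path = $0; sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)
        if (why != "") print path ":" why
    }'
}

# Constructed sample input: the sshd state from the first post plus one clean file.
SAMPLE_LSATTR='----i-------- /usr/sbin/sshd
------------- /usr/sbin/crond'
SAMPLE_STAT='777 root apache /usr/sbin/sshd
755 root root /usr/sbin/crond'

audit_sample() {
    echo "immutable or append-only:"
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths | sed 's/^/  /'
    echo "unexpected ownership or mode:"
    printf '%s\n' "$SAMPLE_STAT" | loose_binaries | sed 's/^/  /'
}

audit_sample
```

On an RPM-based system, `rpm -V openssh-server` additionally compares the installed file's mode, ownership and checksum with the package database.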