/srv/irclogs.ubuntu.com/2013/12/31/#ubuntu-server.txt

TJ-	knoxy: pastebin the output of "env"	00:01
knoxy	LD_PRELOAD=/lib/lib__mdma.so.1	00:02
knoxy	I just need to remove the entries from grub... I can remove the files 3.8.0 from /boot and run update-grub ?	00:03
markthomas	stetho: I just did this successfully: rsync -v rsync://us.archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_7.4-2012.04.orig.tar.bz2 .	00:03
TJ-	knoxy: Have you recently edited a bashrc script, either /etc/profile or /root/.bashrc or similar? Because that error is usually caused by having a bash variable definition that has spaces either side of the "="	00:03
knoxy	# some more ls aliases	00:04
knoxy	alias ll='ls -alF'	00:04
knoxy	alias la='ls -A'	00:04
knoxy	alias l='ls -CF'	00:04
knoxy	?	00:04
knoxy	no	00:04
TJ-	knoxy: show us a pastebin of "env" please	00:05
knoxy	http://paste.ubuntu.com/6665794/	00:10
markthomas	knoxy: looking...	00:18
TJ-	knoxy: What is this "lib__mdma.so.1" ? Is it a custom library you've built?	00:19
knoxy	TJ-, no, this is a "unknown" library	00:26
knoxy	if I move this library to another folder, for example, all commands stops (ls, pwd, ps, and more)	00:26
knoxy	when I move this file to another folder, I can restore the machine using SCP to move from target folder to previous folder...	00:27
knoxy	because all commands (includes mv) stop to work	00:28
knoxy	I dont know what is lib__mdma.so.1	00:29
knoxy	when I run "ls" in /lib... I can't see this file	00:29
knoxy	when I run ls -l, so I see this file	00:30
TJ-	knoxy: I can't find any references to it on the 'net ... I suspect it could be part of a rootkit	00:30
knoxy	du -sh /lib/lib__mdma.so.1 - access denied	00:30
knoxy	TJ- I talked several times about this file here	00:31
knoxy	TJ- no one could tell me what is	00:32
knoxy	TJ- I already suspected it was part of a rootkit	00:32
knoxy	TJ- to disable this file, I can disable from "env" variables?	00:32
TJ-	knoxy: Seriously, you need to rebuild that machine and secure it! make sure no other systems are re-infecting it, ensure your local PC isn't part of the problem	00:32
TJ-	knoxy: I would guess if it is a root-kit that other files have been compromised. You need to do a clean rebuild.	00:33
knoxy	TJ- I checked all process, users, folders, rkhunter runs, and I cant see the rootkit and other similar problem	00:33
knoxy	TJ- Yes, this server will be reinstalled, but all files (my php application) need to be migrated	00:34
TJ-	Can you do "objdump -t /lib/lib__mdma.so.1" and show the output to us via a pastebin?	00:35
knoxy	TJ- yes, but the datacenter is migrating this server to another rack, please wait	00:36
knoxy	I'm waiting the reply	00:36
knoxy	TJ- on my Zimbra ZCS server (ubuntu) in this week, I find 3 files in /var/tmp	00:38
knoxy	TJ- because a 0day remote exploit for Zimbra has published	00:39
knoxy	I remove the files and block the 7071 port for Zimbra Admin	00:39
=== gfrog_afk is now known as gfrog
knoxy	the files:	00:40
knoxy	root@srv001:~/exploits# ls	00:40
knoxy	meep.pl minerd32 minerd64	00:40
knoxy	anyone knows these files?	00:40
=== gfrog_afk is now known as gfrog
knoxy	?	00:41
knoxy	minerd64 and minerd32 is used for bitcoin?!	00:44
bekks	knoxy: Someone is using your server for bitcoin mining.	00:44
knoxy	bekks, this files I found in my Zimbra ZCS server	01:00
knoxy	bekks, the url for 0day exploit is http://www.exploit-db.com/exploits/30085/	01:00
knoxy	bekks, I dont know if the server is used to more things	01:01
bekks	knoxy: Yeah. Someone is exploiting your server. Backup important data, reinstall your server from scratch.	01:01
knoxy	bekks, I've other servers and will find other exploits and dangerous files	01:02
bekks	Or get the datacenter guys to investigate further, for jurisdical actions.	01:02
knoxy	bekks, my contract is restrict just to use the infra of DC	01:02
knoxy	bekks, datacenter guys dont have access to my servers	01:03
=== gfrog is now known as gfrog_afk
=== TDog_ is now known as TDog
=== gfrog_afk is now known as gfrog
=== gfrog is now known as gfrog_afk
=== TDog_ is now known as TDog
=== gfrog_afk is now known as gfrog
=== aarcane_ is now known as aarcane
aarcane	Does anybody know how to force DKMS to rebuild a module it says is already built?	06:42
Neytiri	this is sort of a odd question, but how woud i use box A as ddos protection for box B. both boxes are on the public internet but on different subnets and different datacenters	06:48
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== railsraider_ is now known as railsraider
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
stetho	Does anyone know if ubuntu servers rate limit you or block you in other ways?	10:37
=== Jare_ is now known as Jare
=== lionel_ is now known as lionel
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
balachmar	Hi, I am looking for some documentation how to set up a multisite config for drupal using the ubuntu packages	15:19
=== TDog_ is now known as TDog
=== njbair_ is now known as njbair
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== TDog_ is now known as TDog
=== Beltechs is now known as OjO
markthomas	stetho: I don't believe there is any kind of rate limit. Large Ubuntu clouds mirror the mirrors just as you are attempting to do.	17:38
aarcane	on ubuntu 12.04.3 with kernel 3.5.0-43-generic and openvswitch (A setup I have working on two other systems at present) I get the following error when starting a guest in libvirt:	18:23
aarcane	Unable to add bridge br0 port vnet0: No such process	18:23
aarcane	Google provides no helpful results, and I'm unable to glean anything from the logs.	18:23
TJ-	aarcane: See https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Virtualization_Host_Configuration_and_Guest_Installation_Guide/#App_Bridge_Device	18:39
aarcane	TJ-, that's a similar error, but I've found that possible resolution before, and it's not a fruitful path to peruse.	18:44
TJ-	aarcane: Permissions of the user are sufficient? "No such process" error can show when elevated permissions aren't available	19:02
boldfield	I'm having some issues with dhcpd I was hoping someone could help me with. I've got a host defined in dhcpd.conf setting a fixed-address, but the client is never assigned the correct IP. I've triple checked the MAC address and tried clearing the client's leases and removing the relevant entries in server's leases	19:23
boldfield	anyone have any ideas of other things I might try to troubleshoot	19:23
bekks	The client still has a lease file.	19:24
boldfield	I've tried killing the client and clearing the lease files	19:28
boldfield	the host just gets a lease on another dynamically assigned IP, not the static one the server is configured to give	19:29
boldfield	or... supposedly configured to give, though I can't spot the error in the config, and I've spent a while looking	19:29
=== Sneak is now known as Guest21931
TJ-	boldfield: maybe you should pastebin the config?	19:41
=== Guest21931 is now known as Newk_z1
boldfield	TJ-: I've got to check that it's kosher that I do, if so I will	19:44
aarcane	TJ-, sudo.	19:51
markthomas	boldfield: I assume you checked the obvious, such as restarting dhcpd, making sure there were no other DHCP servers on the subnet, etc.	21:09
boldfield	markthomas: you are correct	21:10
markthomas	boldfield: Just checking. Then it's time to look at the config.	21:11
sheptard	initramfs seems to be trying to make drivers for a kernel I removed using apt	23:27
sheptard	any suggestions?	23:27
JanC	sheptard: initramfs doesn't "make" drivers	23:40

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!