[00:01] knoxy: pastebin the output of "env"
[00:02] LD_PRELOAD=/lib/lib__mdma.so.1
[00:03] I just need to remove the entries from grub... I can remove the files *3.8.0* from /boot and run update-grub ?
[00:03] stetho: I just did this successfully: rsync -v rsync://us.archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_7.4-2012.04.orig.tar.bz2 .
[00:03] knoxy: Have you recently edited a bashrc script, either /etc/profile or /root/.bashrc or similar? Because that error is usually caused by having a bash variable definition that has spaces either side of the "="
[00:04] # some more ls aliases
[00:04] alias ll='ls -alF'
[00:04] alias la='ls -A'
[00:04] alias l='ls -CF'
[00:04] ?
[00:04] no
[00:05] knoxy: show us a pastebin of "env" please
[00:10] http://paste.ubuntu.com/6665794/
[00:18] knoxy: looking...
[00:19] knoxy: What is this "lib__mdma.so.1" ? Is it a custom library you've built?
[00:26] TJ-, no, this is an "unknown" library
[00:26] if I move this library to another folder, for example, all commands stop (ls, pwd, ps, and more)
[00:27] when I move this file to another folder, I can restore the machine using SCP to move from target folder to previous folder...
[00:28] because all commands (including mv) stop working
[00:29] I don't know what lib__mdma.so.1 is
[00:29] when I run "ls" in /lib... I can't see this file
[00:30] when I run ls -l, then I see this file
[00:30] knoxy: I can't find any references to it on the 'net ... I suspect it could be part of a rootkit
[00:30] du -sh /lib/lib__mdma.so.1 - access denied
[00:31] TJ- I talked several times about this file here
[00:32] TJ- no one could tell me what it is
[00:32] TJ- I already suspected it was part of a rootkit
[00:32] TJ- to disable this file, can I disable it from "env" variables?
[00:32] knoxy: Seriously, you need to rebuild that machine and secure it! make sure no other systems are re-infecting it, ensure your local PC isn't part of the problem
[00:33] knoxy: I would guess if it is a root-kit that other files have been compromised. You need to do a clean rebuild.
[00:33] TJ- I checked all processes, users, folders, rkhunter runs, and I can't see the rootkit and other similar problem
[00:34] TJ- Yes, this server will be reinstalled, but all files (my php application) need to be migrated
[00:35] Can you do "objdump -t /lib/lib__mdma.so.1" and show the output to us via a pastebin?
[00:36] TJ- yes, but the datacenter is migrating this server to another rack, please wait
[00:36] I'm waiting for the reply
[00:38] TJ- on my Zimbra ZCS server (ubuntu) this week, I found 3 files in /var/tmp
[00:39] TJ- because a 0day remote exploit for Zimbra has been published
[00:39] I removed the files and blocked the 7071 port for Zimbra Admin
=== gfrog_afk is now known as gfrog
[00:40] the files:
[00:40] root@srv001:~/exploits# ls
[00:40] meep.pl minerd32 minerd64
[00:40] does anyone know these files?
=== gfrog_afk is now known as gfrog
[00:41] ?
[00:44] minerd64 and minerd32 are used for bitcoin?!
[00:44] knoxy: Someone is using your server for bitcoin mining.
[01:00] bekks, these files I found on my Zimbra ZCS server
[01:00] bekks, the URL for the 0day exploit is http://www.exploit-db.com/exploits/30085/
[01:01] bekks, I don't know if the server is used for more things
[01:01] knoxy: Yeah. Someone is exploiting your server. Back up important data, reinstall your server from scratch.
[01:02] bekks, I've other servers and will find other exploits and dangerous files
[01:02] Or get the datacenter guys to investigate further, for juridical actions.
[01:02] bekks, my contract is restricted to just using the infra of the DC
[01:03] bekks, datacenter guys don't have access to my servers
=== gfrog is now known as gfrog_afk
=== TDog_ is now known as TDog
=== gfrog_afk is now known as gfrog
=== gfrog is now known as gfrog_afk
=== TDog_ is now known as TDog
=== gfrog_afk is now known as gfrog
=== aarcane_ is now known as aarcane
[06:42] Does anybody know how to force DKMS to rebuild a module it says is already built?
[06:48] this is sort of an odd question, but how would I use box A as DDoS protection for box B. both boxes are on the public internet but on different subnets and different datacenters
=== TDog_ is now known as TDog
=== railsraider_ is now known as railsraider
=== TDog_ is now known as TDog
[10:37] Does anyone know if ubuntu servers rate limit you or block you in other ways?
=== Jare_ is now known as Jare
=== lionel_ is now known as lionel
=== TDog_ is now known as TDog
[15:19] Hi, I am looking for some documentation on how to set up a multisite config for drupal using the ubuntu packages
=== TDog_ is now known as TDog
=== njbair_ is now known as njbair
=== TDog_ is now known as TDog
=== Beltechs is now known as OjO
[17:38] stetho: I don't believe there is any kind of rate limit. Large Ubuntu clouds mirror the mirrors just as you are attempting to do.
[18:23] on ubuntu 12.04.3 with kernel 3.5.0-43-generic and openvswitch (A setup I have working on two other systems at present) I get the following error when starting a guest in libvirt:
[18:23] Unable to add bridge br0 port vnet0: No such process
[18:23] Google provides no helpful results, and I'm unable to glean anything from the logs.
[18:39] aarcane: See https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Virtualization_Host_Configuration_and_Guest_Installation_Guide/#App_Bridge_Device
[18:44] TJ-, that's a similar error, but I've found that possible resolution before, and it's not a fruitful path to pursue.
[19:02] aarcane: Permissions of the user are sufficient? "No such process" error can show when elevated permissions aren't available
[19:23] I'm having some issues with dhcpd I was hoping someone could help me with. I've got a host defined in dhcpd.conf setting a fixed-address, but the client is never assigned the correct IP. I've triple checked the MAC address and tried clearing the client's leases and removing the relevant entries in the server's leases
[19:23] anyone have any ideas of other things I might try to troubleshoot
[19:24] The client still has a lease file.
[19:28] I've tried killing the client and clearing the lease files
[19:29] the host just gets a lease on another dynamically assigned IP, not the static one the server is configured to give
[19:29] or... supposedly configured to give, though I can't spot the error in the config, and I've spent a while looking
=== Sneak is now known as Guest21931
[19:41] boldfield: maybe you should pastebin the config?
=== Guest21931 is now known as Newk_z1
[19:44] TJ-: I've got to check that it's kosher that I do, if so I will
[19:51] TJ-, sudo.
[21:09] boldfield: I assume you checked the obvious, such as restarting dhcpd, making sure there were no other DHCP servers on the subnet, etc.
[21:10] markthomas: you are correct
[21:11] boldfield: Just checking. Then it's time to look at the config.
[23:27] initramfs seems to be trying to make drivers for a kernel I removed using apt
[23:27] any suggestions?
[23:40] sheptard: initramfs doesn't "make" drivers