
    Linux issue

      Ambarishrh @scottalanmiller

      @scottalanmiller Removed and rebooted, but still looks the same.

        scottalanmiller

        @ambarishrh said:

        /etc/rc3.d/S99local

        What was in rc.local doesn't match the errors from /etc/rc3.d/S99local

        This means BOTH are infected. You don't need S99local as you are running nothing there. Disable that.

        rm /etc/rc3.d/S99local

        and reboot

          Ambarishrh @scottalanmiller

          @scottalanmiller
          Now, after removing the file and rebooting, the message changed.

          CentOS release 6.4 (Final)
          Kernel 2.6.32-358.el6.x86_64 on an x86_64

          localhost.localdomain login: sh: systemctl: command not found
          sh: reSuSEfirewall2: command not found
          sh: SuSEfirewall2: command not found
          ebtables: unrecognized service
          sh: /etc/init.d/ebtables: No such file or directory
          sh: ufw: command not found
          usage: kill [ -s signal | -p ] [ -a ] pid ...

            scottalanmiller

            Yeah, none of those are real. One of those is a SUSE command, one is an Ubuntu command and two are completely fake. I think you need to rebuild your server. I could step through and get this working... but you have been hacked and your box cannot be trusted.

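Added example (not part of the original thread and not written by either poster): a shell check for the two things diagnosed above, whether `S99local` is still the stock symlink to `rc.local`, and whether a startup script mentions the commands seen in the console errors. The symlink layout is an assumption based on a stock CentOS 6 install; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SysV "local" startup hook discussed in the thread.

# Command names taken from the console errors quoted in the thread.
FOREIGN_CMDS='systemctl reSuSEfirewall2 SuSEfirewall2 ebtables ufw'

# check_local_link RCDIR
# Assumption: on a stock CentOS 6 install, RCDIR/S99local is a symlink to
# ../rc.local, so the two cannot have different contents.
# Prints one of: ok | replaced | missing
check_local_link() {
    hook="$1/S99local"
    if [ -L "$hook" ]; then
        case "$(readlink "$hook")" in
            ../rc.local|/etc/rc.local|/etc/rc.d/rc.local) echo ok ;;
            *) echo replaced ;;          # symlink now points somewhere else
        esac
    elif [ -e "$hook" ]; then
        echo replaced                    # regular file where a symlink belongs
    else
        echo missing
    fi
}

# scan_script FILE
# Prints FILE:LINE:COMMAND for every whole-word mention of a listed command.
scan_script() {
    for cmd in $FOREIGN_CMDS; do
        grep -nw -- "$cmd" "$1" 2>/dev/null |
            while IFS=: read -r lineno rest; do
                echo "$1:$lineno:$cmd"
            done
    done
}

# Demo on constructed files (not taken from the affected server). Only the
# command names are known from the thread, so no arguments are shown.
demo=$(mktemp -d)
mkdir -p "$demo/rc3.d"
printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local' > "$demo/rc.local"
printf '%s\n' '#!/bin/sh' 'systemctl' 'SuSEfirewall2' 'ufw' > "$demo/rc3.d/S99local"

echo "S99local state: $(check_local_link "$demo/rc3.d")"
scan_script "$demo/rc3.d/S99local"
scan_script "$demo/rc.local"
rm -rf "$demo"
```

On a real host the same functions would be pointed at `/etc/rc3.d` and at each script under `/etc/rc*.d`; a `replaced` result or any hit is a reason to preserve the file for analysis before rebuilding.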
              Ambarishrh @scottalanmiller

              @scottalanmiller It's a test VM, I can destroy and rebuild it, but I'm just curious to find the cause.

              As I mentioned, all I did was install GitLab on the server. Would you be able to test this on your test server and see if that installation opens something else?

                scottalanmiller @Ambarishrh

                @ambarishrh said:

                @scottalanmiller It's a test VM, I can destroy and rebuild it, but I'm just curious to find the cause.

                As I mentioned, all I did was install GitLab on the server. Would you be able to test this on your test server and see if that installation opens something else?

                I suspect that you were hacked and that GitLab was not the issue. You can make another VM and test this yourself, just snapshot before the installation and see if any of this stuff appears.

                  Ambarishrh

                  I have a few other VMs running the same CentOS but with other installations. Anyways, I will try a new setup again tomorrow and see if I get the same issues. It's 3 AM here, I really need to sleep or I will be late to the office in the morning.

                  Thanks a lot for helping 🙂 , I will post my test results here tomorrow.

                    scottalanmiller

                    Okay, will check tomorrow.

                      Ambarishrh

                      Ok, time for test results! 🙂

                      Clean-installed CentOS from my template, installed ClamAV and did a scan, then installed GitLab and did one more scan with ClamAV; both came back clean! 🙂

                      =========================================================
                      ----------- SCAN SUMMARY -----------
                      Known viruses: 3497543
                      Engine version: 0.98.4
                      Scanned directories: 4749
                      Scanned files: 17429
                      Infected files: 0

                      =========================================================

                      Running handlers:
                      Running handlers complete

                      Chef Client finished, 129/141 resources updated in 55.414565857 seconds
                      gitlab Reconfigured!
                      [root@localhost ~]# /usr/bin/clamscan -ri /

                      ----------- SCAN SUMMARY -----------
                      Known viruses: 3497543
                      Engine version: 0.98.4
                      Scanned directories: 9983
                      Scanned files: 54376
                      Infected files: 0

                      Not sure how the box got hacked last time.

                      Anyways, I am completely updating the server and will test this for a few days.

                        scottalanmiller

                        Might have been the GitLab package hacked, but extremely unlikely. Almost certainly an external hack of some sort.
