Ran into a new one today at work......

I was told to start 2 servers which were shut down due to a power outage(I don't believe they were shut down incorrectly).

After fsck, both console logins appear with the message:

INIT: Command is respawning too rapidly. Check for possible errors.
> id: #SV "/usr/bin/srload -D -q"


- searching the internet I found :
"/usr/bin/srload is NOT a Sun binary, and isn't on any supplied version of Solaris. I suspect you have a RootKit installed on your system. Probably the X-Org SunOS RootKit, this is the most common one for Solaris. .... Another way to confirm this is if you have the directory "/usr/lib/libX.a". If you do, then you definately have a rootkit on your system."

I have checked Both servers and they do not have /usr/bin/libX.a specifically. (libX*** exits).

Can anyone Please help on this one. Has anyone seeen this before?

-Thanks in advance.

I see that it is in my inittab file (last line)....

# cd /etc;more inittab
ap::sysinit:/sbin/autopush -f /etc/iu.ap
ap::sysinit:/sbin/soconfig -f /etc/sock2path
fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog </dev/console
is:3:initdefault:
p3:s1234owerfail:/usr/sbin/shutdown -y -i5 -g0 >/dev/msglog 2<>/dev/msglog
sS:s:wait:/sbin/rcS >/dev/msglog 2<>/dev/msglog </dev/console
s0:0:wait:/sbin/rc0 >/dev/msglog 2<>/dev/msglog </dev/console
s1:1:respawn:/sbin/rc1 >/dev/msglog 2<>/dev/msglog </dev/console
s2:23:wait:/sbin/rc2 >/dev/msglog 2<>/dev/msglog </dev/console
s3:3:wait:/sbin/rc3 >/dev/msglog 2<>/dev/msglog </dev/console
s5:5:wait:/sbin/rc5 >/dev/msglog 2<>/dev/msglog </dev/console
s6:6:wait:/sbin/rc6 >/dev/msglog 2<>/dev/msglog </dev/console
fw:0:wait:/sbin/uadmin 2 0 >/dev/msglog 2<>/dev/msglog </dev/console
of:5:wait:/sbin/uadmin 2 6 >/dev/msglog 2<>/dev/msglog </dev/console
rb:6:wait:/sbin/uadmin 2 1 >/dev/msglog 2<>/dev/msglog </dev/console
sc:234:respawn:/usr/lib/saf/sac -t 300
co:234:respawn:/usr/lib/saf/ttymon -g -h -p "`uname -n` console login: " -T sun -d /dev/console -l console
-m ldterm,ttcompat
SV:23:respawn:/usr/bin/srload -D -q

From the net.......

Based on my looking around on the net, the platform has been hacked (or might have been) at one time...... You need to consider how to repair.......

I can't find anything good on srload ..... only negative comments.... Neo

I read the same on the net as well.......doesn't look good........except I get to practice my installation again.

Luckily nothing major lost.

Thanks again.

If anyone knows more specifics on this it would be appreciated...

First, just friendly advice. What kind of security and hardening is going to be in place after the install? Hint: Do not connect this server to the net until it is done.

Second, I found some info that is not posted on here yet, but has probally been read by you guys on the newsgroups:

Also found this http://groups.google.com/groups?hl=e...s.de&frame=off

Just remember that if you have been compromised, which you probally have, you can not trust any of your normal commands as they could have been easily replaced with hacked versions to either inflict more harm or hide the files that you are looking for to see if you have been compromised. So, essentially, nothing on that server whether user created data, system components, logs, or the such should be saved and reloaded on the new install without fully checking it over to verify accuracy.

Tripwire is a good security tool if you are not using it yet.

Hope that helps...

Thanks for all the replies and help.