Command is respawning too rapidly..message


 
# 1  
Old 08-26-2003

Ran into a new one today at work......

I was told to start 2 servers which were shut down due to a power outage (I don't believe they were shut down incorrectly).

After fsck, both console logins appear with the message:

INIT: Command is respawning too rapidly. Check for possible errors.
> id: #SV "/usr/bin/srload -D -q"


- searching the internet I found :
"/usr/bin/srload is NOT a Sun binary, and isn't on any supplied version of Solaris. I suspect you have a RootKit installed on your system. Probably the X-Org SunOS RootKit, this is the most common one for Solaris. .... Another way to confirm this is if you have the directory "/usr/lib/libX.a". If you do, then you definitely have a rootkit on your system."

I have checked both servers and they do not have /usr/bin/libX.a specifically. (libX*** exists).

Can anyone please help on this one? Has anyone seen this before?

-Thanks in advance.

Last edited by finster; 08-26-2003 at 11:57 PM..
# 2  
Old 08-27-2003
I see that it is in my inittab file (last line)....

# cd /etc;more inittab
ap::sysinit:/sbin/autopush -f /etc/iu.ap
ap::sysinit:/sbin/soconfig -f /etc/sock2path
fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog </dev/console
is:3:initdefault:
p3:s1234:powerfail:/usr/sbin/shutdown -y -i5 -g0 >/dev/msglog 2<>/dev/msglog
sS:s:wait:/sbin/rcS >/dev/msglog 2<>/dev/msglog </dev/console
s0:0:wait:/sbin/rc0 >/dev/msglog 2<>/dev/msglog </dev/console
s1:1:respawn:/sbin/rc1 >/dev/msglog 2<>/dev/msglog </dev/console
s2:23:wait:/sbin/rc2 >/dev/msglog 2<>/dev/msglog </dev/console
s3:3:wait:/sbin/rc3 >/dev/msglog 2<>/dev/msglog </dev/console
s5:5:wait:/sbin/rc5 >/dev/msglog 2<>/dev/msglog </dev/console
s6:6:wait:/sbin/rc6 >/dev/msglog 2<>/dev/msglog </dev/console
fw:0:wait:/sbin/uadmin 2 0 >/dev/msglog 2<>/dev/msglog </dev/console
of:5:wait:/sbin/uadmin 2 6 >/dev/msglog 2<>/dev/msglog </dev/console
rb:6:wait:/sbin/uadmin 2 1 >/dev/msglog 2<>/dev/msglog </dev/console
sc:234:respawn:/usr/lib/saf/sac -t 300
co:234:respawn:/usr/lib/saf/ttymon -g -h -p "`uname -n` console login: " -T sun -d /dev/console -l console -m ldterm,ttcompat
SV:23:respawn:/usr/bin/srload -D -q
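
An added example, not part of the original thread: a POSIX shell check that lists inittab entries whose program is not on an allowlist. The allowlist and the sample file are constructed from the other entries in the listing above and are assumptions; a real baseline would come from known-good install media, and the check is best run from trusted media against the mounted disk, since tools on a suspect host may have been replaced.

```shell
#!/bin/sh
# Added example: list inittab entries whose program is not on an allowlist.
# ALLOWED is an assumption built from the other programs in the listing above;
# a real baseline would come from known-good install media.
ALLOWED="/sbin/autopush /sbin/soconfig /sbin/rcS /sbin/rc0 /sbin/rc1 /sbin/rc2"
ALLOWED="$ALLOWED /sbin/rc3 /sbin/rc5 /sbin/rc6 /sbin/uadmin /usr/sbin/shutdown"
ALLOWED="$ALLOWED /usr/lib/saf/sac /usr/lib/saf/ttymon"

# audit_inittab FILE: print "id:action:program" for every entry whose
# program (first word of the process field) is not in $ALLOWED.
audit_inittab() {
    awk -F: -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }   # comments, blank and wrapped lines
        {
            # The process field can contain ":" (the console prompt does),
            # so rebuild it from field 4 onwards.
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            sub(/^[ \t]+/, "", proc)
            split(proc, w, /[ \t]+/)
            if (w[1] != "" && !(w[1] in ok)) print $1 ":" $3 ":" w[1]
        }
    ' "$1"
}

# write_sample FILE: constructed sample, a subset of the listing above.
write_sample() {
    cat > "$1" <<'EOF'
fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog </dev/console
is:3:initdefault:
p3:s1234:powerfail:/usr/sbin/shutdown -y -i5 -g0 >/dev/msglog 2<>/dev/msglog
s3:3:wait:/sbin/rc3 >/dev/msglog 2<>/dev/msglog </dev/console
sc:234:respawn:/usr/lib/saf/sac -t 300
co:234:respawn:/usr/lib/saf/ttymon -g -h -p "`uname -n` console login: " -T sun -d /dev/console -l console -m ldterm,ttcompat
SV:23:respawn:/usr/bin/srload -D -q
EOF
}

# Demo run on the constructed sample; prints SV:respawn:/usr/bin/srload
tmp=$(mktemp) && write_sample "$tmp" && audit_inittab "$tmp"
rm -f "$tmp"
```
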
# 3  
Old 08-27-2003
Seems you have been hacked... sorry

From the net.......

Quote:
Our server which is a SUN Sparc 5 running solaris 5.7 has been
hacked. The symptoms are that the perfmeters (performance
meters) appear with a gravestone which has R.I.P on it and
the following message appears:

INIT command is resspawning too quickly
use SV /usr/bin/srload -D -q

The srload command seems to do nothing except complain the
-D is invalid. I have restored the /sbin /usr/sbin /usr/bin
and /usr/lib directories from backups. This seemed to work
yesterday. This morning the problem reappeared and restoring
the same file systems has not cured the problem.

We are a very small company and are connected to the world
as briefly as possible to pick up mail and search the web.
I do not understand the mechanisms for such hacking.

It is obvious that we must finally move to Solaris 8 and put
up a good firewall but in the meantime are there any suggestions
about how to fix the current problem as I cannot Rest In Peace
with that gravestone staring me in the face?

Based on my looking around on the net, the platform has been hacked (or might have been) at one time...... You need to consider how to repair.......

I can't find anything good on srload ..... only negative comments.... Neo
# 4  
Old 08-27-2003
I read the same on the net as well.......doesn't look good........except I get to practice my installation again.

Luckily nothing major lost.

Thanks again.

If anyone knows more specifics on this it would be appreciated...
# 5  
Old 08-27-2003
First, just friendly advice. What kind of security and hardening is going to be in place after the install? Hint: Do not connect this server to the net until it is done.

Second, I found some info that is not posted on here yet, but has probably been read by you guys on the newsgroups:

Quote:
Found the same compromise on a server i serviced today. They had added
an irc bouncer in the directory "/dev/cua/..." and modified the system
not to find any of their "root kit" modifications.

The srload is just a sshd daemon.

You will most likely have a file named /usr/lib/libp/libm.n that
contains logs for passwords from a sniffer named /usr/sbin/modstat.
Also found this http://groups.google.com/groups?hl=e...s.de&frame=off

Just remember that if you have been compromised, which you probably have, you can not trust any of your normal commands as they could have been easily replaced with hacked versions to either inflict more harm or hide the files that you are looking for to see if you have been compromised. So, essentially, nothing on that server whether user created data, system components, logs, or the such should be saved and reloaded on the new install without fully checking it over to verify accuracy.

Tripwire is a good security tool if you are not using it yet.

Hope that helps...

Last edited by OllieTech; 08-27-2003 at 05:57 AM..
# 6  
Old 08-28-2003
Thanks for all the replies and help.
 