cannot execute "/etc/init.d/fix"

[unixguy]

I recently had to rebuild my Plesk 8.1 system (for a 2nd time).

The entire system would hang right after the "Freeing memory" message was displayed .

I was never able to determine the exact nature of the problem. The filesystem was always in tact and I always managed to boot into a rescue mode, back everything up, rebuild the entire system and restore.

Some Google searches directed me to a corrupt "init" process. But no real resolution.


Today I started getting spurious error messages in my logs:


/etc/inittab[58]: duplicate ID field "XX"
/etc/inittab[59]: duplicate ID field "XX"
/etc/inittab[60]: duplicate ID field "XX"
/etc/inittab[58]: duplicate ID field "XX"
/etc/inittab[59]: duplicate ID field "XX"
/etc/inittab[60]: duplicate ID field "XX"
cannot execute "/etc/init.d/fix"




I checked and there is no /etc/init.d/fix script or file.

A search on Google revealed nothing

Can anyone tell me what these are for?


Many thanks team,


Troy

 

[atomicturtle]

Ive never heard of an init script called "fix" on any unix distro before. Did the box get owned? I can see a kernel rootkit causing weird problems like that, with the loading event coming from this "fix" script.

Take a look at your /etc/inittab for duplicate fields.

 

[unixguy]

FIX script

In checking the /etc/inittab file I found the following duplicate entries:

XX:23nce:/etc/init.d/fix
XX:23nce:/etc/init.d/fix
XX:23nce:/etc/init.d/fix
XX:23nce:/etc/init.d/fix
XX:23nce:/etc/init.d/fix


To my knowledge the box has not been compromised. I have run the rootkit scanner in from watchdog and found no problems.

For now I have deleted the multiple occurrences of this line to a single occurence and then commented that one out as follows:

#XX:23nce:/etc/init.d/fix


Many thanks for the prompt reply.

 

[atomicturtle]

Just confirmed it in my archives, that is identical to a rootkit I found on a another system.

 

[fishnyc22]

I have that same error showing up in my logs.

Jan 2 18:21:56 serverName init: cannot execute "/etc/init.d/fix"

I looked in the file mentioned above and found this line:

T0:12345:respawn:/sbin/agetty -L ttyS0 57600 vt100
#T1:12345:respawn:/sbin/agetty -L ttyS1 57600 vt100
XX:23nce:/etc/init.d/fix
XX:23nce:/etc/init.d/fix
XX:23nce:/etc/init.d/fix

I commented out 2 of them. not sure if thats ok.

 

[unixguy]

Does the file /etc/init.d/fix exist?

By chance did you find the file referenced?

/etc/init.d/fix

If this is a rootkit the fix program may tell us the nature of the exploit.

Many thanks

 

[fishnyc22]

no, there was no file in the init.d folder. I'm not sure if I should comment out all of those calls to "fix" but if the file is not there, what can it hurt, right?

 

[unixguy]

Multiple entries in inetd.conf

Technically each entry in /etc/inittab should be unique - so deleting multiple occurrences of the same line isn't a problem.

Does anyone else have these lines in their /etc/inittab file?

I suppose that if /etc/init.d/fix is a script it could be deleting itself after executing it's payload-code.

 

[atomicturtle]

In my notes, fix is the script that was loading the kernel module rootkit into the system.

 

[phatPhrog]

PSA fix is everywhere

Although there are files named ..fix.. the key files I can find are as follows:

/usr/local/psa/admin/share/fix_url.py
/usr/local/psa/bin/fixup_wrapper_group.sh
/usr/local/psa/bin/fixup_mta.sh
/usr/share/doc/bash-3.0/scripts/fixfiles.bash
/usr/share/terminfo/f/fixterm
/usr/share/man/man8/fixfiles.8.gz
/usr/share/man/man1/fixwfwps.1.gz
/usr/share/man/man1/fixfmps.1.gz
/usr/share/man/man1/fixdlsrps.1.gz
/usr/share/man/man1/fixwpps.1.gz
/usr/share/man/man1/fixpspps.1.gz
/usr/share/man/man1/fixtpps.1.gz
/usr/share/man/man1/fixmacps.1.gz
/usr/share/man/man1/fixwwps.1.gz
/usr/share/man/man1/fixpsditps.1.gz
/usr/share/man/man1/fixscribeps.1.gz
/usr/share/psa-horde/kronolith/js/fixUnstyledOptions.js
/usr/share/psa-horde/mnemo/js/fixUnstyledOptions.js
/usr/bin/fixwfwps
/usr/bin/fixwwps
/usr/bin/fixdlsrps
/usr/bin/fixmacps
/usr/bin/fixfmps
/usr/bin/fixscribeps
/usr/bin/fixwpps
/usr/bin/fixpspps
/usr/bin/fixtpps
/usr/bin/fixpsditps
/usr/lib/mailman/bin/fix_url.py
/usr/lib/mailman/bin/fix_url.pyc
/var/www/vhosts/chroot/usr/share/terminfo/f/fixterm
/sbin/fixfiles

There is no /etc/init.d/fix nor a app/script named fix anywhere on our server.

As stated before our system is secure as well yet this "fix" always shows up on a server restart.

Is this (init.d/fix) a 1and1 script, a rootkit, or a 1and1 app preventing the loading of new or updated kernels?

If this is indeed a rootkit, and is widespread shouldn't folks like chkrootkit, rkhunter, modsecurity and others take this into consideration for security checks? .... or is this a PSA thing?

 

[de_he]

Re: PSA fix is everywhere

Originally posted by phatPhrog


Is this (init.d/fix) a 1and1 script, a rootkit, or a 1and1 app preventing the loading of new or updated kernels?

edit/

Which distribution you are using?


On SUSE 9.3 with Plesk 8.0 there was 1and1 script named fix in /etc/init.d. It was fixing some problem with Mailman app. It should be deleted after execution. On other distro there was no "fix".

Nevertheless: have you had the chance now to boot from a 100% rootkit-free live-cd and do a rkhunter or chkrootkit?

FYI: There is no "app preventing the loading of new or updated kernels" because that wouldn't make any sense.