[Wylug-help] Re: vicious circular symlinks stop su (and a lot more)

Gordon Messmer yinyang at eburg.com
17 Oct 2002 14:42:44 -0700


On Thu, 2002-10-17 at 04:54, Andrew Teal wrote:
> The critical error is
> su: error while loading shared libraries: libpam.so.0: cannot open shared
> object file: Error 40
> I've found that /lib/libpam.so.0 is a symbolic link to itself; I can't
> delete it because I can't su to root.

That all makes sense.  errno 40 == ELOOP (too many symlinks)

> AFAIK RedHat update created it. It also created (in the same directory) four
> versions of libpam.so.0.75 ** and four more self-referencing symlinks:
> libpam.so;3da73808 --> /lib/libpam.so;3da73808

OK, you've probably been hacked.  The filenames you've listed are temp
names created when RPM unpacks an archive.  Normally, those files will
be renamed to the destination file after they're complete.  However,
renaming can fail for many reasons; among them is that the destination
file has been made immutable.  Use "lsattr /lib/libpam*" to see if any
of those files have been made immutable.

If so, and you didn't make them immutable yourself, then your machine
was probably hacked.  Back up your data, reformat the disk, reinstall
the OS.
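
The checks described in this message, collected into one script. This is an added example, not part of the original post: it lists symlinks that fail with ELOOP, leftover RPM temp names, and files that `lsattr` reports as immutable. The function names and the sample directory are constructed for illustration, and the `;` plus eight hex digits pattern is inferred from the single filename quoted above. Pass a directory such as /lib as the argument to scan it; with no argument the script scans the constructed sample.

```python
import errno, os, re, subprocess, sys, tempfile

# Assumption: RPM temp names look like "<destination>;<8 hex digits>", as in the quoted name.
RPM_TEMP = re.compile(r";[0-9a-f]{8}$")

def is_immutable(path):
    """True if lsattr reports the 'i' flag; False if lsattr is missing or unsupported here."""
    try:
        res = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    fields = res.stdout.split()
    return res.returncode == 0 and bool(fields) and "i" in fields[0]

def triage(directory):
    """Classify entries of one directory: ELOOP symlinks, RPM temp leftovers, immutable files."""
    report = {"eloop": [], "rpm_temp": [], "immutable": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if RPM_TEMP.search(name):
            report["rpm_temp"].append(name)
        if os.path.islink(path):
            try:
                os.stat(path)  # follows the link, like the loader opening libpam.so.0
            except OSError as exc:
                if exc.errno == errno.ELOOP:  # errno 40 on Linux
                    report["eloop"].append(name)
        elif is_immutable(path):
            report["immutable"].append(name)
    return report

def build_sample(directory):
    """Constructed sample mirroring the names quoted in the thread (not real system files)."""
    for name in ("libpam.so.0", "libpam.so;3da73808"):
        link = os.path.join(directory, name)
        os.symlink(link, link)  # symlink pointing at itself
    os.symlink("missing", os.path.join(directory, "dangling"))  # broken, but not a loop
    with open(os.path.join(directory, "libpam.so.0.75"), "w") as fh:
        fh.write("placeholder\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = tempfile.mkdtemp()
        build_sample(target)
    for kind, names in triage(target).items():
        print(kind, names)
```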