Re: Rootkit warning! (Was: Re: LS_COLORS error)

To: Debian Users List <debian-user@lists.debian.org>
Subject: Re: Rootkit warning! (Was: Re: LS_COLORS error)
From: Neilen <brick@adept.co.za>
Date: 06 Jun 2003 11:44:47 +0800
Message-id: <[🔎] 1054871087.16863.4565.camel@hilife>
In-reply-to: <[🔎] 200306052211.05538.gtdev@spearhead.de>
References: <[🔎] 1054829291.16863.4552.camel@hilife> <[🔎] 200306052211.05538.gtdev@spearhead.de>

Hi Nicos.

On Fri, 2003-06-06 at 04:11, Nicos Gollan wrote:
> On Thursday 05 June 2003 18:08, Neilen wrote:
> > Hi.
> >
> > I'm running sid.  Some time in the last week (did unfortunately not
> > notice exactly when), I started getting the following error from ls:
> >
> > brick@hilife:~/public_html$ ls
> > ls: unrecognized prefix: do
> > ls: unparsable value for LS_COLORS environment variable.
> 
> I had this some time ago. You might want to check for t0rnkit in case someone 
> hacked you machine. The "devious" thing about the kit's files is that they're 
> marked "undeletable" with chattr (see man chattr and man lsattr), so even 
> root can't delete them directly.
Sure enough, this seems to be the case.  I also had a problem where
procps would not install due to "permission denied". Chattr showed why
;)

Guess its reinstall time.  You think it would be safe to keep my /home/*
for the new install?

Thanks
Neilen

> 
> I'll append a kind of "in-group whitepaper" I found.
-- 
Neilen <brick@adept.co.za>

Reply to:

Follow-Ups:
- Re: Rootkit warning! (Was: Re: LS_COLORS error)
  - From: Nicos Gollan <gtdev@spearhead.de>

References:
- LS_COLORS error
  - From: Neilen <brick@adept.co.za>
- Rootkit warning! (Was: Re: LS_COLORS error)
  - From: Nicos Gollan <gtdev@spearhead.de>

Prev by Date: Re: dpkg-reconfigure ntp-simple not working?
Next by Date: Re: How to unsubscribe?
Previous by thread: Rootkit warning! (Was: Re: LS_COLORS error)
Next by thread: Re: Rootkit warning! (Was: Re: LS_COLORS error)
Index(es):
- Date
- Thread