Re: Rooted? Could anything innocently alter the "i" flag?
On 23 Mar 2004, Mark McRitchie wrote:
>
>
> > -----Original Message-----
> > From: Anthony Campbell [mailto:ac@acampbell.org.uk]
> > Sent: 22 March 2004 20:07
> >
> > I can't find anything else, so far, that's unusual apart from this, so
> > I'm rather reluctant to go to radical steps like reinstalling
> > everything. I compared /bin/ps on another machine which is OK; this was
> > exactly the same length and date.
>
> Which machine did you do the compare on? If ps has been changed, it's
> conceivable that ls has been changed too.
>
> Download a known good (recent) copy of chkrootkit to the box, run it and see
> if it gives you anything.
>
> I'd strongly recommend isolating the box from the net until you're _sure_
> you're not rooted.
>
>
>
> Mark.
>
>
Things seem to be getting worse. I originally discovered the problem
because a routine upgrade of procps failed because it could not make a
link to /bin/ps. I eventually found that it was due to the "i" flag on
that file. I removed the flag and it then worked. However, last night I
found that the flag had returned. I removed it again.
Today, I found that upgrading procps failed again, this time because it
was unable to create /bin/kill. But /bin/kill does not have the "i" flag
set. So it definitely seems that something strange is happening.
AC
--
ac@acampbell.org.uk || http://www.acampbell.org.uk
using Linux GNU/Debian || for book reviews, electronic
Windows-free zone || books and skeptical articles
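
The thread turns on an immutable ("i") attribute reappearing on /bin/ps. As an added example that is not part of the original messages, the script below lists every file in the given directories that has that attribute set. It assumes the usual "<flags> <path>" layout of e2fsprogs lsattr output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Filter lsattr-style lines on stdin; print paths whose flag field has 'i'.
# Assumes the usual "<flags> <path>" layout of e2fsprogs lsattr output.
immutable_paths() {
    awk '
        # Field 1 must look like a flag string (letters and dashes only),
        # which skips blank lines and anything that is not a file entry.
        $1 ~ /^[-A-Za-z]+$/ && $1 ~ /i/ {
            sub(/^[^ ]+ +/, "")   # drop the flag field, keep the full path
            print
        }'
}

# List immutable files in each directory given as an argument.
# Non-recursive on purpose, so lsattr prints no "dir:" header lines.
scan_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        lsattr -a "$d" 2>/dev/null
    done | immutable_paths
}

# Constructed sample, not output from the machine in the thread.
sample_lsattr() {
    cat <<'EOF'
-------------e-- /bin/ls
----i--------e-- /bin/ps
-------------e-- /bin/kill
----ia-------e-- /bin/my tool
EOF
}

# Run a real scan only when directories are passed, e.g.:
#   sh scan.sh /bin /sbin /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

A hit only shows that the attribute is set; it does not show what set it.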