Re: Rooted? Could anything innocently alter the "i" flag?
On 23 Mar 2004, Anthony Campbell wrote:
> On 23 Mar 2004, Kevin Mark wrote:
> > On Tue, Mar 23, 2004 at 08:52:35AM +0000, Anthony Campbell wrote:
> > > On 23 Mar 2004, Mark McRitchie wrote:
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Anthony Campbell [mailto:ac@acampbell.org.uk]
> > > > > Sent: 22 March 2004 20:07
> > > > >
> > <snip>
> > > because a routine upgrade of procps failed because it could not make a
> > > link to /bin/ps. I eventually found that it was due to the "i" flag on
> > > that file. I removed the flag and it then worked. However, last night I
> > > found that the flag had returned. I removed it again.
> > >
> > > Today, I found that upgrading procps failed again, this time because it
> > > was unable to create /bin/kill. But /bin/kill does not have the "i" flag
> > > set. So it definitely seems that something strange is happening.
> > >
> > > AC
> > Hi Anthony,
> > Are any scripts run in cron jobs?
> > Are there any packages installed that are related to
> > security/administration? Check 'dpkg -l'. Maybe you would like a file
> > alteration program like fam installed?
> > Just a thought.
> > -Kev
>
> Quite a few things are run as cron, mainly creating backups nightly and
> trimming log files.
>
> I just looked at fam; it seems to want to install portmap, which I've
> removed for security reasons (ha ha!).
>
> AC
>
>
A little later: I just found that the "i" flag had been set on /bin
rather than on a particular file. I can't imagine any way this could not
be malicious. Anyone disagree?
A new copy of chkroot did not show anything.
If I reinstall, can I preserve my /home and/or /usr/local files? I do
have a backup for /home which probably antedates the problem but I'd
like to save the recent stuff if possible.
--
ac@acampbell.org.uk || http://www.acampbell.org.uk
using Linux GNU/Debian || for book reviews, electronic
Windows-free zone || books and skeptical articles
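An added example, not from any poster in this thread: a small audit script for the situation Anthony describes, where the "i" (immutable) attribute keeps reappearing and was finally found on the /bin directory entry itself rather than on a file. It assumes e2fsprogs' lsattr with its usual "<attributes> <path>" output, and the baseline path is a placeholder.

```shell
#!/bin/sh
# Audit chattr-style attributes across system directories. Added example for
# this thread, not any poster's code. Assumes lsattr (e2fsprogs) on ext2/ext3
# and its output format "<attribute field> <path>".

# parse_attr_lines: read lsattr output on stdin and print "immutable PATH" or
# "append-only PATH" for each entry whose attribute field contains i or a.
parse_attr_lines() {
    while IFS= read -r line; do
        attrs=${line%% *}      # first field: the attribute flags
        path=${line#* }        # rest of the line: the path (may contain spaces)
        case $attrs in *i*) echo "immutable $path" ;; esac
        case $attrs in *a*) echo "append-only $path" ;; esac
    done
}

# audit_attrs DIR...: flagged entries under each directory, including the
# directory entry itself (lsattr -d), which is where the "i" turned up above.
audit_attrs() {
    for d in "$@"; do
        lsattr -d "$d" 2>/dev/null
        lsattr -R "$d" 2>/dev/null | grep '^[-a-zA-Z]* /'
    done | parse_attr_lines | sort -u
}

# flag_new_entries BASELINE: read audit lines on stdin, print any absent from
# BASELINE (saved from audit_attrs on a known-good system), return 1 if found.
flag_new_entries() {
    if grep -vxF -f "$1"; then return 1; fi
    return 0
}

# Usage (baseline path is a placeholder): save a baseline once, then re-run
# from cron and alert on a non-zero exit status.
#   audit_attrs /bin /sbin /usr/bin /usr/sbin /lib > /var/lib/attr-baseline
#   sh this.sh /var/lib/attr-baseline /bin /sbin /usr/bin /usr/sbin /lib
if [ $# -gt 1 ]; then
    baseline=$1; shift
    audit_attrs "$@" | flag_new_entries "$baseline"
fi
```

A new entry such as "immutable /bin" showing up between runs narrows the cause to whatever ran in that window (cron jobs included); a compromised host can also have lsattr replaced, so a clean result from the host's own binaries is only indicative, and a check from trusted rescue media is stronger.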