
Re: Changing binaries



Steve, I think you've hit the nail on the head. Running clamscan (didn't know it even existed until a few minutes ago) shows the following:

/bin/bash: Linux.RST.B FOUND
/bin/mv: Linux.RST.B FOUND
/bin/grep: Linux.RST.B FOUND
/bin/mt-gnu: Linux.RST.B FOUND
/bin/tcsh: Linux.RST.B FOUND

on the first run, and then on the second run, 24 files now infected :(

Now just need to figure out how to get rid of it, or is it a case of a rebuild?

Thanks

Giles


Steve Kemp <skx@debian.org> wrote:
On Mon, Jul 31, 2006 at 09:41:51PM +0100, Giles McGarry wrote:

> I have a problem at the moment, strangely various binaries in the /bin
> directory are changing size and becoming corrupt. When I restore the
> original they work ok, and then at some time later they change size and
> stop working. I've now restored all of the files (there's about a dozen)
> into /bin2 which I can use when the ones in /bin get corrupt. The
> original (and working) file in /bin2 is as follows:

I'd strongly suggest that you consider the possibility that you've
been rooted and have a virus modifying your binaries, or something
else similarly malicious.

Clearly "resetting" your corrupted binaries only to have them
be modified again isn't a workable solution.

If you have known-good backups I'd suggest archiving the system
and reinstalling.

If you have another system which is safe then I'd suggest
scanning a binary or two which has been enlarged/modified to
see if you can identify a virus of some kind. (Contrary to
popular belief Linux viruses do exist, and this would perfectly
explain the size gain and perhaps the segmentation faults.)

ClamAV should detect several viruses, failing that feel
free to bzip/compress a bad binary and place it online for
the curious to examine - cautiously.

Steve
--
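
The size-change check discussed in this thread, as an added example that is not part of the original messages: it compares a suspect directory (such as /bin) against a known-good copy (such as the /bin2 restore) by SHA-256 and reports which files were altered and by how many bytes. The function name `changed_binaries` is hypothetical, and the script assumes it is run from a separate, trusted system with the suspect disk mounted read-only, since a modified /bin/bash or coreutils cannot be trusted to report honestly.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: executed on a trusted machine; SUSPECT_DIR is a read-only mount
# of the affected system's directory, GOOD_DIR holds known-good copies.

# changed_binaries SUSPECT_DIR GOOD_DIR
# Prints one line per regular file of GOOD_DIR that is missing or altered:
#   CHANGED <name> <good_size_bytes> <suspect_size_bytes>
#   MISSING <name>
changed_binaries() {
    suspect=$1
    good=$2
    for ref in "$good"/*; do
        # Skip directories and the unexpanded glob of an empty directory.
        [ -f "$ref" ] || continue
        name=${ref##*/}
        cand=$suspect/$name
        if [ ! -f "$cand" ]; then
            echo "MISSING $name"
            continue
        fi
        # Compare content hashes; size alone would miss same-length changes.
        ref_sum=$(sha256sum < "$ref" | cut -d' ' -f1)
        cand_sum=$(sha256sum < "$cand" | cut -d' ' -f1)
        if [ "$ref_sum" != "$cand_sum" ]; then
            ref_size=$(wc -c < "$ref" | tr -d ' ')
            cand_size=$(wc -c < "$cand" | tr -d ' ')
            echo "CHANGED $name $ref_size $cand_size"
        fi
    done
}

# Run directly as: script.sh /mnt/suspect/bin /mnt/suspect/bin2
# (both paths are placeholders for wherever the disk is mounted).
if [ "$#" -eq 2 ]; then
    changed_binaries "$1" "$2"
fi
```

Files reported as CHANGED are the ones worth scanning on the trusted system; an empty report only shows that the listed files match the reference copies, not that the system is clean.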

