
"weird file"???



This morning's cron run of aide and chkrootkit turned up some things I
don't understand. Here's a sample:

AIDE produced no errors.
Output of the daily AIDE run (165 lines):
File /lib/modules/2.6.16-lapdog/kernel/sound/core/snd-pcm.ko in databases
+has different attributes, 16317,4029
<snip>

Something is definitely wrong:
root@/lib/modules/2.6.16-lapdog/kernel/sound/core# ls -l snd.ko
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 snd.ko
(On another laptop, the corresponding file looks like this:
# ls -l snd.ko
-rw-r--r-- 1 root root 56329 2006-10-01 12:07 snd.ko)

Chkrootkit also reports some nearby strangenesses:
/etc/cron.daily/chkrootkit:
/usr/bin/find: /lib/modules/2.6.16-lapdog/kernel/sound/pci: Not a directory
<snip>
The contents of that directory (and others) are listed as having been
removed, e.g.
removed:/lib/modules/2.6.16-lapdog/kernel/sound/pci/snd-intel8x0.ko

The new "Not a directory" pci looks suspicious in the same way:
root@/lib/modules/2.6.16-lapdog/kernel/sound# ls -l pci
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 pci


All such new "weird" files resist being deleted by rm -f, and chmod -t
won't remove the sticky bit, with this explanation:
chmod: changing permissions of `snd.ko': Operation not permitted

Lastly, rm -d on the "Not a directory" returns a curious message:
root@/lib/modules/2.6.16-lapdog/kernel/sound# rm -d pci
rm: remove write-protected weird file `pci'? yes
rm: cannot remove `pci':Operation not permitted

I don't know whether it's related, but chkrootkit also finds a new
suspicious file: 
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
<snip>
/lib/init/rw/.ramfs

I'm at a loss as to what to make of all this. Ideas/directions
gratefully accepted.

-- 
JohnRChamplin@columbus.rr.com
====================================================
PGP key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63
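The ls lines above show stat() fields no real kernel object has: an unrecognised file type (the leading `?`), every permission bit set, owner/group 4294967295 (which is (uid_t)-1) and an mtime before the epoch. The following script is an added example, not part of the original post or of AIDE/chkrootkit; it walks a tree with lstat() and reports entries whose fields match that pattern, so a follow-up check of /lib/modules can be done without eyeballing each listing. The sample tuples are constructed from the numbers quoted in the post.

```python
import os
import stat
import sys

# 4294967295 is (uid_t)-1; the kernel never assigns it to a real file,
# so it is a strong sign that the stat() data itself is garbage.
INVALID_ID = 2**32 - 1

# File-type bits that "ls -l" knows how to name; anything else prints '?'.
KNOWN_TYPES = (stat.S_IFREG, stat.S_IFDIR, stat.S_IFLNK, stat.S_IFCHR,
               stat.S_IFBLK, stat.S_IFIFO, stat.S_IFSOCK)


def classify(st_mode, st_uid, st_gid, st_mtime):
    """Return a list of anomalies in one set of stat() fields (empty = sane)."""
    findings = []
    if stat.S_IFMT(st_mode) not in KNOWN_TYPES:
        findings.append("unknown file type (ls shows '?')")
    # setuid + setgid + sticky + rwxrwxrwx is the 0o7777 pattern behind
    # "rwsrwsrwt"; nothing under /lib/modules should ever look like that.
    if st_mode & 0o7777 == 0o7777:
        findings.append("every permission bit set (rwsrwsrwt)")
    if st_uid == INVALID_ID or st_gid == INVALID_ID:
        findings.append("owner or group is (uid_t)-1")
    if st_mtime <= 0:
        findings.append("mtime at or before the Unix epoch")
    return findings


def scan_tree(root):
    """Walk root with lstat(); yield (path, anomalies) for suspect entries."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError as exc:  # e.g. the ENOTDIR chkrootkit ran into
                yield path, ["lstat failed: %s" % exc.strerror]
                continue
            findings = classify(st.st_mode, st.st_uid, st.st_gid, st.st_mtime)
            if findings:
                yield path, findings


# Constructed sample: the fields behind the poster's "?rwsrwsrwt" snd.ko line.
WEIRD_SND_KO = (0o177777, 4294967295, 4294967295, -60)
# Constructed sample: the healthy snd.ko from the other laptop (2006-10-01).
SANE_SND_KO = (stat.S_IFREG | 0o644, 0, 0, 1159704420)

if __name__ == "__main__":
    for path, findings in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/lib/modules"):
        print(path, "; ".join(findings))
```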
