[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

"weird file"???

This morning's cron run of aide and chkrootkit turned up some things I
don't understand. Here's a sample:

AIDE produced no errors.
Output of the daily AIDE run (165 lines):
File /lib/modules/2.6.16-lapdog/kernel/sound/core/snd-pcm.ko in databases
+has different attributes, 16317,4029

Something is definitely wrong:
root@/lib/modules/2.6.16-lapdog/kernel/sound/core# ls -l snd.ko
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 snd.ko
(On another laptop, the corrresponding file looks like this:
# ls -l snd.ko
-rw-r--r-- 1 root root 56329 2006-10-01 12:07 snd.ko)

Chkrootkit also reports some nearby strangenesses:
/usr/bin/find: /lib/modules/2.6.16-lapdog/kernel/sound/pci: Not a directory
The contents of that directory (and others) are listed as having been
removed, e.g.

The new "Not a directory" pci looks suspicious in the same way:
root@/lib/modules/2.6.16-lapdog/kernel/sound# ls -l pci
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 pci

All such new "weird" files resist being deleted by rm -f, and chmod -t
 won't remove the sticky bit, with this explanation:
chmod: changing permissions of `snd.ko': Operation not permitted

Lastly, rm -d on the "Not a directory" returns a curious message: 
root@/lib/modules/2.6.16-lapdog/kernel/sound# rm -d pci 
rm: remove write-protected weird file `pci'? yes
rm: cannot remove `pci':Operation not permitted

I don't know whether it's related, but chkrootkit also finds a new
suspicious file: 
The following suspicious files and directories were found:

I'm at a loss as to what to make of all this. Ideas/directions
gratefully accepted.

PGP key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63

Attachment: signature.asc
Description: Digital signature

Reply to: