On (01/10/06 12:39), John - wrote:
> This morning's cron run of aide and chkrootkit turned up some things I
> don't understand. Here's a sample:
>
> AIDE produced no errors.
> Output of the daily AIDE run (165 lines):
> File /lib/modules/2.6.16-lapdog/kernel/sound/core/snd-pcm.ko in databases
> +has different attributes, 16317,4029
> <snip>
>
> Something is definitely wrong:
> root@/lib/modules/2.6.16-lapdog/kernel/sound/core# ls -l snd.ko
> ?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 snd.ko
> (On another laptop, the corresponding file looks like this:
> # ls -l snd.ko
> -rw-r--r-- 1 root root 56329 2006-10-01 12:07 snd.ko)
>
> Chkrootkit also reports some nearby strangenesses:
> /etc/cron.daily/chkrootkit:
> /usr/bin/find: /lib/modules/2.6.16-lapdog/kernel/sound/pci: Not a directory
> <snip>
> The contents of that directory (and others) are listed as having been
> removed, e.g.
> removed:/lib/modules/2.6.16-lapdog/kernel/sound/pci/snd-intel8x0.ko
>
> The new "Not a directory" pci looks suspicious in the same way:
> root@/lib/modules/2.6.16-lapdog/kernel/sound# ls -l pci
> ?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 pci
>
> All such new "weird" files resist being deleted by rm -f, and chmod -t
> won't remove the sticky bit, with this explanation:
> chmod: changing permissions of `snd.ko': Operation not permitted
>
> Lastly, rm -d on the "Not a directory" returns a curious message:
> root@/lib/modules/2.6.16-lapdog/kernel/sound# rm -d pci
> rm: remove write-protected weird file `pci'? yes
> rm: cannot remove `pci': Operation not permitted
>
> I don't know whether it's related, but chkrootkit also finds a new
> suspicious file:
> /etc/cron.daily/chkrootkit:
> The following suspicious files and directories were found:
> <snip>
> /lib/init/rw/.ramfs
>
> I'm at a loss as to what to make of all this. Ideas/directions
> gratefully accepted.
I still do not understand what happened, but after #shutdown -r -F now it
has gone away, and things are back to normal. Go figure ...

-- 
JohnRChamplin@columbus.rr.com
====================================================
PGP key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63
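The `ls -l` lines in the message above, as an added example that is not part of the original thread: a small Python triage script that flags directory entries whose fields are the sentinel values John saw (nlink 65535, uid/gid/size 4294967295, a 1969-12-31 18:59 timestamp, a '?' type column with rwsrwsrwt permissions). Reading those values as all-ones fields (65535 = 2**16-1, 4294967295 = 2**32-1, time_t -1 = 1969-12-31 23:59:59 UTC = 18:59 in a UTC-5 zone such as US Eastern, mode 0o177777 = no recognisable type bit plus rwsrwsrwt) is my interpretation, not something the thread establishes. The sample lines are copied from the post; `triage_ls_output`, `check_stat` and `scan_tree` are helpers I wrote, and `scan_tree` is meant for enumerating such entries under /lib/modules before deciding whether to reboot or reinstall the package.

```python
#!/usr/bin/env python3
"""Triage the "weird file" symptoms from the post above (added example).

* triage_ls_output(): parse `ls -l` lines and flag entries whose fields are
  the all-ones sentinels seen in the post (assumption: a stat buffer of
  0xFF bytes rather than real metadata).
* scan_tree(): lstat() a live tree and flag entries whose lstat() fails or
  comes back with the same sentinel values.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass, field

U16_MAX = 2**16 - 1          # 65535, an all-ones 16-bit nlink
U32_MAX = 2**32 - 1          # 4294967295, an all-ones 32-bit uid/gid/size
MODE_ALL_ONES = "rwsrwsrwt"  # what permission bits 0o7777 decode to in ls

# Sample `ls -l` output copied from the post: two bad entries, one normal one.
SAMPLE_LS = """\
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 snd.ko
-rw-r--r-- 1 root root 56329 2006-10-01 12:07 snd.ko
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 pci
"""

LS_RE = re.compile(
    r"^(?P<mode>\S{10})\s+(?P<nlink>\d+)\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)

KNOWN_TYPES = {stat.S_IFREG, stat.S_IFDIR, stat.S_IFLNK, stat.S_IFCHR,
               stat.S_IFBLK, stat.S_IFIFO, stat.S_IFSOCK}


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def parse_ls_line(line):
    """Return a Finding for one `ls -l` line; reasons is empty for a sane entry."""
    m = LS_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError(f"unparseable ls -l line: {line!r}")
    f = Finding(m["name"])
    mode = m["mode"]
    if mode[0] == "?":
        f.reasons.append("type column is '?' (no recognisable S_IFMT bits)")
    if mode[1:] == MODE_ALL_ONES:
        f.reasons.append("mode is all ones (rwsrwsrwt)")
    if int(m["nlink"]) == U16_MAX:
        f.reasons.append("nlink == 2**16-1")
    for name in ("uid", "gid", "size"):
        if m[name] == str(U32_MAX):
            f.reasons.append(f"{name} == 2**32-1")
    if m["date"] <= "1970-01-01":   # time_t -1 rendered in any local zone
        f.reasons.append("mtime at or before the epoch")
    return f


def triage_ls_output(text):
    """Parse a block of `ls -l` lines and return only the suspicious entries."""
    parsed = (parse_ls_line(line) for line in text.splitlines() if line.strip())
    return [f for f in parsed if f.reasons]


def check_stat(path, st):
    """Apply the same sentinel checks to a real os.stat_result."""
    reasons = []
    if stat.S_IFMT(st.st_mode) not in KNOWN_TYPES:
        reasons.append("unknown S_IFMT type bits")
    if stat.S_IMODE(st.st_mode) == 0o7777:
        reasons.append("mode is all ones (rwsrwsrwt)")
    if st.st_uid == U32_MAX or st.st_gid == U32_MAX:
        reasons.append("uid/gid == 2**32-1")
    if st.st_mtime < 0:
        reasons.append("negative mtime")
    return Finding(path, reasons)


def scan_tree(root):
    """lstat() everything under root; report failures and sentinel-valued entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                st = os.lstat(path)
            except OSError as e:
                findings.append(Finding(path, [f"lstat failed: {e.strerror}"]))
                continue
            f = check_stat(path, st)
            if f.reasons:
                findings.append(f)
    return findings


def demo_scan():
    """Scan a fresh temp dir holding one ordinary file; expect no findings."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ok.ko"), "w") as fh:
            fh.write("x")
        return scan_tree(d)


if __name__ == "__main__":
    for f in triage_ls_output(SAMPLE_LS):
        print(f.name, "->", "; ".join(f.reasons))
    print("live scan of temp dir:", demo_scan())
```

Run it as root with `scan_tree("/lib/modules")` to get the full list of affected entries in one pass; a plain `find` cannot do this, because, as the chkrootkit output shows, `find` stops with "Not a directory" when it tries to descend into one of the bad entries, whereas `os.walk` records the failed `lstat()` and keeps going.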