Re: "weird file"??? [NOT SOLVED, BUT GONE ...]

To: debian-user@lists.debian.org
Subject: Re: "weird file"??? [NOT SOLVED, BUT GONE ...]
From: John - <JohnRChamplin@columbus.rr.com>
Date: Sun, 1 Oct 2006 13:18:27 -0400
Message-id: <[🔎] 20061001171827.GA13614@columbus.rr.com>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20061001163940.GA9475@columbus.rr.com>
References: <[🔎] 20061001163940.GA9475@columbus.rr.com>

On (01/10/06 12:39), John - wrote:
> This morning's cron run of aide and chkrootkit turned up some things I
> don't understand. Here's a sample:
> 
> AIDE produced no errors.
> Output of the daily AIDE run (165 lines):
> File /lib/modules/2.6.16-lapdog/kernel/sound/core/snd-pcm.ko in databases
> +has different attributes, 16317,4029
> <snip>
> 
> Something is definitely wrong:
> root@/lib/modules/2.6.16-lapdog/kernel/sound/core# ls -l snd.ko
> ?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 snd.ko
> (On another laptop, the corrresponding file looks like this:
> # ls -l snd.ko
> -rw-r--r-- 1 root root 56329 2006-10-01 12:07 snd.ko)
> 
> Chkrootkit also reports some nearby strangenesses:
> /etc/cron.daily/chkrootkit:
> /usr/bin/find: /lib/modules/2.6.16-lapdog/kernel/sound/pci: Not a directory
> <snip>
> The contents of that directory (and others) are listed as having been
> removed, e.g.
> removed:/lib/modules/2.6.16-lapdog/kernel/sound/pci/snd-intel8x0.ko
> 
> The new "Not a directory" pci looks suspicious in the same way:
> root@/lib/modules/2.6.16-lapdog/kernel/sound# ls -l pci
> ?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 pci
> 
> 
> All such new "weird" files resist being deleted by rm -f, and chmod -t
>  won't remove the sticky bit, with this explanation:
> chmod: changing permissions of `snd.ko': Operation not permitted
> 
> Lastly, rm -d on the "Not a directory" returns a curious message: 
> root@/lib/modules/2.6.16-lapdog/kernel/sound# rm -d pci 
> rm: remove write-protected weird file `pci'? yes
> rm: cannot remove `pci':Operation not permitted
> 
> I don't know whether it's related, but chkrootkit also finds a new
> suspicious file: 
> /etc/cron.daily/chkrootkit:
> The following suspicious files and directories were found:
> <snip>
> /lib/init/rw/.ramfs
> 
> I'm at a loss as to what to make of all this. Ideas/directions
> gratefully accepted.

I still do not understand what happened, but after
#shutdown -r -F now
it has gone away, and things are back to normal.

Go figure ...

-- 
JohnRChamplin@columbus.rr.com
====================================================
PGP key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- "weird file"???
  - From: John - <JohnRChamplin@columbus.rr.com>

Prev by Date: Re: Spam and spam filtering, a problem new to me
Next by Date: Re: debian forum
Previous by thread: "weird file"???
Next by thread: clock in xfce
Index(es):
- Date
- Thread