[PLUG] What caused damage to my /bin/ls file?

alan alan at clueserver.org
Wed Feb 19 11:19:01 UTC 2003


Run strings on it and see if it is a trojaned version.  (And they botched 
it.)

Are you using tripwire?  If so, what other binaries are affected?

On Wed, 19 Feb 2003, David Mandel wrote:

> 
> Something strange happened and I can not explain it.
> Any ideas?
> 
> My system has a file /bin/ls
> At 1:00 AM last night it ran the ls command as one would expect.
> At 9:00 AM after a system reboot which probably isn't relevant it
> gave me a "bash: /bin/ls: cannot execute binary file" error.
> 
> I got out a copy of ls, which I will call goodls and ran:
> 
>          goodls -l /bin/ls
> which gave:
>       -rwxr-xr-x    1 root     root        46784 Mar 23  2002 /bin/ls
> just as I would expect.  However, /bin/ls would not run.
> So, I ran diff goodls /bin/ls which indicated that the files differ.
> (They shouldn't differ.  goodls was a backup I made of /bin/ls a week ago.)
> So I ran
>         file /bin/ls
> which gave:
>        /bin/ls: Sendmail frozen configuration  - version &&      &      &      &     &
> This is certainly NOT correct.  It should be an ELF 32-bit LSB executable.
> 
> Next, I used od -bc to look for differences in ls and goodls.
> The first 20k of the two files differ.  After that they are identical.
> 
> All of this made me wonder if a cracker had gotten me, so I started
> looking at other files and my log files and other systems on the
> same network, and so on.  I haven't found abnormalities so far, other
> than the /bin/ls file on that one machine.
> 
> Anyone have any guesses as to how that file got corrupted?
> It is really bugging me.
> 
> 
>                                           Sincerely,
>                                           David Mandel
>                                           Chief Activist
>                                           Portland Linux/Unix Group
>                                           1440 NE 59th
>                                           Portland, Oregon 97213
>                                           (360) 260-2066 at work
>                                           (541) 730-5285 cell
> 
>    ======================================================================
>    David Mandel, Product Manager       http://www.MicroSharp.com
>                           Other Affiliations
>    David Mandel                        http://www.DavidMandel.com
>    Portland Linux/Unix Group           http://pdxLinux.org
>    LinuxFund                           http://LinuxFund.org
>    ======================================================================
> 
> 
> 
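
The comparison described in this thread (a suspect /bin/ls against a saved copy, then finding where the two differ), as an added example that is not part of the original messages. The function names, the 512-byte block size and the sample bytes are assumptions made for illustration; the sample is constructed to match the size and the "first 20k" damage reported above.

```python
import hashlib
import sys

ELF_MAGIC = b"\x7fELF"  # first four bytes of any ELF executable

def differing_blocks(suspect, good, block=512):
    """Merged (start, end) byte ranges, end exclusive, whose blocks differ."""
    ranges = []
    length = max(len(suspect), len(good))
    for off in range(0, length, block):
        if suspect[off:off + block] != good[off:off + block]:
            end = min(off + block, length)
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)  # extend the current run
            else:
                ranges.append((off, end))
    return ranges

def triage(suspect, good, block=512):
    """Summarise how a suspect binary departs from a reference copy."""
    return {
        "size_match": len(suspect) == len(good),
        "suspect_is_elf": suspect.startswith(ELF_MAGIC),
        "good_is_elf": good.startswith(ELF_MAGIC),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "good_sha256": hashlib.sha256(good).hexdigest(),
        "damaged": differing_blocks(suspect, good, block),
    }

def make_sample():
    """Constructed stand-ins: same size as the post's ls, first 20k overwritten."""
    good = ELF_MAGIC + bytes((i * 7 + 3) % 251 for i in range(46780))
    suspect = b"\x00" * 20480 + good[20480:]
    return good, suspect

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py SUSPECT KNOWN_GOOD
        with open(sys.argv[1], "rb") as s, open(sys.argv[2], "rb") as g:
            report = triage(s.read(), g.read())
    else:
        report = triage(*reversed(make_sample()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A saved copy on the same disk is only as trustworthy as the machine it sits on; a copy taken from the distribution package or read-only media makes a better reference.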