[PLUG] What caused damage to my /bin/ls file?
alan
alan at clueserver.org
Wed Feb 19 11:19:01 UTC 2003
Run strings on it and see if it is a trojaned version. (And they botched
it.)
Are you using tripwire? If so, what other binaries are affected?
On Wed, 19 Feb 2003, David Mandel wrote:
>
> Something strange happened and I can not explain it.
> Any ideas?
>
> My system has a file /bin/ls
> At 1:00 AM last night it ran the ls command as one would expect.
> At 9:00 AM after a system reboot which probably isn't relevant it
> gave me a "bash: /bin/ls: cannot execute binary file" error.
>
> I got out a copy of ls, which I will call goodls and ran:
>
> goodls -l /bin/ls
> which gave:
> -rwxr-xr-x 1 root root 46784 Mar 23 2002 /bin/ls
> just as I would expect. However, /bin/ls would not run.
> So, I ran diff goodls /bin/ls which indicated that the files differ.
> (They shouldn't differ. goodls was a backup I made of /bin/ls a week ago.)
> So I ran
> file /bin/ls
> which gave:
> /bin/ls: Sendmail frozen configuration - version && & & & &
> This is certainly NOT correct. It should be an ELF 32-bit LSB executable.
>
> Next, I used od -bc to look for differences in ls and goodls.
> The first 20k of the two files differ. After that they are identical.
>
> All of this made me wonder if a cracker had gotten me, so I started
> looking at other files and my log files and other systems on the
> same network, and so on. I haven't found abnormalities so far, other
> than the /bin/ls file on that one machine.
>
> Anyone have any guesses as to how that file got corrupted?
> It is really bugging me.
>
>
> Sincerely,
> David Mandel
> Chief Activist
> Portland Linux/Unix Group
> 1440 NE 59th
> Portland, Oregon 97213
> (360) 260-2066 at work
> (541) 730-5285 cell
>
> ======================================================================
> David Mandel, Product Manager http://www.MicroSharp.com
> Other Affiliations
> David Mandel http://www.DavidMandel.com
> Portland Linux/Unix Group http://pdxLinux.org
> LinuxFund http://LinuxFund.org
> ======================================================================
>
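Added example, not part of either post: a POSIX shell sketch of the comparison described in the quoted message (known-good copy versus suspect file), reporting whether the suspect still starts with an ELF header and how far the differing bytes extend. The function names and the constructed sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, sample data is constructed.

# is_elf FILE: succeed if FILE begins with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# diff_extent GOOD SUSPECT: print "first last count" (0-based byte offsets of
# the first and last differing byte, and how many bytes differ), or "none".
# cmp -l only compares the common prefix, so check the sizes separately.
diff_extent() {
    cmp -l "$1" "$2" 2>/dev/null | awk '
        NR == 1 { first = $1 - 1 }
                { last = $1 - 1; n++ }
        END     { if (n) print first, last, n; else print "none" }'
}

# triage GOOD SUSPECT: one-screen summary for the incident notes.
triage() {
    if is_elf "$2"; then echo "magic: ELF"; else echo "magic: NOT ELF"; fi
    echo "size:  good=$(wc -c < "$1") suspect=$(wc -c < "$2")"
    echo "diff:  $(diff_extent "$1" "$2")"
}

# make_sample DIR: build a constructed pair shaped like the report: a 46784-byte
# "goodls" with an ELF magic, and "ls" whose first 20480 bytes are overwritten.
make_sample() {
    { printf '\177ELF'; head -c 46780 /dev/zero | tr '\0' 'A'; } > "$1/goodls"
    { head -c 20480 /dev/zero | tr '\0' 'B'; tail -c +20481 "$1/goodls"; } > "$1/ls"
}

# Usage: script GOOD SUSPECT   (with no arguments, only the functions are defined)
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

Run the comparison with a known-good copy of the tools from read-only media, since the utilities on the affected host are themselves in question.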