[PLUG] What caused damage to my /bin/ls file?

Phil Tomson ptkwt at aracnet.com
Wed Feb 19 11:23:01 UTC 2003


Sounds like you've been hacked.... Similar thing happened on one of my
machines running an old version of Mandrake back in December.  Check
your logs.  Also check to see if any new mystery users have been added in
the last few days.

Phil

On Wed, 19 Feb 2003, David Mandel wrote:

>
> Something strange happened and I can not explain it.
> Any ideas?
>
> My system has a file /bin/ls
> At 1:00 AM last night it ran the ls command as one would expect.
> At 9:00 AM after a system reboot which probably isn't relevant it
> gave me a "bash: /bin/ls: cannot execute binary file" error.
>
> I got out a copy of ls, which I will call goodls and ran:
>
>          goodls -l /bin/ls
> which gave:
>       -rwxr-xr-x    1 root     root        46784 Mar 23  2002 /bin/ls
> just as I would expect.  However, /bin/ls would not run.
> So, I ran diff goodls /bin/ls which indicated that the files differ.
> (They shouldn't differ.  goodls was a backup I made of /bin/ls a week ago.)
> So I ran
>         file /bin/ls
> which gave:
>        /bin/ls: Sendmail frozen configuration  - version &&      &      &      &     &
> This is certainly NOT correct.  It should be an ELF 32-bit LSB executable.
>
> Next, I used od -bc to look for differences in ls and goodls.
> The first 20k of the two files differ.  After that they are identical.
>
> All of this made me wonder if a cracker had gotten me, so I started
> looking at other files and my log files and other systems on the
> same network, and so on.  I haven't found abnormalities so far, other
> than the /bin/ls file on that one machine.
>
> Anyone have any guesses as to how that file got corrupted?
> It is really bugging me.
>
>
>                                           Sincerely,
>                                           David Mandel
>                                           Chief Activist
>                                           Portland Linux/Unix Group
>                                           1440 NE 59th
>                                           Portland, Oregon 97213
>                                           (360) 260-2066 at work
>                                           (541) 730-5285 cell
>
>    ======================================================================
>    David Mandel, Product Manager       http://www.MicroSharp.com
>                           Other Affiliations
>    David Mandel                        http://www.DavidMandel.com
>    Portland Linux/Unix Group           http://pdxLinux.org
>    LinuxFund                           http://LinuxFund.org
>    ======================================================================
>
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
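
The comparison described in the quoted message (goodls against /bin/ls, using file and od), as an added example that is not part of either message: a Python sketch that checks the ELF magic and reports the byte ranges where a suspect binary differs from a known-good copy. The file contents and the 20480-byte overwrite are constructed sample data; only the 46784-byte size is taken from the listing above.

```python
import hashlib
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file
CHUNK = 4096

def diff_ranges(suspect, good):
    """Return [start, end) byte ranges where the two files differ."""
    ranges, offset = [], 0
    with open(suspect, "rb") as s, open(good, "rb") as g:
        while True:
            a, b = s.read(CHUNK), g.read(CHUNK)
            if not a and not b:
                break
            for i in range(max(len(a), len(b))):
                if i < len(a) and i < len(b) and a[i] == b[i]:
                    continue
                pos = offset + i  # differing byte, or one file is shorter
                if ranges and ranges[-1][1] == pos:
                    ranges[-1][1] = pos + 1  # extend the current run
                else:
                    ranges.append([pos, pos + 1])
            offset += max(len(a), len(b))
    return [tuple(r) for r in ranges]

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(suspect, good):
    return {
        "elf_magic": Path(suspect).read_bytes()[:4] == ELF_MAGIC,
        "same_size": Path(suspect).stat().st_size == Path(good).stat().st_size,
        "identical": sha256(suspect) == sha256(good),
        "diff_ranges": diff_ranges(suspect, good),
    }

def demo():
    # Constructed sample: a stand-in 46784-byte "binary" whose first 20480 bytes
    # are overwritten in the suspect copy (assumed figure for "the first 20k").
    good = ELF_MAGIC + bytes((i * 7 + 1) % 251 for i in range(46780))
    bad = bytes(b ^ 0xFF for b in good[:20480]) + good[20480:]
    with tempfile.TemporaryDirectory() as d:
        gp, bp = Path(d) / "goodls", Path(d) / "ls"
        gp.write_bytes(good)
        bp.write_bytes(bad)
        return triage(bp, gp)

if __name__ == "__main__":
    print(demo())
```

A result with same_size true, identical false and one range starting at offset 0 matches the symptoms in the message: the directory listing looks normal while the header and leading bytes no longer belong to an ELF executable.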
