[PLUG] What caused damage to my /bin/ls file?

David Mandel dmandel at pdxLinux.org
Wed Feb 19 11:36:02 UTC 2003


I forgot to mention that this system was not configured for security.
It has lots of services on it, but most of them are turned off.
I believe the only routinely open ports are:

         Port       State       Service
         22/tcp     open        ssh
         25/tcp     open        smtp
         515/tcp    open        printer

Others are opened when needed.

The system is also protected by an external firewall most of the
time and this firewall is moderately tight, although I'm pretty free in
letting ssh traffic in.  Last night was an exception.  The firewall
was configured to stop all incoming traffic including ssh.

                                               Dave Mandel


On Wed, 19 Feb 2003, David Mandel wrote:

>
> Something strange happened and I can not explain it.
> Any ideas?
>
> My system has a file /bin/ls
> At 1:00 AM last night it ran the ls command as one would expect.
> At 9:00 AM after a system reboot which probably isn't relevant it
> gave me a "bash: /bin/ls: cannot execute binary file" error.
>
> I got out a copy of ls, which I will call goodls and ran:
>
>          goodls -l /bin/ls
> which gave:
>       -rwxr-xr-x    1 root     root        46784 Mar 23  2002 /bin/ls
> just as I would expect.  However, /bin/ls would not run.
> So, I ran diff goodls /bin/ls which indicated that the files differ.
> (They shouldn't differ.  goodls was a backup I made of /bin/ls a week ago.)
> So I ran
>         file /bin/ls
> which gave:
>        /bin/ls: Sendmail frozen configuration  - version &&      &      &      &     &
> This is certainly NOT correct.  It should be an ELF 32-bit LSB executable.
>
> Next, I used od -bc to look for differences in ls and goodls.
> The first 20k of the two files differ.  After that they are identical.
>
> All of this made me wonder if a cracker had gotten me, so I started
> looking at other files and my log files and other systems on the
> same network, and so on.  I haven't found abnormalities so far, other
> than the /bin/ls file on that one machine.
>
> Anyone have any guesses as to how that file got corrupted?
> It is really bugging me.
>
>
>                                           Sincerely,
>                                           David Mandel
>                                           Chief Activist
>                                           Portland Linux/Unix Group
>                                           1440 NE 59th
>                                           Portland, Oregon 97213
>                                           (360) 260-2066 at work
>                                           (541) 730-5285 cell
>
>    ======================================================================
>    David Mandel, Product Manager       http://www.MicroSharp.com
>                           Other Affiliations
>    David Mandel                        http://www.DavidMandel.com
>    Portland Linux/Unix Group           http://pdxLinux.org
>    LinuxFund                           http://LinuxFund.org
>    ======================================================================
>
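The checks described in the message above (listing metadata, comparing against a backup, finding where the bytes differ) can be scripted as follows. This is an added example, not part of the original post; the function names and the sample files it builds are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare a suspect binary with a known-good copy.
# All file names and contents below are constructed samples.

# Return 0 if the file starts with the ELF magic bytes 7f 45 4c 46.
has_elf_magic() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print "first last count" for the differing bytes (1-based offsets),
# or "0 0 0" when the files match over their common length.
diff_extent() {
    { cmp -l "$1" "$2" 2>/dev/null || true; } |
        awk 'NR==1 {first=$1} {last=$1} END {print first+0, last+0, NR}'
}

# Report what size and mode alone cannot show: same length, different content.
compare_binary() {
    good=$1
    suspect=$2
    echo "size: good=$(wc -c < "$good") suspect=$(wc -c < "$suspect")"
    if has_elf_magic "$suspect"; then
        echo "suspect: ELF magic present"
    else
        echo "suspect: ELF magic missing"
    fi
    set -- $(diff_extent "$good" "$suspect")
    echo "differing bytes: $3 (offsets $1..$2)"
}

# Constructed demo: a stand-in 46784-byte "binary" whose first 20480
# bytes are overwritten in place, leaving the tail and the size intact.
demo() {
    dir=$(mktemp -d)
    { printf '\177ELF'; head -c 46780 /dev/zero | tr '\0' 'A'; } > "$dir/goodls"
    cp "$dir/goodls" "$dir/ls"
    head -c 20480 /dev/zero | tr '\0' 'B' |
        dd of="$dir/ls" conv=notrunc 2>/dev/null
    compare_binary "$dir/goodls" "$dir/ls"
    rm -rf "$dir"
}

demo
```

A single contiguous damaged range that starts at offset 1 with the size unchanged is what an in-place overwrite looks like, which is why the `ls -l` output alone showed nothing unusual.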




