[PLUG] What caused damage to my /bin/ls file?
David Mandel
dmandel at pdxLinux.org
Wed Feb 19 11:36:02 UTC 2003
I forgot to mention that this system was not configured for security.
It has lots of services on it, but most of them are turned off.
I believe the only routinely open ports are:
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
515/tcp    open        printer
Others are opened when needed.
The system is also protected by an external firewall most of the
time and this firewall is moderately tight, although I'm pretty free in
letting ssh traffic in. Last night was an exception. The firewall
was configured to stop all incoming traffic including ssh.
Dave Mandel
On Wed, 19 Feb 2003, David Mandel wrote:
>
> Something strange happened and I can not explain it.
> Any ideas?
>
> My system has a file /bin/ls
> At 1:00 AM last night it ran the ls command as one would expect.
> At 9:00 AM after a system reboot which probably isn't relevant it
> gave me a "bash: /bin/ls: cannot execute binary file" error.
>
> I got out a copy of ls, which I will call goodls, and ran:
>
> goodls -l /bin/ls
> which gave:
> -rwxr-xr-x 1 root root 46784 Mar 23 2002 /bin/ls
> just as I would expect. However, /bin/ls would not run.
> So, I ran diff goodls /bin/ls which indicated that the files differ.
> (They shouldn't differ. goodls was a backup I made of /bin/ls a week ago.)
> So I ran
> file /bin/ls
> which gave:
> /bin/ls: Sendmail frozen configuration - version && & & & &
> This is certainly NOT correct. It should be an ELF 32-bit LSB executable.
>
> Next, I used od -bc to look for differences in ls and goodls.
> The first 20k of the two files differ. After that they are identical.
>
> All of this made me wonder if a cracker had gotten me, so I started
> looking at other files and my log files and other systems on the
> same network, and so on. I haven't found abnormalities so far, other
> than the /bin/ls file on that one machine.
>
> Anyone have any guesses as to how that file got corrupted?
> It is really bugging me.
>
>
> Sincerely,
> David Mandel
> Chief Activist
> Portland Linux/Unix Group
> 1440 NE 59th
> Portland, Oregon 97213
> (360) 260-2066 at work
> (541) 730-5285 cell
>
> ======================================================================
> David Mandel, Product Manager http://www.MicroSharp.com
> Other Affiliations
> David Mandel http://www.DavidMandel.com
> Portland Linux/Unix Group http://pdxLinux.org
> LinuxFund http://LinuxFund.org
> ======================================================================
>
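The comparison described in the message above (same size and date in `ls -l`, wrong type from `file`, first 20k differing under `od`), as an added Python example that is not part of the original post. The function names, the 4096-byte block size and the sample files are constructed assumptions; only the 46784-byte size and the 20k damaged region come from the message.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"   # first four bytes of any ELF executable
BLOCK = 4096             # comparison granularity in bytes (assumed value)


def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def diff_ranges(good, suspect, block=BLOCK):
    """Return [(start, end)] block-aligned ranges (end exclusive) that differ."""
    ranges, offset = [], 0
    with open(good, "rb") as g, open(suspect, "rb") as s:
        while True:
            a, b = g.read(block), s.read(block)
            if not a and not b:
                return ranges
            end = offset + max(len(a), len(b))
            if a != b:
                if ranges and ranges[-1][1] == offset:
                    ranges[-1] = (ranges[-1][0], end)  # merge with adjacent range
                else:
                    ranges.append((offset, end))
            offset = end


def triage(good, suspect):
    """Compare a suspect binary with a known-good copy; metadata is not trusted."""
    with open(suspect, "rb") as f:
        magic = f.read(4)
    return {
        "same_size": os.path.getsize(good) == os.path.getsize(suspect),
        "suspect_is_elf": magic == ELF_MAGIC,
        "same_sha256": sha256(good) == sha256(suspect),
        "diff_ranges": diff_ranges(good, suspect),
    }


def make_sample(directory, size=46784, damaged=20 * 1024):
    """Constructed stand-ins for goodls and the damaged /bin/ls (not real binaries)."""
    good, suspect = os.path.join(directory, "goodls"), os.path.join(directory, "ls")
    data = ELF_MAGIC + bytes(size - len(ELF_MAGIC))
    with open(good, "wb") as f:
        f.write(data)
    with open(suspect, "wb") as f:
        f.write(b"\xff" * damaged + data[damaged:])
    return good, suspect


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(triage(*make_sample(d)))
```

On the constructed pair this reports matching size, a non-ELF header, differing hashes and a single differing range covering bytes 0 to 20480, which is the pattern the message describes.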