[PLUG] What caused damage to my /bin/ls file?

Mike De La Mater mikedela at ipns.com
Wed Feb 19 11:50:02 UTC 2003


Is there a possibility you've got a hardware problem? 

Although it sounds fishy that LS is the dead file, it might 
be worthwhile to check the HDD.

Mike


2/19/03 11:22:17 AM, Phil Tomson <ptkwt at aracnet.com> wrote:

>
>
>Sounds like you've been hacked.... Similar thing happened on one of my
>machines  running an old version of Mandrake back in December.  Check
>your logs.  Also check to see if any new mystery users have been added in
>the last few days.
>
>Phil
>
>On Wed, 19 Feb 2003, David Mandel wrote:
>
>>
>> Something strange happened and I can not explain it.
>> Any ideas?
>>
>> My system has a file /bin/ls
>> At 1:00 AM last night it ran the ls command as one would expect.
>> At 9:00 AM after a system reboot which probably isn't relevant it
>> gave me a "bash: /bin/ls: cannot execute binary file" error.
>>
>> I got out a copy of ls, which I will call goodls and ran:
>>
>>          goodls -l /bin/ls
>> which gave:
>>       -rwxr-xr-x    1 root     root        46784 Mar 23  2002 /bin/ls
>> just as I would expect.  However, /bin/ls would not run.
>> So, I ran diff goodls /bin/ls which indicated that the files differ.
>> (They shouldn't differ.  goodls was a backup I made of /bin/ls a week ago.)
>> So I ran
>>         file /bin/ls
>> which gave:
>>        /bin/ls: Sendmail frozen configuration  - version &&      &      &      &     &
>> This is certainly NOT correct.  It should be an ELF 32-bit LSB executable.
>>
>> Next, I used od -bc to look for differences in ls and goodls.
>> The first 20k of the two files differ.  After that they are identical.
>>
>> All of this made me wonder if a cracker had gotten me, so I started
>> looking at other files and my log files and other systems on the
>> same network, and so on.  I haven't found abnormalities so far, other
>> than the /bin/ls file on that one machine.
>>
>> Anyone have any guesses as to how that file got corrupted?
>> It is really bugging me.
>>
>>
>>                                           Sincerely,
>>                                           David Mandel
>>                                           Chief Activist
>>                                           Portland Linux/Unix Group
>>                                           1440 NE 59th
>>                                           Portland, Oregon 97213
>>                                           (360) 260-2066 at work
>>                                           (541) 730-5285 cell
>>
>>    ======================================================================
>>    David Mandel, Product Manager       http://www.MicroSharp.com
>>                           Other Affiliations
>>    David Mandel                        http://www.DavidMandel.com
>>    Portland Linux/Unix Group           http://pdxLinux.org
>>    LinuxFund                           http://LinuxFund.org
>>    ======================================================================
>>
>>
>> _______________________________________________
>> PLUG mailing list
>> PLUG at lists.pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>
Mike De La Mater
mikedela at ipns.com
503-702-6749 
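
Added example, not part of the original thread: a small triage script for the comparison described in the quoted message, checking the ELF magic on the suspect file and mapping exactly which byte ranges differ from the known-good backup. The 4096-byte block size, the function names and the sample files (sized 46784 bytes with the first 20480 bytes overwritten, to mirror the report) are assumptions constructed for illustration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
BLOCK = 4096  # assumed filesystem block size; check the real volume

def is_elf(path):  # True when the file starts with the 4-byte ELF magic
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC

def differing_extents(good_path, suspect_path, chunk=65536):
    """Half-open (start, end) byte ranges where the two files differ."""
    extents, start, offset = [], None, 0
    with open(good_path, "rb") as g, open(suspect_path, "rb") as s:
        a, b = g.read(chunk), s.read(chunk)
        while a or b:
            for i in range(max(len(a), len(b))):
                same = i < len(a) and i < len(b) and a[i] == b[i]
                if not same and start is None:
                    start = offset + i  # a differing run begins
                elif same and start is not None:
                    extents.append((start, offset + i))  # the run ends
                    start = None
            offset += max(len(a), len(b))
            a, b = g.read(chunk), s.read(chunk)
    if start is not None:  # run reaches end of file
        extents.append((start, offset))
    return extents

def triage(good_path, suspect_path):
    """Summarise how the suspect copy departs from the known-good one."""
    ext = differing_extents(good_path, suspect_path)
    aligned = bool(ext) and all(s % BLOCK == 0 and e % BLOCK == 0 for s, e in ext)
    return {"suspect_is_elf": is_elf(suspect_path), "extents": ext,
            "bytes_differing": sum(e - s for s, e in ext), "block_aligned": aligned}

def build_sample(directory):
    """Constructed data: 46784-byte 'goodls', and 'ls' with its first 20480 bytes overwritten."""
    good = ELF_MAGIC + bytes(i % 251 for i in range(46784 - 4))
    bad = bytes(x ^ 0xFF for x in good[:20480]) + good[20480:]
    paths = [os.path.join(directory, name) for name in ("goodls", "ls")]
    for path, data in zip(paths, (good, bad)):
        with open(path, "wb") as f:
            f.write(data)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(triage(*build_sample(d)))
```

Recording the exact extents and whether they fall on block boundaries gives something concrete to set beside the disk check and the log review suggested in the thread.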






