- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Weird login behaviour
- From: amos@xxxxxxxxxxxxxxxxxx
- Date: Wed, 23 Feb 2005 13:35:35 +1100
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=d5PChga9JYr/BqvPXKy+rrp4u/SlbxMEev1VP9C1zXTFOaA4xpVpSlHXpW9reFrXKS/v+4ONh5JWvLaEfXrDC2vPpAFPHVEyokIriksKRFnz4sVJFJ74jWSpehFtqheARgPGyO7LrKyw3a3J7yscYazdk1SeY5FaUz61AxCt7lw=
On Wed, 23 Feb 2005 13:08:30 +1100, Mike MacCana
> That said, even if you don't have the second item, try anyway
> - if it says that, say, netstat has a bad MD5, then you know it's bad
> - if it doesn't, then be aware there still could be a chance that the
> file has been trojaned.
Do you realize that this is a completely useless test?
Whatever the outcome of the test is - you will (or at least *should*) keep
suspecting that binary.
("If you are going to do the same thing whatever the answer is given to
a question, don't bother to ask the question" - paraphrasing an old proverb).
From the error messages reported by the original poster I suspect that:
1. Something like a very basic shared library or dynamic loader or a shell
was tampered with, the tampering was done badly and causes the
command-line to be screwed up.
2. He'd better back up his data (no programs, just data) and re-install the system
from scratch.
The list of suid programs he listed, BTW, looks reasonable to me and does not
indicate a break-in by itself.
Cheers,
--Amos
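The thread's point about checksum tests is that they are asymmetric: a bad hash proves a file was changed, but a good hash proves nothing if the tools doing the checking (shell, loader, libc, the hashing program itself) may be the part that was tampered with. The following script is an added example, not code from the SLUG thread or from any of its participants. It assumes a manifest of SHA-256 digests recorded earlier from a trusted copy of the files (for instance the distribution's original packages on read-only media) and reports files that differ, are missing, or are not in the manifest at all; the "pristine" and "live" trees, file contents and names are constructed for the demonstration.

```python
"""Verify a tree of files against a known-good hash manifest.

Added example, not part of the original thread. Assumes a manifest built
from trusted media and a live root to check. A mismatch is proof of change;
a match only says the file equals the recorded digest, which is worthless
if the checking environment itself is suspect (the thread's point), so run
this from a trusted rescue system, not from the host being examined.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_manifest(manifest: dict, root: Path) -> dict:
    """Compare the files under root with the manifest.

    Returns three lists: 'modified' (digest differs: definitely changed),
    'missing' (listed but absent) and 'unlisted' (present but not listed).
    An empty result is NOT proof the tree is clean; see module docstring.
    """
    result = {"modified": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != expected:
            result["modified"].append(rel)
    for rel in build_manifest(root):
        if rel not in manifest:
            result["unlisted"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: a pristine tree and a live tree with one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        live = Path(tmp) / "live"
        for d in (pristine, live):
            (d / "bin").mkdir(parents=True)
            # Constructed placeholder contents, not real binaries.
            (d / "bin" / "netstat").write_bytes(b"\x7fELF placeholder netstat")
            (d / "bin" / "ls").write_bytes(b"\x7fELF placeholder ls")
        # Simulate what the thread worries about: netstat no longer matches
        # the trusted copy, and an extra file has appeared in the live tree.
        (live / "bin" / "netstat").write_bytes(b"\x7fELF placeholder netstat, altered")
        (live / "bin" / "extra").write_bytes(b"constructed unknown file")
        manifest = build_manifest(pristine)
        return verify_manifest(manifest, live)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would come from the package manager's own file database or from the original install media, and both the manifest and this script would be run from a boot medium that was never on the suspect host; that is the only way the "no mismatches" outcome carries any weight.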