Security Incidents mailing list archives

Re: Break-in attempt from 203.197.38.247


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 23 Aug 2000 13:09:08 -0400

On Tue, 22 Aug 2000 14:20:08 +0200, Cronje Schalk <schalkc () NTABA CO ZA>  said:

> What is really strange is a replacement of certain files
> 
> ?---------  14559 root     46449    4294967295 Mar 27 21:57 bashrc
> ?---------  14559 root     46449    4294967295 Mar 27 21:57 info-dir
> ?---------  14138 root     8567     4294967295 May 13  1999 named.boot
> ?---------  14694 root     2584     4294967295 Jul  7 18:49 rpc
> ?---------  14441 root     12171    4294967295 Aug 17 17:02 shells
> ?---------  14099 root     8165     4294967295 Aug 21 15:28 termcap

The dates are strange, but then so is most of the file info.

You may wish to re-try the 'ls' with a known good 'ls' binary retrieved
off the installation CD or someplace.   If THAT produces weird errors,
you're looking at either a disk failure (note the ? for file types -
that part of the inode is *not* changeable via chmod() system calls)
or a *really* talented hacker who's playing twiddle-the-bits with the
raw filesystem blocks.

On the other hand, it may just be a rootkitted /bin/ls that's trying to
hide (poorly) the fact that some files were modified.  If a known good
/bin/ls gets it right, that's your explanation.
-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
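
Added example, not part of the thread: a small Python script that applies the sanity checks Valdis describes to pasted `ls -l` lines (the listing inside it is a constructed copy of the one quoted above, plus one sane line) and reads an inode directly with lstat() so the result can be compared with what /bin/ls claims. It assumes Python 3.3 or later for stat.filemode(); the thresholds are the author's own heuristics.

```python
import os
import re
import stat

# Constructed copy of the listing quoted in the thread, plus one sane line.
LISTING = """\
?---------  14559 root     46449    4294967295 Mar 27 21:57 bashrc
?---------  14138 root     8567     4294967295 May 13  1999 named.boot
-rw-r--r--      1 root     root           1234 Aug 21 15:28 motd
"""

# mode, links, owner, group, size, date, name (GNU/BSD `ls -l` layout)
LS_LINE = re.compile(r"^(\S{10})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s+(\S+)$")

def audit_ls_line(line):
    """Return the reasons an `ls -l` line looks corrupt or forged ([] if sane)."""
    m = LS_LINE.match(line)
    if not m:
        return ["unparseable line"]
    mode, nlink, owner, group, size, _date, _name = m.groups()
    reasons = []
    if mode[0] == "?":
        # ls prints '?' when the type bits of st_mode match no known file type.
        reasons.append("unknown file type in mode bits")
    if int(nlink) > 1000:
        reasons.append("implausible link count %s" % nlink)
    if int(size) == 0xFFFFFFFF:
        reasons.append("size is 2**32-1, an error sentinel rather than a length")
    if group.isdigit() and owner == "root":
        # A numeric group means no /etc/group entry (unless `ls -n` was used).
        reasons.append("root-owned file with unresolvable group %s" % group)
    return reasons

def audit_listing(text):
    """Map file name -> reasons, for every line that raises at least one."""
    flagged = {}
    for line in text.splitlines():
        reasons = audit_ls_line(line)
        if reasons:
            flagged[line.split()[-1]] = reasons
    return flagged

def describe_via_lstat(path):
    """Read the inode directly instead of trusting /bin/ls. Both go through the
    same kernel, so this only catches a replaced userland ls; a kernel rootkit
    or a failing disk can lie to both, hence the known-good-media suggestion."""
    st = os.lstat(path)
    return stat.filemode(st.st_mode)[0], st.st_nlink, st.st_size

if __name__ == "__main__":
    for name, reasons in audit_listing(LISTING).items():
        print(name, "->", "; ".join(reasons))
```

Run the lstat check from a shell on the same files the suspect ls flagged; if lstat() reports a normal type and size while /bin/ls prints `?` and 4294967295, the ls binary is the liar.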

