On 23 Mar 2004, Anthony Campbell wrote:
> On 23 Mar 2004, Kevin Mark wrote:
> > On Tue, Mar 23, 2004 at 08:52:35AM +0000, Anthony Campbell wrote:
> > > On 23 Mar 2004, Mark McRitchie wrote:
> > > > > -----Original Message-----
> > > > > From: Anthony Campbell [mailto:[EMAIL PROTECTED]
> > > > > Sent: 22 March 2004 20:07
> > > > >
> > > <snip>
> > > because a routine upgrade of procps failed because it could not make a
> > > link to /bin/ps. I eventually found that it was due to the "i" flag on
> > > that file. I removed the flag and it then worked. However, last night I
> > > found that the flag had returned. I removed it again.
> > >
> > > Today, I found that upgrading procps failed again, this time because it
> > > was unable to create /bin/kill. But /bin/kill does not have the "i" flag
> > > set. So it definitely seems that something strange is happening.
> > >
> > > AC
> > Hi Anthony,
> > Are any scripts run in cron jobs?
> > Are there any packages installed that are related to
> > security/administration? Check 'dpkg -l'. Maybe you would like a file
> > alteration program like fam installed?
> > Just a thought.
> > -Kev
>
> Quite a few things are run as cron, mainly creating backups nightly and
> trimming log files.
>
> I just looked at fam; it seems to want to install portmap, which I've
> removed for security reasons (ha ha!).
>
> AC

A little later:

I just found that the "i" flag had been set on /bin rather than on a
particular file. I can't imagine any way this could not be malicious.
Anyone disagree? A new copy of chkroot did not show anything.

If I reinstall, can I preserve my /home and/or /usr/local files? I do
have a backup for /home which probably antedates the problem but I'd
like to save the recent stuff if possible.

-- 
[EMAIL PROTECTED]       ||  http://www.acampbell.org.uk
using Linux GNU/Debian  ||  for book reviews, electronic
Windows-free zone       ||  books and skeptical articles
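
Added example, not part of the original message: a small shell check that reads `lsattr -d` output for a path and its parent directory and reports where the immutable ("i") flag sits, which is the distinction between the /bin/ps failure and the /bin/kill failure described above. The function names are hypothetical and the sample `lsattr` lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.
# Real input would come from:  lsattr -d /bin/kill /bin

# Print every path from `lsattr -d` output (stdin) whose attribute field
# contains lowercase "i" (immutable). Uppercase "I" is a different flag.
immutable_paths() {
    while read -r attrs path; do
        case "$attrs" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# explain_block TARGET < lsattr-output
# Prints where the immutable flag is set: file | parent | both | clear
explain_block() {
    target=$1
    parent=$(dirname "$target")
    flagged=$(immutable_paths)
    on_file=no; on_parent=no
    if printf '%s\n' "$flagged" | grep -qxF -- "$target"; then on_file=yes; fi
    if printf '%s\n' "$flagged" | grep -qxF -- "$parent"; then on_parent=yes; fi
    case "$on_file$on_parent" in
        yesyes) echo both ;;
        yesno)  echo file ;;
        noyes)  echo parent ;;
        *)      echo clear ;;
    esac
}

# Constructed samples: first the flag on the file, then on the directory.
SAMPLE_FILE_FLAG='----i-------- /bin/ps
------------- /bin'
SAMPLE_DIR_FLAG='------------- /bin/kill
----i-------- /bin'

printf '%s\n' "$SAMPLE_FILE_FLAG" | explain_block /bin/ps     # file
printf '%s\n' "$SAMPLE_DIR_FLAG"  | explain_block /bin/kill   # parent
```

A "parent" result matches the second failure: an immutable directory refuses new, removed or renamed entries even when the file being replaced carries no flag of its own.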