Thanks,
Here's the output of truss ls
mmap(0x0,1968,0x3,0x1000,-1,0x0) = 671490048 (0x28062000)
munmap(0x28062000,0x7b0) = 0 (0x0)
__sysctl(0xbfbffab4,0x2,0x280609a8,0xbfbffab0,0x0,0x0) = 0 (0x0)
mmap(0x0,32768,0x3,0x1002,-1,0x0) = 671490048 (0x28062000)
geteuid() = 0 (0x0)
getuid() = 0 (0x0)
getegid() = 0 (0x0)
getgid() = 0 (0x0)
open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
read(0x3,0xbfbffa94,0x80) = 128 (0x80)
lseek(3,0x80,0) = 128 (0x80)
read(0x3,0x28067000,0x53) = 83 (0x53)
close(3) = 0 (0x0)
access("/usr/lib/libncurses.so.5",0) = 0 (0x0)
open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
fstat(3,0xbfbffadc) = 0 (0x0)
read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
mmap(0x0,266240,0x5,0x2,3,0x0) = 671522816 (0x2806a000)
mmap(0x2809f000,36864,0x3,0x12,3,0x34000) = 671739904 (0x2809f000)
mmap(0x280a8000,12288,0x3,0x1012,-1,0x0) = 671776768 (0x280a8000)
close(3) = 0 (0x0)
access("/usr/lib/libc.so.4",0) = 0 (0x0)
open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)
fstat(3,0xbfbffadc) = 0 (0x0)
read(0x3,0xbfbfeaac,0x1000) = 4096 (0x1000)
mmap(0x0,626688,0x5,0x2,3,0x0) = 671789056 (0x280ab000)
mmap(0x2812c000,20480,0x3,0x12,3,0x80000) = 672317440 (0x2812c000)
mmap(0x28131000,77824,0x3,0x1012,-1,0x0) = 672337920 (0x28131000)
close(3) = 0 (0x0)
mmap(0x0,608,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x260) = 0 (0x0)
mmap(0x0,4576,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x11e0) = 0 (0x0)
mmap(0x0,13304,0x3,0x1000,-1,0x0) = 672415744 (0x28144000)
munmap(0x28144000,0x33f8) = 0 (0x0)
sigaction(SIGILL,0xbfbffb34,0xbfbffb1c) = 0 (0x0)
sigprocmask(0x1,0x0,0x280608dc) = 0 (0x0)
sigaction(SIGILL,0xbfbffb1c,0x0) = 0 (0x0)
sigprocmask(0x1,0x280608a0,0xbfbffb5c) = 0 (0x0)
sigprocmask(0x3,0x280608b0,0x0) = 0 (0x0)
readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 672415744 (0x28144000)
break(0x804f000) = 0 (0x0)
break(0x8050000) = 0 (0x0)
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
fstat(3,0xbfbff348) = 0 (0x0)
break(0x8054000) = 0 (0x0)
read(0x3,0x8050000,0x4000) = 70 (0x46)
break(0x8055000) = 0 (0x0)
read(0x3,0x8050000,0x4000) = 0 (0x0)
close(3) = 0 (0x0)
ioctl(1,TIOCGETA,0xbfbff54c) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5b0) = 0 (0x0)
getuid() = 0 (0x0)
stat(".",0xbfbff498) = 0 (0x0)
open(".",0x0,00) = 3 (0x3)
fchdir(0x3) = 0 (0x0)
open(".",0x0,00) = 4 (0x4)
stat(".",0xbfbff448) = 0 (0x0)
open(".",0x4,05001215475) = 5 (0x5)
fstat(5,0xbfbff448) = 0 (0x0)
fcntl(0x5,0x2,0x1) = 0 (0x0)
__sysctl(0xbfbff300,0x2,0x28142300,0xbfbff2fc,0x0,0x0) = 0 (0x0)
fstatfs(0x5,0xbfbff348) = 0 (0x0)
getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 1024 (0x400)
break(0x8056000) = 0 (0x0)
getdirentries(0x5,0x8053000,0x1000,0x804e0f4) = 0 (0x0)
lseek(5,0x0,0) = 0 (0x0)
close(5) = 0 (0x0)
fchdir(0x4) = 0 (0x0)
close(4) = 0 (0x0)
fstat(1,0xbfbff278) = 0 (0x0)
break(0x8057000) = 0 (0x0)
ioctl(1,TIOCGETA,0xbfbff2ac) = 0 (0x0)
._Lonetar cgi kernel.GENERIC modules.old sys
write(1,0x8056000,46) = 46 (0x2e)
.cshrc compat kernel.old old tmp
write(1,0x8056000,36) = 36 (0x24)
.profile dev lib proc usr
write(1,0x8056000,29) = 29 (0x1d)
COPYRIGHT dist log ris_datalogs var
write(1,0x8056000,38) = 38 (0x26)
bin etc logfiles root www
write(1,0x8056000,29) = 29 (0x1d)
boot home mnt sbin
write(1,0x8056000,22) = 22 (0x16)
cdrom kernel modules stand
write(1,0x8056000,30) = 30 (0x1e)
exit(0x0) process exit, rval = 0
I'm not exactly sure what I'm looking at... Do you see anything out of the ordinary?
Thanks again...
PS: I also did an md5 /usr/bin/netstat and got back the following:
MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c
Then I went back to my other box (at the office), and did the same thing...
MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145
They are different... I also just noticed that one of our customers got the same security email this morning, with the setuid differences... Also running 4.7-RELEASE...
Peter
At 03:46 PM 5/9/2003 +0200, you wrote:
>>Notice the f in place of the date? What does that mean?
>
> Perhaps someone has installed a different ls command (and,
> presumably, others). Try doing "truss ls" to see if it is reading any
> sort of strange file. Rootkits use to have configuration files hidden in
> weird places.
>
> Borja.
----------------------------------------------------------------------------------------------------------
Peter Elsner <peter@servplex.com>
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know,
pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.
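As an added example (not code from this thread, nor from Peter or Borja), here is a small Python script that automates the two checks discussed above: it scans FreeBSD 4.x style truss output for path-taking system calls (open, access, readlink, stat) and flags files that a stock ls has no reason to touch, such as paths with a hidden dot-component or anything outside the run-time linker's normal search locations; and it parses `MD5 (path) = digest` lines from two hosts and lists binaries whose digests differ. The allow-list of expected prefixes is a constructed assumption for a stock 4.x layout, and the sample truss lines are taken from the trace in the mail plus constructed filler; adjust the allow-list per command.

```python
import re
from typing import Dict, List, Tuple

# Matches FreeBSD truss lines that carry a path argument, e.g.
#   open("/usr/lib/libc.so.4",0x0,027757775414) = 3 (0x3)
#   readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
PATH_CALL_RE = re.compile(r'^(open|access|readlink|stat|lstat)\("([^"]*)"')

# Locations a stock, dynamically linked /bin/ls is expected to consult
# (constructed allow-list for a FreeBSD 4.x system; an assumption).
EXPECTED_PREFIXES = ("/var/run/ld-elf.so.hints", "/usr/lib/", "/lib/", "/etc/")


def hidden_component(path: str) -> bool:
    """True if any path component is a dot-file or dot-directory."""
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def suspicious_opens(truss_output: str) -> List[Tuple[str, str, str]]:
    """Return (syscall, path, reason) for files ls should not be reading."""
    findings = []
    for line in truss_output.splitlines():
        m = PATH_CALL_RE.match(line.strip())
        if not m:
            continue
        call, path = m.group(1), m.group(2)
        if path in (".", ".."):          # ls legitimately opens its cwd
            continue
        reasons = []
        if hidden_component(path):
            reasons.append("hidden path component")
        if not path.startswith(EXPECTED_PREFIXES):
            reasons.append("outside expected loader/config locations")
        if reasons:
            findings.append((call, path, "; ".join(reasons)))
    return findings


MD5_LINE_RE = re.compile(r'^MD5 \((.+)\) = ([0-9a-f]{32})$')


def parse_md5_lines(text: str) -> Dict[str, str]:
    """Parse `MD5 (path) = digest` lines as printed by md5(1)."""
    digests = {}
    for line in text.splitlines():
        m = MD5_LINE_RE.match(line.strip())
        if m:
            digests[m.group(1)] = m.group(2)
    return digests


def differing_binaries(host_a: str, host_b: str) -> List[str]:
    """Paths present on both hosts whose MD5 digests do not match."""
    a, b = parse_md5_lines(host_a), parse_md5_lines(host_b)
    return sorted(p for p in a if p in b and a[p] != b[p])


# Sample input: lines from the trace in the mail plus constructed filler.
SAMPLE_TRUSS = """\
open("/var/run/ld-elf.so.hints",0x0,00) = 3 (0x3)
access("/usr/lib/libncurses.so.5",0) = 0 (0x0)
open("/usr/lib/libncurses.so.5",0x0,027757775414) = 3 (0x3)
readlink("/etc/malloc.conf",0xbfbff3d8,63) ERR#2 'No such file or directory'
open("/dev/fd/.99/.ttyf00",0x0,0666) = 3 (0x3)
stat(".",0xbfbff498) = 0 (0x0)
open(".",0x0,00) = 3 (0x3)
"""

# Digests: netstat values from the mail; the /bin/ls digest is constructed.
HOST_A_MD5 = """\
MD5 (/usr/bin/netstat) = b008226a10f92a397b2d3a045116343c
MD5 (/bin/ls) = d41d8cd98f00b204e9800998ecf8427e
"""
HOST_B_MD5 = """\
MD5 (/usr/bin/netstat) = 9fdb023cf58ded3cb03fabe0acf04145
MD5 (/bin/ls) = d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    for call, path, why in suspicious_opens(SAMPLE_TRUSS):
        print(f"{call}({path}): {why}")
    for path in differing_binaries(HOST_A_MD5, HOST_B_MD5):
        print(f"digest mismatch: {path}")
```

A digest that merely matches between two of your own boxes proves only that both are the same; compare against checksums taken from the release media or a known-clean install of the same release and patch level, and run the checks with a statically linked truss/md5 copied from trusted media, since a kit that replaces ls can replace those too.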