Sorry if this is a bit OT but I hope it may be relevant. In the last week or two the "i" flag was set on /bin/ps, not by me. I changed it with chattr -i but now it is back again. Two people suggest this means I have been rooted. Do I have to reinstall everything at this time?

Anthony

--
ac@acampbell.org.uk    ||  http://www.acampbell.org.uk
using Linux GNU/Debian ||  for book reviews, electronic
Windows-free zone      ||  books and skeptical articles

John S. Andersen
2004-Mar-22 19:22 UTC
Re: "i" flag changed twice - could this be innocent?
On 22 Mar 2004 at 18:24, Anthony Campbell wrote:

> Sorry if this is a bit OT but I hope it may be relevant. In the last
> week or two the "i" flag was set on /bin/ps, not by me. I changed it
> with chattr -i but now it is back again. Two people suggest this means
> I have been rooted. Do I have to reinstall everything at this time?
>
> Anthony

Which distro?
I believe some Distros such as SuSE lock down a number of modules when you request a security setting of paranoid and this "MAY" be what is happening.

In any event, compare size/date to the install source.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska http://www.screenio.com/

Anthony Campbell
2004-Mar-22 19:58 UTC
Re: "i" flag changed twice - could this be innocent?
On 22 Mar 2004, John S. Andersen wrote:

> On 22 Mar 2004 at 18:24, Anthony Campbell wrote:
>
> > Sorry if this is a bit OT but I hope it may be relevant. In the last
> > week or two the "i" flag was set on /bin/ps, not by me. I changed it
> > with chattr -i but now it is back again. Two people suggest this means
> > I have been rooted. Do I have to reinstall everything at this time?
> >
> > Anthony
>
> Which distro?
> I believe some Distros such as SuSE lock down a number of
> modules when you request a security setting of paranoid
> and this "MAY" be what is happening.
>
> In any event, compare size/date to the install source.

This is Debian. I haven't found it doing this before. The size and date of /bin/ps are the same as on another machine I have with a similar setup.

--
ac@acampbell.org.uk    ||  http://www.acampbell.org.uk
using Linux GNU/Debian ||  for book reviews, electronic
Windows-free zone      ||  books and skeptical articles
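
The check suggested in this thread, as an added example that is not part of the original posts: it reads the "i" attribute from an lsattr line and goes one step beyond size/date by comparing the file's MD5 digest with a dpkg-style md5sums list. The function names are hypothetical, and the list is passed as a parameter so it can be a copy taken from the install source; the path in the usage comment is an assumption about where Debian keeps it for the package that ships /bin/ps.

```shell
#!/bin/sh
# Added example: immutable-flag and digest check for one packaged file.
# Usage (paths are assumptions):
#   sh check_ps.sh /bin/ps /var/lib/dpkg/info/procps.md5sums

# Return 0 if an lsattr output line shows the immutable ("i") attribute.
# Line format: "<attribute field> <path>", e.g. "----i--------e-- /bin/ps".
# Upper-case "I" (indexed directory) is a different attribute and is ignored.
has_immutable() {
    attrs=${1%% *}
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Compare a file with the digest recorded in a dpkg-style md5sums list.
#   $1 = root directory, $2 = md5sums list, $3 = path relative to the root
# Prints OK, MISMATCH or UNLISTED; returns 0 only for OK.
check_md5() {
    root=$1 list=$2 rel=$3
    want=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    if [ -z "$want" ]; then echo UNLISTED; return 2; fi
    have=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then echo OK; return 0; fi
    echo MISMATCH
    return 1
}

# Report on one absolute path of the running system.
audit_file() {
    path=$1 list=$2
    line=$(lsattr -d "$path" 2>/dev/null) || line=""
    if has_immutable "$line"; then
        echo "immutable flag set: $path"
    fi
    check_md5 / "$list" "${path#/}"
}

if [ "$#" -eq 2 ]; then
    audit_file "$1" "$2"
fi
```

A matching digest is only as trustworthy as the list and the md5sum binary used, which is why the list is taken from outside the machine being checked.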