Stephen Gran on 31 Jul 2006 20:19:44 -0000

On Mon, Jul 31, 2006 at 03:31:25PM -0400, George Gallen said:
> Prior to our system chase this am...
>
> If you log on, the log on process seemed normal. but no matter which
> directory you cd to, if you 'ls' you would get a Segment Fault if you
> did a "ps -ef" it would only show you a 3 or so processes (even as
> root)
>
> But If I ftp'd in, I could ls directories fine.
>
> After our aborted (but partially started) RH 8.0 upgrade, I found a
> psdevtab file in my /tmp directory that was created around the time, I
> first noticed the problem this am (when I logged in).
>
> Considering our system had been up for 480 something days, I figured a
> reboot might have been in order, when was when all hell broke loose,
> and it got stuck on the reboot... :(

Could you have been rooted?
http://www.cgsecurity.org/Articles/sotm29/analysis_rk.html seems to
suggest /tmp/psdevtab may be associated with a trojaned ps binary. If
the system has been up for over a year, it is sure to have had kernel
vulnerabilities.

Good luck.
--
 --------------------------------------------------------------------------
|  Stephen Gran                  | Sometimes, too long is too long.   --   |
|  steve@lobefin.net             | Joe Crowe                               |
|  http://www.lobefin.net/~steve |                                         |
 --------------------------------------------------------------------------

Attachment: signature.asc

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
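
One way to test the trojaned-ps hypothesis raised in the reply above, as an added example that is not part of the original thread: list the PIDs the kernel exposes under /proc and report any that are missing from saved `ps -ef` output. The function names (`proc_pids`, `ps_pids`, `hidden_pids`) are hypothetical, and the script assumes a POSIX shell with `awk`, `sort`, `comm` and `mktemp` taken from trusted media rather than from the suspect system.

```shell
#!/bin/sh
# Cross-check ps output against /proc to spot processes a replaced ps hides.
# Caveats: a PID can appear or exit between the two snapshots, so confirm any
# hit by re-running; a kernel-level rootkit can hide entries from /proc too.

# proc_pids DIR: print purely numeric directory names under a /proc-style DIR.
# Uses shell globbing only, so it works even when ls itself is broken.
proc_pids() {
    for d in "$1"/[0-9]*; do
        name=${d##*/}
        case $name in
            *[!0-9]*) continue ;;          # skip anything that is not a PID
        esac
        if [ -d "$d" ]; then printf '%s\n' "$name"; fi
    done | LC_ALL=C sort
}

# ps_pids FILE: print the PID column (field 2) of saved `ps -ef` output.
ps_pids() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ { print $2 }' "$1" | LC_ALL=C sort
}

# hidden_pids PROC_DIR PS_FILE: PIDs present in PROC_DIR but absent from PS_FILE.
hidden_pids() {
    work=$(mktemp -d) || return 1
    proc_pids "$1" > "$work/proc"
    ps_pids "$2" > "$work/ps"
    LC_ALL=C comm -23 "$work/proc" "$work/ps"
    rm -rf "$work"
}

# Typical use on a live host (paths are examples):
#   ps -ef > /root/ps.txt && hidden_pids /proc /root/ps.txt
```
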