[CentOS] Commands failing silently?

Mon Mar 24 19:55:46 UTC 2008
Bill Campbell <centos at celestial.com>

On Mon, Mar 24, 2008, Dan Bongert wrote:
>Hello all:
>I have a couple CentOS 4 servers (all up-to-date) that are having strange 
>command failures. I first noticed this with a perl script that uses lots of 
>system calls.
>Basically, sometimes a command just won't run:
>thoth(52) /tmp> ls
>thoth(66) /tmp> uname -a
>Linux thoth.ssc.wisc.edu 2.6.9-67.0.7.ELsmp #1 SMP Sat Mar 15 06:54:55 EDT 
>2008 i686 i686 i386 GNU/Linux
>Nothing in either dmesg or /var/log/messages seems to indicate any 
>problems. It also doesn't seem to matter what the command is -- ls is the 
>quickest test, but sshd will sometimes to fail to spawn children, etc. 
>There aren't a large amount of processes on the machine either -- only 122 
>at the moment.

There is a very good chance that the machine has been cracked,
and the system's /bin/ls routine replaced by one hacked to hide
the cracker's programs.  ``rpm -V coreutils procps util-linux''
may well show several critical programs changed.

You can also try running ``strace /bin/ls'' to see what is going on.

INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

When I hear a man applauded by the mob I always feel a pang of pity
for him.  All he has to do to be hissed is to live long enough.
    -- H.L. Mencken, Minority Report