Bill Campbell wrote:
> On Mon, Mar 24, 2008, Dan Bongert wrote:
>> Hello all:
>>
>> I have a couple CentOS 4 servers (all up-to-date) that are having strange
>> command failures. I first noticed this with a perl script that uses lots of
>> system calls.
>>
>> Basically, sometimes a command just won't run:
>>
>> thoth(52) /tmp> ls
>>
> ...
>> thoth(66) /tmp> uname -a
>> Linux thoth.ssc.wisc.edu 2.6.9-67.0.7.ELsmp #1 SMP Sat Mar 15 06:54:55 EDT
>> 2008 i686 i686 i386 GNU/Linux
>>
>> Nothing in either dmesg or /var/log/messages seems to indicate any
>> problems. It also doesn't seem to matter what the command is -- ls is the
>> quickest test, but sshd will sometimes fail to spawn children, etc.
>> There aren't a large amount of processes on the machine either -- only 122
>> at the moment.
>
> There is a very good chance that the machine has been cracked,
> and the system's /bin/ls routine replaced by one hacked to hide
> the cracker's programs. ``rpm -V coreutils procps util-linux''
> may well show several critical programs changed.

Everything seems OK there:

thoth(96) /tmp> sudo rpm -V coreutils procps util-linux

> You can also try running ``strace /bin/ls'' to see what is going on.

Funnily enough, running strace will work just fine. Though, as I said, just
about any command will fail -- 'ls' was just for testing purposes.

> Bill
> --
> INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
> FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
>
> When I hear a man applauded by the mob I always feel a pang of pity
> for him. All he has to do to be hissed is to live long enough.
> -- H.L. Mencken, Minority Report
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Dan Bongert dbongert at wisc.edu
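
An added example, not part of the original thread: a small Python triage of the output of the `rpm -V` check discussed above, separating changed binaries from edited config files. The sample output, the `triage` name and the severity rule are constructed assumptions; an empty result, as in the message above, only shows that the files match the local RPM database.

```python
import re

# Meaning of each flag column in `rpm -V` output (8 columns on older rpm, 9 on newer).
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# Content, permission or ownership changes on a packaged file get looked at first.
HIGH = {"S", "M", "5", "U", "G"}
LINE = re.compile(r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+"
                  r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")


def triage(rpm_v_output):
    """Return one dict per file reported by `rpm -V`, with a triage severity."""
    findings = []
    for raw in rpm_v_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a verify record
        flags, attr, path = m.group("flags", "attr", "path")
        if flags == "missing":
            changed, hit = ["missing"], True
        else:
            changed = [FLAGS[c] for c in flags if c in FLAGS]
            hit = bool(HIGH & set(flags))
        # Config files (attribute "c") are routinely edited by administrators,
        # so they are queued for review rather than treated as tampering.
        severity = "high" if hit and attr != "c" else "review"
        findings.append({"path": path, "attr": attr,
                         "changed": changed, "severity": severity})
    return findings


# Constructed sample output, not taken from the thread.
SAMPLE = """\
S.5....T    /bin/ls
.......T    /usr/bin/top
S.5....T  c /etc/sysctl.conf
missing     /bin/kill
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['severity']:6} {f['path']}  ({', '.join(f['changed'])})")
```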