[lug] Interesting Crash Report
nate at natetech.com
Wed Mar 21 10:49:15 MST 2001
Reinstall and PATCH the box this time! :-)
Never ever ever ever run an unpatched version of Linux on a production
machine. (And yes, your desktop counts as a production machine!)
In this case, shutting down the "r"services completely and removing them
may have kept someone from being malicious with those binaries, but
they'd have probably found something else to poke at. Lots of people
load up named who don't need a nameserver on their machine and then get
cracked because they're running BIND 8.2.2 or previous. (8.2.3-REL is
the only one in the 8.x.x series that's safe right now.)
So the lesson is: Patch at load time and patch often after that.
One of the places where a KRUD subscription or Debian's apt-get upgrade
can be nice... or you can pay RH to use up2date. :-)
> Well, I do not now if what follows really is interesting; but it has
> consumed my time quite effectively. At one point it occurred to me
> that the damage might be due to a virus.
> I turn off my machine at the end of each day, and re-boot the next
> time I want to use it; I am using RedHat 6.2. Last evening I shut
> down, essentially normally; although I did notice that statd failed,
> whatever that means, and I was having some problem with communicating
> with my ISP immediately before shutting down.
> This morning I could not log in. The software came up properly to the
> point of the login prompt; but that was it; thereafter I could not log
> in as anybody; there are three accounts, including root, on my
> machine. I did not try booting from a floppy because the machine had
> I have a "spare" installation of Linux on another disc, so I was able
> to get going. I poked around looking for files that were altered
> yesterday; and, sure enough, /bin/login was dated Mar 19 and the ls
> entry looked different from that in the spare Linux. I copied over
> the spare, re-booted, and everything appears to be fine.
> Here is the original login entry (the .orig I added before doing the
> copy), I do not have user 500, nor group 500:
> -r-sr-xr-x 1 500 500 20452 Mar 19 22:43 login.orig*
> And here is the copied entry, that works; it is dated Mar 7 2000 in
> the spare Linux.
> -rwxr-xr-x 1 root root 20452 Mar 20 22:08 login*
> Any comments? What does the stat daemon do?
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG