[NCLUG] error message

Eric Dahlman dahlman at cs.colostate.edu
Mon Aug 6 16:30:12 MDT 2001


Bryan Stillwell <bryan at bokeoa.com> writes:

> >[root at anvar kmblehm]# ls -l /usr/bin/top
> >-r-sr-xr-x   1 518      518        266140 Mar  7  2000 /usr/bin/top
> >[root at anvar kmblehm]# chmod 555 /usr/bin/top
> >chmod: /usr/bin/top: Operation not permitted
> 
> Well, that's rather unusual.  Perhaps your root filesystem is readonly
> or the file is set immutable.  Also why is the file ownership 518.518?
> 
[snip]
> 
> BTW, top is normally owned by root and set non-suid in my experiences,
> so your "ls" should look like:
> 
> -rwxr-xr-x    1 root     root        35888 Dec 10  2000 /usr/bin/top
> 
[snip]

Looking at the weird permissions and the fact that the executable is
an order of magnitude larger than yours or mine, my first suspicion
would be that the machine has been compromised and that this is part
of a root kit gone wrong.  Programs like ps and top are often replaced
with versions which lie about the state of the system to mask the
presence of the cracker's daemon programs.

I found this out first hand a couple of years ago when I ran netstat
to find out what was making my DSL modem blink so much.  Lo and behold
my machine was diligently trying to crack other machines and
reporting back to Israel via IRC.  They had neglected to place a faked
netstat on my machine, so I could see the TCP connections; a little
digging then turned up the rest of the damage.

-Eric
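A small triage script for the signs raised in this thread (non-root owner, setuid bit, an immutable attribute that makes chmod fail even for root, and a file that no longer matches the package database). This is an added example, not code from the original thread or from any of its participants; it assumes a Linux host with ls and awk, and uses lsattr (from e2fsprogs) and rpm only when they are present.

```shell
#!/bin/sh
# Added example (not from the thread): inspect one binary for the warning
# signs discussed above. Assumes Linux with ls and awk; lsattr and rpm are
# optional and skipped when absent.

# check_binary PATH
# Prints one line per finding and returns the number of findings (0-4).
check_binary() {
    path="$1"
    count=0
    if [ ! -e "$path" ]; then
        echo "$path: no such file"
        return 0
    fi

    # Take mode, owner and group from the long listing: field 1 is the
    # mode string, field 3 the owner, field 4 the group (GNU and BSD ls).
    set -- $(ls -ld "$path")
    mode=$1; owner=$3; group=$4

    # A system binary should belong to root, not to a bare uid such as 518.
    if [ "$owner" != root ]; then
        echo "$path: owned by $owner:$group, not root"
        count=$((count + 1))
    fi

    # The fourth character of the mode string is the user execute slot;
    # 's' or 'S' there means the setuid bit is set.
    case "$mode" in
        ???[sS]*)
            echo "$path: setuid bit set ($mode)"
            count=$((count + 1))
            ;;
    esac

    # The immutable attribute ('i' in lsattr's flag column) explains
    # "chmod: Operation not permitted" even when running as root.
    if command -v lsattr >/dev/null 2>&1; then
        flags=$(lsattr -d "$path" 2>/dev/null | awk '{print $1}')
        case "$flags" in
            *i*)
                echo "$path: immutable attribute set ($flags)"
                count=$((count + 1))
                ;;
        esac
    fi

    # On RPM systems, compare the file on disk with the package database.
    # A verify line starts with the flag column (S size, 5 digest, T mtime,
    # ...) and means the installed file no longer matches what was shipped.
    if command -v rpm >/dev/null 2>&1; then
        if rpm -Vf "$path" 2>/dev/null | grep -Eq '^[SM5DLUGTP.?]{8,9} '; then
            echo "$path: differs from the package database (rpm -Vf)"
            count=$((count + 1))
        fi
    fi

    echo "$path: $count finding(s)"
    return $count
}

# Usage: sh check_binary.sh /usr/bin/top /bin/ps /bin/netstat
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        check_binary "$p"
    done
fi
```

The size comparison the thread makes by hand (266140 bytes against 35888) is what the rpm verify step automates; on a box without a package database, compare the file's hash against a known-good copy from install media instead, since a binary on the compromised host itself cannot be trusted as the reference.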
