Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 16 Jul 2001 22:28:49 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 16 Jul 2001 22:28:39 -0400 Received: from alcove.wittsend.com ([130.205.0.20]:13252 "EHLO alcove.wittsend.com") by vger.kernel.org with ESMTP id ; Mon, 16 Jul 2001 22:28:26 -0400 Date: Mon, 16 Jul 2001 22:22:15 -0400 From: "Michael H. Warfield" To: Alex Buell Cc: Alexander Viro , "Albert D. Cahalan" , Adam , Mailing List - Linux Kernel Subject: Re: Duplicate '..' in /lib Message-ID: <20010716222215.A4695@alcove.wittsend.com> Mail-Followup-To: Alex Buell , Alexander Viro , "Albert D. Cahalan" , Adam , Mailing List - Linux Kernel In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.2i In-Reply-To: ; from alex.buell@tahallah.demon.co.uk on Mon, Jul 16, 2001 at 07:30:01AM +0100 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 16, 2001 at 07:30:01AM +0100, Alex Buell wrote: > On Mon, 16 Jul 2001, Alexander Viro wrote: > > Alex, could you do strace of that? It would clarify the situation. > Unfortunately there's no working version of strace for the sparc32-linux > platform. :o( If anyone knows better, I'd be infinitely grateful - mail me > privately. > As it turns out, the extraneous '..' is actually a file. I did a rm ..*, > which left the original .. directory alone but removed the .. file. Did a > e2fsck on reboot, no problems found. That's like the old game of adventure when you wave the wand and it replies "Nothing obvious happens" just before you step into quicksand (if you waved it an even number of times). You got problems. There should be a reason for that file and it ain't good. It ain't good AT ALL. It's a stock "cracker" trick for hiding something (lame, I know). You need to go over that system with a fine toothed comb. Boot from secure media, like the LinuxCare BBC (Bootable Business Card), and sweep that sucker. You can use rpm to verify the packages to begin with... Don't trust ANY executable on the system itself. You HAVE to boot from other media. Some of these suckers have Linux kernel modules (we'll keep it a little on topic here) like Adore and KIS that hide processes, connections, services, and files. You can not trust your kernel if you may have been compromised. > -- > Hey, they *are* out to get you, but it's nothing personal. No joke... And I do believe they done got you. > http://www.tahallah.demon.co.uk Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/