Steve Siegfried wrote: > As an aside: 99.99% of Linux programs don't mess with file attribute bits. > The only time I've seen these attributes modified in > a non-orange-book-secure (i.e.: SELinux) environment > was done as part of a script-kiddie break-in/root-hack. > Because of this, I'm gonna ask: are you sure you're not > being hacked even as you try and resolve this? Suggest at a > minimum, you pick up a copy of chkrootkit available through > http://www.chkrootkit.org and run it. Firstly, chkrootkit is in extras, although it's more trustworthy if you run it from "known good" media (e.g. a CD). (It is possible for a rootkit to modify the kernel so that everything looks good to user-space). Secondly, Rolf's problems could also come from a corrupted filesystem. I'd recommend booting from a rescue CD, *not* mounting any filesystems, and fscking the filesystem in question. Lastly, although 99.9% of Linux *programs* don't mess with file attribute bits, it's a lot more common at the distribution level (and I seem to remember stuff like Bastille does it too)[1]. But the set of attributes that have been set doesn't look right for that. Hope this helps, James. [1] For example, setting immutable bits on key system binaries to make rootkits' lives that much harder. -- E-mail: james@ | I'll be more enthusiastic about encouraging thinking aprilcottage.co.uk | outside the box when there's evidence of any thinking | going on inside it. | -- Terry Pratchett
