On Fri, Dec 19, 2003 at 09:29:46AM -0600, Kent West wrote:
What are the permissions on './bin/login'?

-rw-rw-rw- 1 root root 0 Oct 9 09:36 /bin/login
I think I see the problem here. It's empty. :-} So getty is timing out. However if I try to move this file it gives a permission denied:
root:/bin# mv login login-tmp
mv: cannot move `login' to `login-tmp': Operation not permitted
root:~# chmod 644 /bin/login
chmod: changing permissions of `/bin/login': Operation not permitted
root:~# rm /bin/login
remove write-protected regular empty file `/bin/login'? n

I can copy it, and move other files in the same directory. It is presumably this problem that is preventing its upgrade. I suppose I could try dropping another /bin/login on top of it, or removing it, but I'm quite curious now. However, I don't know enough about filesystems to know what has happened.
root:~# stat /bin/login
File: `/bin/login'
Size: 0 Blocks: 0 IO Block: 4096 Regular File
Device: 30ah/778d Inode: 17894 Links: 1
Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2003-10-09 09:36:03.000000000 +1000
Modify: 2003-10-09 09:36:03.000000000 +1000
Change: 2003-10-09 09:36:03.000000000 +1000
Nothing else is playing up, the system seems fine apart from this.
Thanks very much for your advice.
Patrick Lesslie
Here's mine:
enjae[westk]:/home/westk> ls -l /bin/login
-rwsr-xr-x 1 root root 35512 Oct 25 14:53 /bin/login
Sat Dec 20 04:59:59 -----------
enjae[westk]:/home/westk> stat /bin/login
File: `/bin/login'
Size: 35512 Blocks: 72 IO Block: 4096 regular file
Device: 301h/769d Inode: 30150 Links: 1
Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2003-12-20 00:34:35.000000000 -0600
Modify: 2003-10-25 14:53:38.000000000 -0500
Change: 2003-10-28 08:50:47.000000000 -0600
My first thought is "compromise". I don't know enough about security forensics to know how to double-check if you've been cracked, but I'd look into chkrootkit (or something similar) and my logs.
-- Kent
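
An added example, not part of either poster's message: a shell function that checks a file for the differences visible between the two /bin/login listings in this thread (empty file, world-writable mode, missing setuid bit). The lsattr check is an assumption the thread does not make: on ext2/ext3, an immutable or append-only inode flag is one cause of "Operation not permitted" for root. The name audit_login_binary is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Prints one finding per line and
# returns 0 only when nothing is flagged.
audit_login_binary() {
    f=$1
    n=0
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 1
    fi

    # Size 0 in the first stat output; the healthy copy is 35512 bytes.
    if [ ! -s "$f" ]; then
        echo "$f: empty file"; n=$((n + 1))
    fi

    # Same mode string the thread shows (-rw-rw-rw- vs -rwsr-xr-x).
    perms=$(ls -ldL "$f" | cut -c1-10)
    case $perms in
        ????????w?) echo "$f: world-writable ($perms)"; n=$((n + 1)) ;;
    esac

    # The healthy copy in the thread is setuid root (4755).
    if [ ! -u "$f" ]; then
        echo "$f: setuid bit not set ($perms)"; n=$((n + 1))
    fi

    # Assumption: an immutable (i) or append-only (a) inode flag would explain
    # mv, chmod and rm failing for root. Skipped when lsattr is absent or the
    # filesystem does not support inode flags.
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1) || attrs=""
        case $attrs in
            *i*|*a*) echo "$f: inode flags set ($attrs)"; n=$((n + 1)) ;;
        esac
    fi

    [ "$n" -eq 0 ]
}

# Run against a path given on the command line, e.g. /bin/login.
if [ "$#" -gt 0 ]; then
    audit_login_binary "$1"
fi
```

Results obtained on a host that may be compromised are only as trustworthy as its installed ls and lsattr; running the same checks from rescue media avoids relying on them.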