> > I tried to update my debian box which is running Potato. When libc6 tries to
> > install it fails giving an error about not being able to symlink libnss_db.so.2.
> >
> > I took a look at libnss_db.so.2 and things are very odd. A 'ls -la' gives

One of the more knowledgeable hackers I've had on my honeypot modified some library files and made them undelete-able. Even as root. Drove me nuts until I found a .history file he left behind (ok, not so smart). One of the commands he did was

    chattr +i filename

So I did a

    chattr -i filename

and that fixed it. The chattr command isn't very well documented but I feel it's like other commands that are no longer well documented because they are considered a bad idea, like rsh and suid tricks.

By the way, to the first poster I recommend they do a few hack checks like

    ls -blart /bin
    ls -blart /sbin
    ls -blart /usr/bin

(can you explain the change dates on the files at the end, especially if it's files like login, ls, ps, find, netstat) and do a

    file /dev/* |grep -i asc

Do any of the files say they are ascii or script files? Also try doing

    ls -blart /dev
    ls -blart /usr

to see if any new directories with odd names show up such as ... or more than one directory named . or ..

Better safe than... well, used as a dumb terminal :)

Gandalf Parker
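
The checks suggested in the reply above, collected into shell functions that take the directory to inspect as an argument. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes a `find` that supports `-mindepth` and the `lsattr` tool that ships alongside `chattr`.

```shell
#!/bin/sh
# Added example: triage helpers for the checks described in the post.
# Function names are hypothetical; each takes the directory to inspect.

# Directories whose names consist only of dots and spaces ("...", ".. ", ". ").
# They blend in with "." and ".." in a plain ls listing.
odd_dirs() {
    find "$1" -mindepth 1 -type d 2>/dev/null | while IFS= read -r d; do
        name=${d##*/}
        rest=$(printf '%s' "$name" | tr -d '. ')
        if [ -z "$rest" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Regular files below a device directory such as /dev. The post greps the
# output of file(1) for ASCII/script entries; here every regular file is
# listed and annotated with its file(1) type when that tool is installed.
plain_files_in_dev() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if command -v file >/dev/null 2>&1; then
            printf '%s: %s\n' "$f" "$(file -b "$f")"
        else
            printf '%s\n' "$f"
        fi
    done
}

# Files carrying the immutable attribute (what `chattr +i` sets).
# lsattr prints "<flags> <path>"; the -R directory headers end in ":" and
# are skipped by the flag-field pattern. Filesystems without attribute
# support only produce errors, which are discarded.
immutable_files() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -R "$1" 2>/dev/null |
        awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /i/ { sub(/^[^ ]+ /, ""); print }'
}

# Typical use (run as root so lsattr can read every file):
#   odd_dirs /dev; odd_dirs /usr
#   plain_files_in_dev /dev
#   immutable_files /lib; immutable_files /bin
```

Anything `immutable_files` reports under `/lib`, `/bin` or `/sbin` that the administrator did not set deserves the same scrutiny as an unexplained change date on `login` or `ps`.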