Hi,
Looks almost same here:
Yes, but without those lines
Download a virus scanner and scan your HDD.
On my computer it was the same effect; it was this virus, Linux.OSF.8759.
Look here:
http://www.viruslibrary.com/virusinfo/Linux.OSF.8759.htm
cu thomas
open("/proc/uptime", O_RDONLY) = 3
open("/proc/4215/exe", O_RDONLY) = 3
This is in all binaries I have checked (echo, ifconfig, ...)
The gzip thing looks really weird. Does chkrootkit show any evidence?
Maybe gzip got broken somehow.
No, chkrootkit doesn't find anything. I got this some weeks ago, but couldn't find anything on the box, so I thought it was just broken and re-installed. But the same box was hit again this week and another one too, which also got all websites defaced tonight.
And again, the only thing I could find is gzip not working.
I would build some checksum database of /bin, /sbin, /usr/bin, /usr/sbin off a definitely not infected machine (using tripwire or aide), burn the database(s) and the binaries to check/build them on a CDROM and compare that with the weird system's binaries.
I checked with md5sum; the binaries differ from other machines that look clean.
Very strange: if I ftp the 'gzip' binary from a clean machine to the 'infected' one, it is then changed to the same md5sum that the 'gzip' binary has on the 'infected' machine.
_really_ check if something serious has changed without taking the machines in question off (and check them with e.g. chkrootkit from a Knoppix CD)
I already did this. I booted from the woody install CD and did a chroot to the system.
The effects are still there, so this should be nothing running in the kernel.
I reinstalled the machines (got the old disks here for further research) so this is not urgent.
I just need to know what happened, because I would like the other boxes here to stay clean ;-)
--
Thomas Braun WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-17
[EMAIL PROTECTED] D-52064 Aachen Fax 0241/911879
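
The checksum comparison suggested in the thread above, as an added example that is not part of the original messages: it hashes /bin, /sbin, /usr/bin and /usr/sbin under a known-clean root and under the suspect root, then lists files that differ, are missing, or are unexpected. It assumes both trees are mounted read-only under a trusted rescue system (such as the Knoppix CD mentioned) so that no binary from the suspect disk is executed; SHA-256 is used here in place of md5sum, and all function names are hypothetical.

```python
import hashlib
import os

# Directories the thread suggests covering, relative to the root being examined.
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative paths such as 'bin/gzip' to digests of regular files under root."""
    manifest = {}
    for bin_dir in BIN_DIRS:
        top = os.path.join(root, bin_dir)
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(dirpath, name)
                # Skip symlinks: they may point outside the mounted root.
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(baseline, suspect):
    """Return sorted lists of modified, missing and unexpected files."""
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    missing = sorted(p for p in baseline if p not in suspect)
    extra = sorted(p for p in suspect if p not in baseline)
    return {"modified": modified, "missing": missing, "extra": extra}


if __name__ == "__main__":
    import sys
    # Usage (paths are assumptions): script.py /mnt/clean /mnt/suspect
    clean_root, suspect_root = sys.argv[1], sys.argv[2]
    report = compare(build_manifest(clean_root), build_manifest(suspect_root))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Package versions must match between the two machines, otherwise legitimately different builds show up as modified.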