Hello,

> Did you copy the gzip binary under the gzip name, or under another, and
> of course, the machine was "possibly infected" at the time?

Uh, I got so much stuff in my mind today, it's hard to remember ;-) I think I tried to ftp the clean gzip binary named as 'gzip' and 'foo', both were then infected.

> If so, it would tend to indicate a similar situation to what I had, on a
> non-debian box, where a certain list of binaries were hijacked through
> ld_preload tricks and uninfected copies were on the file system, but
> infection wrappers in /proc were run before each one...

Well, I will put the 'infected' disc into another clean box at the weekend and see what I can find...