On Sunday 01 February 2004 10:07 pm, Thomas Jones wrote:
> ------------snip---------------
> A couple notes:
>
> Have you checked your system logs?

Didn't see anything terribly unusual (things in the log before the installation date look pretty much like they do after the install date), but I don't necessarily know what I'm looking for.

> Did you have either a Tripwire or AIDE database prior?

Neither. I have not gotten that far with my understanding of Linux (I'm still trying to figure out how to set up Samba between my 2 machines). The Amiga I had before moving to Linux didn't really have such tools available.

> Check for deleted (possibly trojaned) executables via:
>
> # file /proc/[0-9]*/exe|grep '(deleted)'

No result from this command.

> Also extract the binary version from the installation CD of ps, ls, who ----- commonly trojaned executables onto a floppy from another system. Write-protect it!
> Then perform a compare of the valid (floppy) version against the possibly trojaned executable via:
>
> # cmp /media/floppy/valid_exec /bin/trojan_exec
>
> This will do a byte-by-byte comparison of both executables.

I'll give it a try. It sounds like Arjen, Ivan and Richard have done quite a lot of examination of the problem file.

> You can search for the debugging symbols from the "trojaned" executable via:
>
> # nm trojan_exec | more

I've got the "good" previous versions of the command back on my machine currently, so the output is what would be expected.

> Also check for any ASCII text in the executable via:
>
> # strings -a trojan_exec | more

Thanks for the ideas Thomas, I'll file those commands away for future reference.

ps. I sent some info from this thread to the suse-security list this afternoon as Gar and Alex suggested. I'll pass along any definitive results that come from that.

See ya
-- 
dh
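The two checks Thomas describes above (running processes whose on-disk binary has been deleted, and a byte-for-byte comparison of live binaries against write-protected reference copies), as an added POSIX shell example that is not part of the original thread. It assumes a directory of trusted copies named after each command (for instance a floppy mounted at /media/floppy, as in the thread), uses readlink instead of file to spot the "(deleted)" marker, and the proc-root parameter, the function names and the exit-code conventions are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Automates the checks
# suggested in the reply: (1) find running processes whose executable was
# deleted from disk, (2) compare live binaries byte for byte (cmp) against
# trusted copies, e.g. ones extracted from the install CD onto a
# write-protected floppy. Assumed layout: one trusted file per command name.

# Print the PIDs whose /proc/<pid>/exe link points at a deleted file.
# $1: proc root (defaults to /proc; a constructed tree can be passed for tests).
find_deleted_exes() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        # Skip the unexpanded glob and unreadable entries; a dangling link
        # (the deleted case) fails -e but passes -L.
        [ -e "$exe" ] || [ -L "$exe" ] || continue
        target="$(readlink "$exe" 2>/dev/null)" || continue
        case "$target" in
            *"(deleted)"*) basename "$(dirname "$exe")" ;;
        esac
    done
}

# Compare one live binary against its trusted reference copy.
# $1: trusted copy, $2: live binary. Prints a one-line verdict and returns
# 0 only when both files are byte-identical.
verify_binary() {
    trusted="$1"; live="$2"
    if [ ! -f "$trusted" ]; then
        echo "MISSING  reference copy $trusted"; return 2
    fi
    if [ ! -f "$live" ]; then
        echo "MISSING  live binary $live"; return 2
    fi
    if cmp -s "$trusted" "$live"; then
        echo "OK       $live"; return 0
    fi
    # cksum (POSIX) gives a quick fingerprint of both sides for the report.
    echo "MISMATCH $live trusted=$(cksum < "$trusted" | cut -d' ' -f1) live=$(cksum < "$live" | cut -d' ' -f1)"
    return 1
}

# Check a set of commonly trojaned commands (the thread names ps, ls, who).
# $1: directory of trusted copies, $2: directory of live binaries,
# remaining args: command names. Returns the number of failed checks.
verify_set() {
    trusted_dir="$1"; live_dir="$2"; shift 2
    bad=0
    for name in "$@"; do
        verify_binary "$trusted_dir/$name" "$live_dir/$name" || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage: sh check_bins.sh /media/floppy /bin ps ls who
# With no arguments the script only defines the functions (for sourcing).
if [ "$#" -ge 3 ]; then
    echo "Processes running a deleted executable:"
    find_deleted_exes
    verify_set "$@"
fi
```

Run it from a shell whose own binaries you trust (a rescue CD), since a trojaned cmp, readlink or sh on the suspect system can lie about its own files; the reference copies should stay on write-protected media, as the thread says.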