
binaries change - hack or bug??


Zahier (MIS, joined Oct 3, 2002, location ZA)
Hi Techies.

I wonder if someone else has experienced this. I'm running Suse 9. In my /bin directory, the binaries listed below:
cpio, gawk, zsh, sed, ed, fillup, nisdomainname, ping, ping6, ypdomainname, initviocons, lsmod, netstat, ash, ect, sash, ash.static, basename, mktemp
all have their timestamp changed every 3 and then 15 minutes. Consistently. Some of the binaries (like ping and awk) give a segmentation fault when I try to execute them.
I have already replaced these with clean binaries from another box, but then these are changed every 3 and 15 minutes again.
I'm wondering whether it's a bug. I checked a RedHat installation and found these same binaries' timestamp also changed, but only daily at 16:00. I find nothing in the cron that could cause this. I ran a `ps -e f` every second to "catch" the culprit but came up with nothing.
I suspected the mktemp command which is related to cron, but cannot figure it out. At about the same time my files change, this process is active when I do a ps:
mktemp -d /tmp/run-crons.XXXXXX

Any ideas?
 
First, it is extraordinarily likely that something "ungood" is happening... binaries should not be changing time and going bad..

Second, try reinstalling one of them from a known good .RPM and add the +i immutable bit using the chattr command.

If this box is connected to the Internet, good security practice would be to take it offline immediately - do so via software and physically by pulling the network wire.

In these cases it is appropriate to suspect a cracked machine until you can prove otherwise.

You should also look into "check root kit" on google.

 
I also run SuSE 9, and I do not see this behaviour. Something odd is going on.

If I were you, I would, as thedaver said, pull the network cable. If they stop changing timestamp, then you know it's a "hacker" shelling onto the box. If they keep changing, it must be a rogue programme.

Either way, I'd rebuild the box and install something like tripwire to catch any odd behaviour.

 

If they keep changing it could still be some cracker program that keeps exploiting them. I had a box rooted a few years ago and they had patched ps and top to hide the trojan.

Calculate the MD5 checksum and then compare it to a known good copy. If they are different, suspect the worst, backup any data (no executables) and wipe the box.
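The checksum comparison suggested in this reply, and the Tripwire-style monitoring suggested earlier in the thread, come down to the same thing: record a baseline of hash, size, mode and mtime for each binary, then re-check against it. The following is an added example written for this thread, not code posted by anyone in it. It uses SHA-256 rather than MD5 (a deliberate swap; MD5 collisions are cheap), keeps the baseline in a JSON file, and its `demo()` builds constructed stand-in files in a temporary directory to mirror the situation described in the original post: one file replaced with its old mtime put back (what `touch -r` would do), one merely re-timestamped. All file names and paths in it are constructed for the demo.

```python
"""Tripwire-style integrity baseline for a list of binaries.

Added example for this thread, not code from any poster. The paths, file
names and sample contents in demo() are constructed for the demonstration.
Assumes Python 3.7+ and only the standard library.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Record = Dict[str, object]


def fingerprint(path: str) -> Record:
    """Hash the file contents and record size, mode and mtime."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": st.st_mode,
        "mtime_ns": st.st_mtime_ns,
    }


def make_baseline(paths: List[str]) -> Dict[str, Record]:
    """Fingerprint every regular file in the list."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline: Dict[str, Record], out_path: str) -> None:
    # Keep this file off the suspect box or on read-only media: a root-level
    # intruder can otherwise simply regenerate it after swapping binaries.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_path: str) -> Dict[str, Record]:
    with open(in_path) as f:
        return json.load(f)


def verify(baseline: Dict[str, Record]) -> List[Tuple[str, str]]:
    """Compare live files to the baseline; return (path, finding) pairs.

    The hash is decisive. An attacker can restore the old mtime with
    `touch -r`, but cannot keep the old hash with new contents, so the
    content check runs first and a timestamp-only change is reported
    separately (that pattern is what a legitimate updater would produce).
    """
    findings: List[Tuple[str, str]] = []
    for path, old in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        new = fingerprint(path)
        if new["sha256"] != old["sha256"]:
            findings.append((path, "content changed"))
        elif new["mode"] != old["mode"]:
            findings.append((path, "mode changed, content identical"))
        elif new["mtime_ns"] != old["mtime_ns"]:
            findings.append((path, "timestamp changed, content identical"))
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: three fake /bin files; "ping" is replaced with
    its old mtime restored, "gawk" is only re-timestamped, "sed" untouched."""
    d = tempfile.mkdtemp(prefix="bin-baseline-")
    paths = {n: os.path.join(d, n) for n in ("ping", "gawk", "sed")}
    for name, p in paths.items():
        with open(p, "wb") as f:
            f.write(b"\x7fELF stand-in for " + name.encode())
    baseline_file = os.path.join(d, "baseline.json")
    save_baseline(make_baseline(list(paths.values())), baseline_file)
    baseline = load_baseline(baseline_file)

    # "ping" swapped for different contents, mtime put back (touch -r style).
    old_ns = baseline[paths["ping"]]["mtime_ns"]
    with open(paths["ping"], "wb") as f:
        f.write(b"\x7fELF stand-in, replaced")
    os.utime(paths["ping"], ns=(old_ns, old_ns))

    # "gawk" keeps its contents but gets a timestamp 60 seconds later.
    g_ns = baseline[paths["gawk"]]["mtime_ns"] + 60 * 10**9
    os.utime(paths["gawk"], ns=(g_ns, g_ns))

    result = {os.path.basename(p): why for p, why in verify(baseline)}
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print(f"{name}: {why}")
```

Two caveats that the thread itself raises. First, on a box that is already rooted, the hashing tool, the Python interpreter and even the kernel's view of the file may be trojaned (the reply below mentions patched ps and top), so run the check from known-good read-only media or boot from a rescue disk. Second, for packaged files the distribution already ships a baseline: `rpm -V` compares installed files against the RPM database, which is the quickest first check on a SuSE or RedHat system before building your own.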
 
You can use lsof to check which program opens a particular file.

If no private or secret data is in danger, I would try to find out what's going on, and where it came from, before wiping.

What happens when you change your suspicious /bin files with the following?
Code:
chmod a-w cpio

Can it be an autoupdater, together with a wrong date?

 
Thanks for all the tips guys,

The Linux administrator ran a repair option from the SUSE installation disks and the problem seems to have disappeared. I still don't know what the cause was though.
 
FIND OUT THE CAUSE!!! Don't just put the box back online without first understanding what the issue was. If a cracker figured out how to get access to your box once, then you're simply putting it back up again with (most likely) the same set of exposures!!!

Be smart, don't contribute to network abuse and spam!

 