Did you get a copy of chkrootkit and/or rkhunter and run them on this machine?
If so, let us know if it find a rootkit. If so, that's your problem. I think
you may have to ask on one of the linux system administration lists.
Which linux distribution and version did you indicate this is again?
On Sat, 16 Sep 2006, david.lao@sharpasia.com.mo wrote:
>
> is there any way to correct this problem? please help.
>
> On Fri, 15 Sep 2006, Michael Fuhr wrote:
>
>> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>>> Can anybody else with a Linux box test the above command?
>>>
>>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>>
>>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>>> context=user_u:system_r:unconfined_t
>>
>> That's what I'd expect. David's box appears to be behaving oddly,
>> which could be signs of tampering if he has indeed been hacked. If
>> that's happened then commands like "ls" and "ps" can't be trusted.
>>
>> Can anybody think of a way for David to be seeing the behavior he's
>> seeing that doesn't involve a tampered-with system?
>
> It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
> them to see if there is a problem. Might also be worthwhile to run the ps and
> ls from the install CD to see if there are any suprising results.
>
>
--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954
