#1
Hi,

I'm experiencing some extremely weird problems.

It started with 'ls -h' giving me

ls: invalid option -- h
Try `ls --help' for more information.

Also, 'ls --color' results in

ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable

prepended to the normal output.

Furthermore, when I type 'ps', I get

Unknown HZ value! (39) Assume 100.

That is also the message I suddenly get during boot (together with something about "unknown gnu long option"; I don't know which program exactly prints these error messages).

On further investigation, I found out that some files in /usr/bin have invalid ownership. They are supposed to be root:root, but instead they have 122:114.

This started just happening on a running system. No special action taken, no updates or anything like that.

What is going on here? How can this be fixed?

Thanks,
Michael
#2
Michael Goerz wrote:
> Hi,
>
> I'm experiencing some extremely weird problems.
>
> It started with 'ls -h' giving me
> ls: invalid option -- h
> Try `ls --help' for more information.
>
> Also, 'ls --color' results in
> ls: unrecognized prefix: do
> ls: unparsable value for LS_COLORS environment variable
> prepended to the normal output.
>
> Furthermore, when I type 'ps', I get
> Unknown HZ value! (39) Assume 100.
>
> That is also the message I suddenly get during boot (together with something
> about "unknown gnu long option"; I don't know which program exactly
> prints these error messages).
>
> On further investigation, I found out that some files in /usr/bin have
> invalid ownership. They are supposed to be root:root, but instead they
> have 122:114

ls and ps in /usr/bin are among the files with wrong ownership. The problem is that not even root can take back the ownership in my trials so far.
#3
Michael Goerz wrote:
> Hi,
>
> I'm experiencing some extremely weird problems.
>
> It started with 'ls -h' giving me
> ls: invalid option -- h
> Try `ls --help' for more information.
>
> Also, 'ls --color' results in
> ls: unrecognized prefix: do
> ls: unparsable value for LS_COLORS environment variable
> prepended to the normal output.
>
> Furthermore, when I type 'ps', I get
> Unknown HZ value! (39) Assume 100.
>
> That is also the message I suddenly get during boot (together with something
> about "unknown gnu long option"; I don't know which program exactly
> prints these error messages).
>
> On further investigation, I found out that some files in /usr/bin have
> invalid ownership. They are supposed to be root:root, but instead they
> have 122:114
>
> This started just happening on a running system. No special action
> taken, no updates or anything like that.
>
> What is going on here? How can this be fixed?
>
> Thanks,
> Michael

First, a correction: I meant to say there are files with wrong ownership in /bin (specifically ls and ps), not /usr/bin. However, there are a few in /usr/bin as well (such as top).

I also noticed that there are a few files with names like

ls;470ecce3
ls;470ecd06
ls;470ecd0a
ls;470ecd0c
ls;470ecd1c
ls;470ece69

that don't look too good. Am I dealing with a rootkit here?

Michael
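The two symptoms reported above, system binaries whose numeric owner is not 0:0 and extra files named like "ls;470ecce3" next to the real binary, are easy to check for mechanically. The script below is an added example and not something posted in this thread; it assumes GNU/BusyBox `stat -c` (a Linux box, as here) and takes the directory and the expected uid/gid as arguments so it can be exercised on a constructed directory.

```shell
#!/bin/sh
# Added example (not from the thread): scan a directory of system
# binaries for the two symptoms the poster reported, files not owned by
# root:root and extra files such as "ls;470ecce3" sitting next to "ls".
# Usage: scan_bin_dir DIR [EXPECTED_UID] [EXPECTED_GID]
# Prints one line per finding and returns 1 if anything was found.

scan_bin_dir() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    found=0
    for path in "$dir"/* "$dir"/.*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case "$name" in .|..) continue ;; esac

        # Numeric owner, as the poster saw it (122:114 instead of 0:0).
        # stat -c is GNU/BusyBox coreutils; this thread is about a Linux box.
        owner=$(stat -c '%u:%g' "$path")
        if [ "$owner" != "$want_uid:$want_gid" ]; then
            echo "OWNER   $path is $owner, expected $want_uid:$want_gid"
            found=1
        fi

        # A ';' in a file name has no business in /bin or /usr/bin; the
        # names the poster listed were "<binary>;<8 hex digits>".
        case "$name" in
            *\;*) echo "NAME    $path"; found=1 ;;
        esac
    done
    return "$found"
}

# Number of findings only, e.g. for a cron job that mails on non-zero.
count_findings() {
    scan_bin_dir "$@" | wc -l | tr -d ' '
}

# Typical use on a live system: scan_bin_dir /bin; scan_bin_dir /usr/bin
```

Two caveats apply to any such check. The poster's ls and ps were themselves replaced, so a trojaned stat or shell could lie as well; run the scan from a known-good rescue medium against the mounted disk. And a much stronger version of the ownership test is to verify the package manager's recorded metadata and checksums (`rpm -Va`, `debsums`) rather than a hand-written expectation.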
#4
On Fri, 12 Oct 2007 03:54:37 +0200, Michael Goerz wrote:
> that don't look too good. Am I dealing with a rootkit here?

Yes.
#5
Michael Goerz
>
> ls;470ecce3
> ls;470ecd06
> ls;470ecd0a
> ls;470ecd0c
> ls;470ecd1c
> ls;470ece69
>
> that don't look too good. Am I dealing with a rootkit here?

Have you run /fsck/ on that file system?

--
Floyd L. Davidson
Ukpeagvik (Barrow, Alaska)
floyd-at-apaflo.com
#6
Dave Uhring wrote:
> On Fri, 12 Oct 2007 03:54:37 +0200, Michael Goerz wrote:
>
>> that don't look too good. Am I dealing with a rootkit here?
>
> Yes.

I was indeed hacked and someone installed the SHV5 rootkit. So, the only choice was to wipe the hard drive and do a reinstall... and change all passwords. Luckily I noticed it within two hours, so hopefully not too much damage beyond the rootkit itself was done.

How could the attacker get into my system? The box was behind a NAT, with no forwarded ports. Could it have been an outdated version of Firefox? Or maybe it was a Win box inside the LAN, which had caught a worm (of the ad-displaying kind) that I was busy taking care of? In any case, I tightened the firewall... hope it helps for the future.

Michael
#7
On Sat, 13 Oct 2007 12:46:57 +0200, Michael Goerz wrote:
> How could the attacker get into my system? The box was behind a NAT,
> with no forwarded ports. Could it have been an outdated version of
> Firefox? Or maybe it was a Win box inside the LAN, which had caught a
> worm (of the ad-displaying kind) that I was busy taking care of? In any
> case, I tightened the firewall... hope it helps for the future.

Since you failed to tell us which distro you are using and which services were running, your question is unanswerable. Install the latest release of whatever you use, keep it updated, turn off unessential services, disable root access by sshd and use good passwords.
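"Disable root access by sshd" is one line in sshd_config, but it is easy to get wrong because sshd uses the first value it finds for a keyword, matches keywords case-insensitively, and treats anything below a Match line as conditional. The following checker and the two constructed configs (a weak one beside a hardened one) are an added example, not something from this thread or from OpenSSH itself; the config contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an sshd_config
# actually disables root logins. sshd takes the FIRST value it meets for
# a keyword, keywords are case-insensitive, "keyword=value" is accepted
# as well as "keyword value", and anything after a "Match" line only
# applies to connections matching that block, so a "PermitRootLogin no"
# appended at the end of the file may do nothing at all.
# Usage: sshd_effective FILE KEYWORD ; check_root_login FILE

# Print the globally effective value of KEYWORD, or nothing if unset.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        { gsub(/=/, " "); k = tolower($1) }             # "key=value" form
        k == "match" { exit }                # global section ends here
        k == key     { print $2; exit }      # first occurrence wins
    ' "$1"
}

# Return 0 only if root logins over ssh are explicitly disabled.
check_root_login() {
    value=$(sshd_effective "$1" PermitRootLogin)
    case "$value" in
        no)  echo "ok:   PermitRootLogin no"; return 0 ;;
        "")  echo "warn: PermitRootLogin not set; the OpenSSH version default applies"; return 1 ;;
        *)   echo "bad:  PermitRootLogin $value"; return 1 ;;
    esac
}

# Constructed configs for demonstration (not real files from the thread).
# Weak: the 'no' at the bottom is ignored because 'yes' comes first, and
# the commented line does nothing.
WEAK_CONFIG='# PermitRootLogin no
Port 22
PermitRootLogin yes
PermitRootLogin no'

# Hardened: 'no' is the first live occurrence; the Match block relaxes
# it for one user only, which the global check deliberately ignores.
HARDENED_CONFIG='Port 22
permitrootlogin no
PasswordAuthentication no
Match User backup
    PermitRootLogin yes'

demo() {
    weak=$(mktemp)
    hard=$(mktemp)
    printf '%s\n' "$WEAK_CONFIG" > "$weak"
    printf '%s\n' "$HARDENED_CONFIG" > "$hard"
    check_root_login "$weak" || :   # bad:  PermitRootLogin yes
    check_root_login "$hard" || :   # ok:   PermitRootLogin no
    rm -f "$weak" "$hard"
}

demo
```

The "warn" branch exists because the default for an unset PermitRootLogin has changed between OpenSSH releases, so an absent keyword should be treated as unverified rather than safe. After editing, `sshd -t` validates the file and `sshd -T` prints the values the daemon will actually use, which is the authoritative check.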
#8
On 2007-10-13, Michael Goerz
>
> How could the attacker get into my system? The box was behind a NAT,
> with no forwarded ports. Could it have been an outdated version of
> Firefox? Or maybe it was a Win box inside the LAN, which had caught a
> worm (of the ad-displaying kind) that I was busy taking care of? In any
> case, I tightened the firewall... hope it helps for the future.

The Windhose box inside the hardware firewall would have made a very useful base camp for the intruder to attack your Linux machine. NAT doesn't help once the intruder is already inside.

--
Robert Riches
spamtrap42-at-verizon.net
(Yes, that is one of my email addresses.)