I have a friend, here is what he sent me:

- The box is cracked. A whole raft of functions in /usr/bin and /usr/sbin were replaced with newer/older versions. The reason I say it that way is that the file stamps are newer but the reported version numbers are older.
- The NIC is in PROMISC mode. If you run ifconfig and look at the NIC flags, 'PROMISC' appears there. When I turn it off it is only a matter of moments before it is back on. This is another clue that I'm cracked.
- When I run tcpdump the amount of traffic is staggering!! In fact, I thought I might win if I closed things down a bit... and subsequently closed the door on myself. I'm sure that no one is using the box at the moment. :-)
- I went out and grabbed real versions of all of the RPMs for the tools that were replaced. I forced those to install over top of the cracked ones. That worked... until some process re-copied the bogus ones on top again.
Any suggestions (other than turning the machine off and repaving the system)? I'm trying to help him find the source of the problem. In trying to limit net access to the machine, he ended up locking himself out till he gets home from work. In order to figure out what processes are running, and which one might be causing the mayhem, I basically suggested he try this: `more /proc/*/cmdline`, which should list the processes running better than a cracked `ps`. Any help is much appreciated. Dave
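The "read /proc instead of trusting ps" idea from the post, written out as a small script. This is an added example, not something from the original post or its author; it assumes a Linux host with /proc and /sys mounted and treats `ps` and `ifconfig` only as things to be checked, never as sources of truth. The function names (`proc_list`, `hidden_pids`, `promisc_ifaces`, `flag_has_promisc`) are made up here for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): walk /proc directly to list
# processes, diff that list against what ps(1) claims, and read interface
# flags from sysfs instead of trusting a possibly replaced ifconfig.
# Assumption: Linux with /proc and /sys mounted; ps may itself be trojaned.

# Every numeric PID directory under /proc, one per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# Command line of one PID. /proc/PID/cmdline is NUL-separated; kernel
# threads have an empty cmdline, so fall back to /proc/PID/comm for those.
proc_cmdline() {
    pid=$1
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    if [ -z "$cmd" ] && [ -r "/proc/$pid/comm" ]; then
        cmd="[$(cat "/proc/$pid/comm")]"
    fi
    printf '%s\n' "${cmd% }"
}

# Process listing that never calls ps(1): PID, executable, command line.
# /proc/PID/exe points at the binary actually running, which shows up a
# replaced program even when its command line looks normal.
proc_list() {
    for pid in $(proc_pids); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$(proc_cmdline "$pid")"
    done
}

# PIDs present in /proc but absent from ps(1) output: a trojaned ps that
# hides the intruder's processes shows up here. Short-lived processes
# (including this script's own helpers) can appear by accident, so run
# it twice and keep only the PIDs that repeat.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || { echo "ps not found" >&2; return 2; }
    tmp=$(mktemp)
    ps -e -o pid= | tr -d ' ' | sort -u > "$tmp"
    proc_pids | sort -u | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Return 0 if a hex flags word (the format of /sys/class/net/IFACE/flags)
# has IFF_PROMISC (0x100) set. Pure function, so it can be tested offline.
flag_has_promisc() {
    flags=$(printf '%d' "$1")
    [ $(( flags & 256 )) -ne 0 ]
}

# Interfaces currently in promiscuous mode, taken from sysfs rather than
# from ifconfig, which is one of the binaries that may have been replaced.
promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        iface=${f#/sys/class/net/}; iface=${iface%/flags}
        flag_has_promisc "$(cat "$f")" && printf '%s\n' "$iface"
    done
    return 0
}

# Usage: bash this_script.sh run
case "${1:-}" in
    run)
        proc_list
        echo "--- PIDs in /proc but hidden from ps:"
        hidden_pids
        echo "--- interfaces in PROMISC mode:"
        promisc_ifaces
        ;;
esac
```

The same "do not trust the box's own tools" logic applies to the replaced RPMs: verify packages with an `rpm` binary taken from known-good media rather than the one on disk. All of this still runs on the compromised kernel, so a kernel-level rootkit can lie about /proc and /sys as easily as a replaced `ps` lies about processes; these checks help locate the problem, but they do not make the host trustworthy again.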
