On Mon, Jul 12, 2004, [EMAIL PROTECTED] wrote:
> We have an unusual problem with files that are invisible (sort of) to
> 'ls' and other programs. This shows up when using the standard
> versions of these programs that are shipped with Debian 'Woody' (up to
> date via security.debian.org). However, the files are visible when
> using statically linked versions of 'ls' such as that shipped with
> some ftp servers.
...
> ... I realise that a bug in glibc is pretty unlikely, but I'm not
> really sure what else could be doing it and welcome further
> troubleshooting suggestions.

I'm not at all skilled in security/forensics, but "files that don't show
up in ls" and "processes that don't show up in ps" are often a symptom
of a compromised machine. The attacker, having gained successful access
to a machine, will install programs either to allow them continued
access to the machine, or to control the machine. They will then
sometimes modify system files and binaries so that it is not easy to find
these files and processes.

There may be some obvious reason why this can't be the case (as I said,
I don't know much about it), but it does seem like an option you haven't
considered.

In particular, the fact that problematic files are showing up in a
directory named /tmp/CGI_Cache sounds suspicious to me -- /tmp is world
writable and would therefore be a good candidate for installing rogue
programs assuming you can stop them being purged on reboot.

Hopefully others have good resources on checking and diagnosing a
compromised machine. The standard fix is: first find out how they got
in, and then reinstall the machine without that hole. However, keep in
mind that if you want to find out how an attacker got in, or to pursue
them, you will need to keep the evidence (hard drives) untouched, so
don't be too keen to wipe a possibly compromised machine.

Unless there's an obvious reason I'm missing not to suspect compromise,
you should be thinking about pulling those machines offline ASAP and
finding out exactly what's in these invisible files.

-Mary
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
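A worked cross-view check for the symptom Mary describes, added here as an illustration and not code from the original poster, from Mary, or from Debian. A user-land rootkit hides files by hooking readdir()/readdir64() (an LD_PRELOAD library, a replaced libc, or a trojaned ls); a statically linked ls never loads the hooked library, which is exactly why it shows the files the stock Woody ls does not. The script below gets the same independent view without a static binary by issuing the getdents64 system call directly through ctypes and diffing that against what the system's `ls -a` prints for the same directory (the thread's /tmp/CGI_Cache is the obvious target). It assumes Linux on x86_64, i386, armv7l, aarch64 or riscv64 and an `ls` on PATH; the syscall numbers, the sample file names and the `-1`/`--` ls options are my assumptions, taken from the kernel tables and coreutils rather than from the thread.

```python
"""Cross-view check: directory entries the kernel returns that ls does not show.

Added example for the SLUG thread above, not the poster's or Debian's code.
It bypasses libc's readdir() by calling getdents64 directly, so a hooked
readdir() (LD_PRELOAD, patched libc, trojaned ls) is sidestepped. A kernel
rootkit hooks the syscall itself, so both views would then agree and only
an offline examination of the disk (which also preserves the evidence) helps.
Assumes Linux on one of the listed architectures and an `ls` on PATH.
"""
import ctypes
import os
import platform
import struct
import subprocess
import sys
import tempfile

# __NR_getdents64 per architecture, from the kernel syscall tables (assumed here).
_GETDENTS64 = {"x86_64": 217, "i386": 220, "i686": 220, "armv7l": 217,
               "aarch64": 61, "riscv64": 61}
# struct linux_dirent64 header: d_ino (u64), d_off (s64), d_reclen (u16), d_type (u8),
# followed by the NUL-terminated d_name. Standard sizes, no padding: 19 bytes.
_DIRENT_HDR = "=QqHB"
_HDR_LEN = struct.calcsize(_DIRENT_HDR)

_libc = ctypes.CDLL(None, use_errno=True)
_libc.syscall.restype = ctypes.c_long


def raw_listing(path):
    """Names in `path` as the kernel reports them via getdents64, not via libc readdir()."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("getdents64 is Linux-only")
    arch = platform.machine()
    if arch not in _GETDENTS64:
        raise RuntimeError("no getdents64 syscall number known for " + arch)
    nr = _GETDENTS64[arch]
    names = set()
    buf = ctypes.create_string_buffer(32768)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            n = _libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf,
                              ctypes.c_size_t(len(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:          # end of directory
                break
            chunk = buf.raw[:n]
            off = 0
            while off < n:      # walk the variable-length dirent records
                _ino, _doff, reclen, _dtype = struct.unpack_from(_DIRENT_HDR, chunk, off)
                name = chunk[off + _HDR_LEN:off + reclen].split(b"\0", 1)[0]
                names.add(os.fsdecode(name))
                off += reclen
    finally:
        os.close(fd)
    return names


def ls_listing(path):
    """The same directory as the (dynamically linked, suspect) system ls reports it."""
    out = subprocess.run(["ls", "-a1", "--", path], check=True,
                         capture_output=True).stdout
    return {os.fsdecode(line) for line in out.split(b"\n") if line}


def hidden_entries(raw, visible):
    """Entries the kernel returned but the suspect tool omitted: the hide list, if any."""
    return set(raw) - set(visible)


def audit_dir(path):
    """Compare both views of `path`; an empty set means ls and the kernel agree."""
    return hidden_entries(raw_listing(path), ls_listing(path))


# Constructed sample data for a self-check on a clean machine; not from the thread.
SAMPLE_NAMES = ("visible.txt", ".dotfile", "CGI_Cache")


def make_sample_dir():
    """Create a scratch directory containing SAMPLE_NAMES and return its path."""
    d = tempfile.mkdtemp(prefix="crossview-")
    for n in SAMPLE_NAMES:
        open(os.path.join(d, n), "w").close()
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    hidden = audit_dir(target)
    print("entries in %s hidden from ls: %s" % (target, sorted(hidden) or "none"))
```

Run it as `python3 crossview.py /tmp/CGI_Cache`. Because the two views are taken a few milliseconds apart, a file created or deleted in between shows up once as a spurious difference; re-run, and treat a name that is reported consistently as the real finding. If the raw view and ls agree yet the static ls still disagrees with both, suspect the kernel rather than libc, and stop trusting anything the running system tells you.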