On 10/23/2010 11:00 AM, Rod Roark wrote: > A strange thing happened last night around 10:09 pm. I had just rebooted > my home server (running Ubuntu 10.04), and then started getting emails > from cron jobs saying this: > > /bin/sh: find: not found > > Sure enough, /usr/bin/find did not exist. Brought up the Synaptic > package manger and learned that findutils was indeed installed, and > that /usr/bin/find is one of the files that it installs. Somehow this > file had simply disappeared. > > It seems that installing packages requires find, so I ended up copying > it over from another machine running the same distribution. Then I > forced a reinstall of findutils and all was good. > > Except I have no clue what happened. Checking the logs did not > turn up anything interesting. Any ideas?
First, backup anything important. It could of course be a strange typo while root, but I would also be suspicious of a disk error. Any hints form dmesg? Maybe a hdparm -long test would be indicated. Another possibility is a hacked machine where they replace ps/find/ls and friends to hide... although to be honest seems like 99% of such attacks these days attack the kernel and hide that way. The only way to be completely sure is install from trusted media, but you could: * boot from trusted media, figure out where all your disk space is being used. Maybe run a rootkit detector or two (but in my experience they are useless). * Nmap from a remote machine, make sure only the ports you expect are open. * Make sure you are patched of course * monitor network traffic upstream (from a different machine/fw).. even just monitoring your uplink light. _______________________________________________ vox-tech mailing list vox-tech@lists.lugod.org http://lists.lugod.org/mailman/listinfo/vox-tech
