Re: real and effective user ids must match

On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
> > On Thu, 14 Sep 2006, Michael Fuhr wrote:
> > > Can anybody else with a Linux box test the above command?
> >
> > On my FC4 machine running 2.6.16-1.2111_FC4:
> >
> > uid=26(postgres) gid=26(postgres) groups=26(postgres)
> > context=user_u:system_r:unconfined_t
>
> That's what I'd expect.  David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked.  If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?

It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run them to see if there is a problem. Might also be worthwhile to run the ps and ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner 	<jeff@xxxxxxxxxxxxxxxxxxxxxx>
Frost Consulting, LLC 	http://www.frostconsultingllc.com/
Phone: 650-780-7908	FAX: 650-649-1954

