On Fri, 15 Sep 2006, Michael Fuhr wrote:
> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect. David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked. If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?
It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem. Might also be worthwhile to run the ps and
ls from the install CD to see if there are any suprising results.
--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954
