Hi all. My redhat 7.1 /bin files has been corrupted... for certain files.

When i try replacement.. these are the error sign

bash-2.04# ./cp more /bin
./cp: cannot create regular file `/bin/more': Permission denied


What can i do ??? need expert advise....

you are root when you are trying to do this right?

boot with some linux cdrom, mount your hard drive
partition and copy the files back.

i've had a bunch of weird problems with my machine
this week. i tried compressing all the binaries with
upx. i thought it wouldn't compress stuff that would
mess up the system. the system wouldn't even boot
when i was done. a bunch of files wouldn't work
while compressed with upx. and a bunch of stuff
doesn't work now, even though i've uncompressed
everything. i had some files that didn't work, that
i wasn't allowed to copy over for some reason.
i booted another linux to do it.

As root check the (read-write) mount flags on the partition and check with "lsattr" if the dir/binary isn't set immutable and/or undeletable.

this is the response...

bash-2.04# /usr/bin/lsattr /bin/more
bash: /usr/bin/lsattr: cannot execute binary file

what should i do next ?? pls advise. thanx..


Actually an Linux/OSF.A virus has caused this problem.

You could try what I said yesterday, and what
has been suggested in this thread, too ....
Boot the machine with your installation CD,
mount the partition that has the /bin directory
and copy the files there manually...

Cheers,
Tink

Good you mentioned Linux/OSF.A upfront. Excellent.
Also good to mention it's part of another thread. Excellent...

Apparently when executing an infected binary it'll open a backdoor on TCP/3049 or higher (Sophos). Running an clean copy of netstat, lsof (-i) or chkrootkit should be able to prove that.
Since you managed to infect your box (as root, right) running untrusted binaries, and you don't know who accessed the system after the infection, I'd suggest you save your human readable data and reformat and reinstall. Don't save binaries and don't assume you'll get a trusted system back by just copying in clean binaries from cdr w/o the means to verify file integrity (using Aide, Samhain or tripwire incl. databases from floppy or cdr). Please read the 1st thread in the security forum, look for "Steps for Recovering from a UNIX or NT System Compromise", rebuild your box and read the stuff on hardening your boxen. Also there's a supposed cleaner at Packetstorm (search for clean-osf) but again: don't assume you'll get a trusted system back by just copying in clean binaries from cdr.

HTH