<background>
Man.... I went round and round with this one. Thank god for tripwire!!! I have a Linux box on a T1. I often access it from work through an http tunnel. I have been working on getting MySQL, PHP and DBI running so I can host HLSTATS for my counter-strike server. To make all of this easier I installed VNC and have been using that through the tunnel.
Normally I log in as root because I only installed ssh. Well, the server side of my http tunnel went down and because of the restrictions on my work PC I cannot run an SSH capable client. So, I bring up my alternate tunnel to my home PC and telnet to that. I log in as a non-root user and ssh from there to my T1 box (non-root user). After entering the password and viewing etc/issue it closes my connection with the following error: /bin/bash: Permission denied
After searching the net, I only found one site that assisted me:
http://www.linuxgazette.com/issue52/okopnik.html
After learning how to use tripwire (thank god I installed it) I ran a: twprint -m r -r <logfile>|more
Finally I stumbled upon something mentioned in the posted website.
Modified object name: /lib/ld-2.2.2.so
Expected Observed
-rwxr-xr-x -rwxr--r--
And about 5 more.
After doing a chmod 755 on these, I was back in service. I haven't checked to see if these were part of the packages I was installing or if it was a hack, however I did find this in var/log/lastlog: t<ftpsherbrooke-hse-ppp3605230.sympatico.ca©Û~. I traced it back to the ISP and their security peeps are checking it out.
Note: The lib dates were not recent.
Like I said! Hooray for tripwire.
--RYAN
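
Added example, not part of the original post and not Tripwire's own code: a simplified stand-in for the mode check the report above performed. It records a baseline of file permissions, then flags any file whose mode changed and whether "other" users lost bits, which is the condition that locks a non-root login out of the loader. The scratch directory, file names and function names are constructed for illustration.

```python
import os
import stat
import tempfile

def snapshot(root):
    """Record the permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                baseline[path] = stat.S_IMODE(st.st_mode)
    return baseline

def compare(baseline):
    """Return (path, expected, observed, lost_for_others) for each changed mode."""
    findings = []
    for path, expected in sorted(baseline.items()):
        try:
            observed = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            continue  # removed files are a separate kind of finding, not covered here
        if observed != expected:
            # Bits that "other" users had in the baseline but no longer have.
            lost = expected & ~observed & stat.S_IRWXO
            findings.append((path,
                             stat.filemode(stat.S_IFREG | expected),
                             stat.filemode(stat.S_IFREG | observed),
                             bool(lost)))
    return findings

def demo():
    # Constructed sample: a scratch directory standing in for /lib.
    with tempfile.TemporaryDirectory() as lib:
        for name in ("ld-sample.so", "libc-sample.so"):
            path = os.path.join(lib, name)
            with open(path, "w") as f:
                f.write("x")
            os.chmod(path, 0o755)
        baseline = snapshot(lib)
        # Same mode change as in the report: 755 becomes 744.
        os.chmod(os.path.join(lib, "ld-sample.so"), 0o744)
        return [(os.path.basename(p), e, o, l) for p, e, o, l in compare(baseline)]

if __name__ == "__main__":
    for name, expected, observed, lost in demo():
        note = "  <- non-root users lost access" if lost else ""
        print(f"Modified object name: {name}")
        print(f"  Expected {expected}  Observed {observed}{note}")
```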