> please feel free to berate me!
OK peasant: prepare to be berated - or otherwise quoted out of context
> /bin/groups' has been replaced by a script
If this is serious, then reading the script should tell you how concerned to be.
less /usr/bin/groups
# groups -- print the groups a user is in
# Copyright (C) 1991, 1997, 2000, 2002, 2004 Free Software Foundation, Inc.
[snip]
... rms's fingerprints are all over it.
less /usr/bin/ldd
# Copyright (C) 1996-2004, 2005, 2006 Free Software Foundation, Inc.
# This file is part of the GNU C Library.
[snip]
... similar.
less /usr/sbin/whatis
"/usr/bin/whatis" may be a binary file. See it anyway?
... whoops. "whatis - display manual page descriptions" (from man page)
less /usr/bin/adduser
# adduser: a utility to add users to the system
# addgroup: a utility to add groups to the system
[snip]
... it's a perl script on my machine though.
/usr/bin and /usr/sbin are expected, but not limited, to contain binary executables. A typical rootkit would be a script that replaces a standard executable so that it activates when the executable would normally be called. It then calls the original script (now renamed) after performing a short task for its maker... that way they are hard to spot.
However, they are hard to put in place too.
I doubt those are good targets for substitution (in the same way as, say, /usr/bin/passwd) anyway.
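An added example, not part of the original post: the manual `less` check above, done for every executable in a directory by reading each file's first bytes (ELF magic versus `#!`) and listing the scripts with their interpreter, so each one can then be read. The function names `classify` and `list_scripts` are hypothetical.

```shell
#!/bin/sh
# Added example: separate compiled binaries from scripts in a directory such as
# /usr/bin, so that a "replaced by a script" warning can be checked by reading
# the script. Function names are hypothetical, not from any tool.

# classify FILE -> prints "elf", "script:<interpreter>" or "other"
classify() {
    # First four bytes as hex: 7f454c46 is the ELF magic, 2321 is "#!"
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;
        2321*)
            # Interpreter is the first word after "#!"; for "env", report the
            # program env is asked to run, skipping any env options.
            interp=$(head -n 1 "$1" | awk '{
                sub(/^#![ \t]*/, "")
                i = 1
                if ($1 ~ /(^|\/)env$/ && NF > 1) {
                    i = 2
                    while (i < NF && $i ~ /^-/) i++
                }
                print $i
            }')
            echo "script:$interp" ;;
        *) echo other ;;
    esac
}

# list_scripts DIR -> one "path<TAB>interpreter" line per executable script
list_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        kind=$(classify "$f")
        case $kind in
            script:*) printf '%s\t%s\n' "$f" "${kind#script:}" ;;
        esac
    done
}

# Usage: sh scan.sh /usr/bin
if [ $# -gt 0 ]; then
    list_scripts "$1"
fi
```

A script in the list is not a finding by itself, as the `groups`, `ldd` and `adduser` examples show; the list only tells you which files to open and read.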