LinuxQuestions.org
Old 10-14-2003, 01:18 PM   #1
afubini
LQ Newbie
 
Registered: Oct 2003
Posts: 3


I've come across this thread as I'm experiencing the same problem regarding Segmentation Faults when executing the ls and mkdir commands. I'm running this server at home as a hobby so it's not really a critical machine.

In my case, there is a further behaviour which seems rather strange. I first noticed the following ModProbe message:

Can't locate these modules:
net-pf-14: 1 Time(s)
ppp0: 3 Time(s)

When I tried to log on to the server as root, it got as far as:

Last login: .....

but never got the linux prompt.

I can, however, log in as my user and 'su' root.

Once as root, I copied the ls binary from a backup taken prior to the Segmentation Fault, and the command started to work again.

I can log out and log back in as my user and everything still seems to be fine.

The strange thing is that if I try to log in as root it will get stuck at the Last login: ... message and the segmentation faults begin again.

Any ideas???

Many Thanks,
Alex
 
Old 10-14-2003, 02:45 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Any ideas?
Problem is you didn't post any true "evidence" for a rootkit, but from what I've read on the SF incidents mailing list this sure would indicate it.
Here's my recipe:

- Stay calm.
- Disconnect the box from the network. If necessary, inform any other parties that have (had) access to accounts on the box. If applicable, cut off net access for the LAN.
- Shut down the box NOW and do not reboot it again.
- Now make a choice: search for evidence or go ahead and mop up.

If you choose to mop up, then proceed with this:
- If you have spare disk space on another box, and provided you want to find out, hook up the disk(s) to that box and make a copy of the entire disk using "dd", booting the other box's OS, not the one from the disks you just hooked up. Else, if you don't have that much spare space, you might want to tar up the contents of at least the config dir (/etc) and your temp and log dirs (/var). At least you'll have a chance to look at your logs. You do this either by hooking up the disk(s) to another box, or by booting some rescue cdrom/floppy without touching the OS on the disk.
- If you don't want to find out, save any HUMAN READABLE data of choice: that is NOT binaries and NOT anything else.
- If applicable, audit any other boxen on your LAN before proceeding, then execute the three R's: repartition, reformat and reinstall from scratch. Now harden the box, renew all passwords, etc., etc.

If you choose to search for evidence, I'll try to make it as clear as I can, but it will not be easy if you're a total newbie, I'm afraid, and then mopping up may be your only choice.
Whatever you choose, DO NOT reboot the box before it's sterilised.
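The evidence-preservation steps in the post above (dd image taken while booted from another OS, with a tar of /etc and /var as the low-disk-space fallback), as an added shell example that is not part of the thread; the device and directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: preserve evidence from a suspect disk
# while booted from ANOTHER OS (rescue CD or a second box), as unSpawn advises.
# Nothing on the suspect disk is executed; it is only read. Paths are assumed.
set -eu

# SHA-256 of a file: coreutils sha256sum, falling back to BSD-style shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# image_disk DEVICE OUTDIR: bit-for-bit copy of DEVICE with dd. bs=512 matches
# the sector size, so conv=noerror,sync only zero-pads unreadable sectors and
# offsets stay aligned. Source and image hashes must agree; the hash is stored
# beside the image so the copy can be re-checked later. Prints the hash.
image_disk() {
    dev=$1; out=$2
    mkdir -p "$out"
    dd if="$dev" of="$out/disk.img" bs=512 conv=noerror,sync 2>/dev/null
    src=$(hash_file "$dev"); img=$(hash_file "$out/disk.img")
    [ "$src" = "$img" ] || { echo "hash mismatch: $src != $img" >&2; return 1; }
    echo "$img" > "$out/disk.img.sha256"
    echo "$img"
}

# verify_image IMAGE: true only if IMAGE still matches its stored hash.
verify_image() {
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}

# archive_logs MOUNTPOINT OUTDIR: the low-disk-space fallback. The suspect
# filesystem is mounted read-only (e.g. mount -o ro,noexec,nosuid) at MOUNTPOINT
# and only its etc/ and var/ trees are tarred, using the host's own tar.
# Prints the number of entries archived.
archive_logs() {
    mnt=$1; out=$2
    mkdir -p "$out"
    tar -C "$mnt" -cf "$out/etc-var.tar" etc var
    hash_file "$out/etc-var.tar" > "$out/etc-var.tar.sha256"
    tar -tf "$out/etc-var.tar" | wc -l | tr -d ' '
}
```

Run as root from the rescue system, e.g. `image_disk /dev/sdb /mnt/evidence` (device name assumed), and keep the .sha256 files with the image so the copy can be shown to be unaltered later.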
 
Old 10-15-2003, 06:51 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

//moderator invoked separation from thread http://www.linuxquestions.org/questi...threadid=72884