[vox-tech] find not found
Bill Broadley
bill at broadley.org
Sat Oct 23 17:26:07 PDT 2010
On 10/23/2010 11:00 AM, Rod Roark wrote:
> A strange thing happened last night around 10:09 pm. I had just rebooted
> my home server (running Ubuntu 10.04), and then started getting emails
> from cron jobs saying this:
>
> /bin/sh: find: not found
>
> Sure enough, /usr/bin/find did not exist. Brought up the Synaptic
> package manager and learned that findutils was indeed installed, and
> that /usr/bin/find is one of the files that it installs. Somehow this
> file had simply disappeared.
>
> It seems that installing packages requires find, so I ended up copying
> it over from another machine running the same distribution. Then I
> forced a reinstall of findutils and all was good.
>
> Except I have no clue what happened. Checking the logs did not
> turn up anything interesting. Any ideas?
First, backup anything important.
It could of course be a strange typo while root, but I would also be
suspicious of a disk error. Any hints from dmesg? Maybe a hdparm -long
test would be indicated.
Another possibility is a hacked machine where they replace ps/find/ls
and friends to hide... although to be honest seems like 99% of such
attacks these days attack the kernel and hide that way.
The only way to be completely sure is install from trusted media, but
you could:
* boot from trusted media, figure out where all your disk space is
being used. Maybe run a rootkit detector or two (but in my
experience they are useless).
* Nmap from a remote machine, make sure only the ports you expect
are open.
* Make sure you are patched of course
* monitor network traffic upstream (from a different machine/fw).. even
just monitoring your uplink light.
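
Added example (not part of the original post): after booting from trusted media as suggested above, one way to see what else besides /usr/bin/find is missing or altered is to check the mounted disk against dpkg's per-package md5sums manifests. The mount point and function names are assumptions. Because the manifests live on the same disk, a clean result only shows the files match what was recorded at install time, not that the machine is uncompromised.

```sh
#!/bin/sh
# Added example: compare an offline-mounted root filesystem against dpkg's
# per-package MD5 manifests. Manifest lines are "<md5>  <path relative to />".

# verify_pkg ROOT PKG -> prints "MISSING /path" or "MODIFIED /path" per problem.
verify_pkg() {
    root=$1
    manifest="$root/var/lib/dpkg/info/$2.md5sums"
    [ -r "$manifest" ] || { echo "NOMANIFEST $2"; return 0; }
    while read -r want path; do
        file="$root/$path"
        if [ ! -e "$file" ]; then
            echo "MISSING /$path"
        else
            have=$(md5sum < "$file" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "MODIFIED /$path"
        fi
    done < "$manifest"
}

# verify_all ROOT -> run verify_pkg for every manifest found under ROOT.
verify_all() {
    for m in "$1"/var/lib/dpkg/info/*.md5sums; do
        [ -e "$m" ] || continue
        verify_pkg "$1" "$(basename "$m" .md5sums)"
    done
}

# Constructed sample tree (made-up file contents) so the example runs offline:
# a tiny "findutils" with one deleted and one altered file.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/bin" "$r/usr/share/doc/findutils" "$r/var/lib/dpkg/info"
    printf 'find\n'      > "$r/usr/bin/find"
    printf 'xargs\n'     > "$r/usr/bin/xargs"
    printf 'copyright\n' > "$r/usr/share/doc/findutils/copyright"
    ( cd "$r" && md5sum usr/bin/find usr/bin/xargs \
        usr/share/doc/findutils/copyright ) > "$r/var/lib/dpkg/info/findutils.md5sums"
    rm "$r/usr/bin/find"                      # the symptom from this thread
    printf 'changed\n' > "$r/usr/bin/xargs"   # a replaced binary
    echo "$r"
}

# Usage: sh verify.sh /mnt/suspect-root   (mount point is an assumption)
if [ $# -gt 0 ]; then verify_all "$1"; fi
```

A single MISSING line with everything else intact fits a stray delete as root; many MODIFIED or unreadable files across unrelated packages point more toward disk trouble or tampering.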