[nSLUG] big problems with Ubuntu

Dop Ganger nslug at fop.ns.ca
Tue Sep 19 08:11:16 ADT 2006

On Mon, 18 Sep 2006, ricardd at mathstat.dal.ca wrote:

> The same error message appears during the booting and the permissions on
> udevplug are:
> ?rwxr-xr-x 1 root root 59018 May 22 11:25 /sbin/udevplug
> So there seems to be a bunch a files with screwed up permissions.

Not only screwed up permissions, but the file sizes look wrong. Here's the 
relevant info from an Ubuntu box here:

dop at volkerding:/sbin$ ls -l udev*
-rwxr-xr-x 1 root root  9784 2006-05-22 11:25 udevcontrol
-rwxr-xr-x 1 root root 55432 2006-05-22 11:25 udevd
-rwxr-xr-x 1 root root 20552 2006-05-22 11:25 udevplug
-rwxr-xr-x 1 root root 18312 2006-05-22 11:25 udevsend
dop at volkerding:/sbin$ md5sum udev*
cfdfc41cf939a7b358207df8353aff31  udevcontrol
805755649b706f4363a604472184cf79  udevd
b3b00eceffe00ff15e66bcf351ba0f6a  udevplug
afbbef7d0f4edbfbc4b1d72d928e48c9  udevsend
dop at volkerding:/sbin$

My first guess would be that you've been rootkitted - try "strings 
/sbin/udevplug | less" to see if there's anything suspicious. If you can 
manage to get an ethernet interface up ("sudo dhclient eth0" or to 
manually configure, "sudo bash ; ifconfig eth0 up x.x.x.x ; route add 
default gw y.y.y.y" where x.x.x.x is your IP address, and y.y.y.y is your 
gateway) then you can possibly reinstall with "sudo apt-get install 
--reinstall udev".

You will probably need to get a rescue disk of some sort and fsck the 
partition to make sure it's clean, if it's actually corruption of some 
sort instead of a rootkit.

Cheers... Dop.


