[plug] /bin2 ?

Russell Steicke r.steicke at bom.gov.au
Mon Aug 9 16:38:53 WST 2004


Hi,

I've just noticed something slightly odd on a Debian sid machine.  Some
of the daemons have a /bin2 entry in their PATH environment
variables[1].  I can't find out where this came from.  A recursive search
through /etc didn't reveal any occurrences of the string "bin2".  I
haven't added this to any config file.

Some of the daemons affected are sshd, inetd and gpm.  portmap, lpd and
apache2 don't have this.  (lpd's environment is empty.)

A machine with similar versions of these packages (not identical)
doesn't have /bin2 in the PATHs of its daemons.

There is no /bin2 directory.  Because I've seen root kits that install
ls, find, etc that hide directory entries, I booted with the only handy
Linux boot CD, a RH9 install CD, but /bin2 doesn't exist when viewing
the filesystem from that either.

Googling for things like "bin2 inetd debian" and "bin2 rootkit" doesn't
find anything that seems relevant, and there's nothing in the dpkg
source, either.  (I looked in the source for dpkg because that's where
start-stop-daemon comes from, and both inetd and sshd are started by
start-stop-daemon.)

Has anyone seen this before?  Any ideas?

TIA
Russell

[1] sudo cat /proc/<pid>/environ | xargs -0 -n 1 echo | grep PATH


-- 
Russell Steicke

-- Fortune says:
Cheer Up!  Things are getting worse at a slower rate.
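
The footnote's per-process check, generalized as an added example (not part of the original post): a POSIX shell function that walks every readable process environment and reports PATH entries that do not exist as directories. The function name `audit_daemon_paths` and its two optional arguments (an alternate proc root and a prefix under which PATH entries are looked up) are assumptions of this example.

```shell
# Report PATH entries in process environments that are not directories.
# Usage: audit_daemon_paths [proc_root] [fs_root]
#   proc_root  where per-process directories live (default: /proc)
#   fs_root    prefix prepended to each PATH entry before testing it
#              (default: empty, i.e. the running filesystem)
# Output: one line per finding, "pid<TAB>name<TAB>missing-entry".
# Run as root to see the environments of other users' daemons.
audit_daemon_paths() (
    proc_root="${1:-/proc}"
    fs_root="${2:-}"
    for dir in "$proc_root"/[0-9]*; do
        # Skip processes whose environment we are not allowed to read
        [ -r "$dir/environ" ] || continue
        pid="${dir##*/}"
        # comm holds the short process name; fall back to "?" if absent
        name="$(cat "$dir/comm" 2>/dev/null)" || name='?'
        # environ is a run of NUL-terminated KEY=VALUE records
        path_val="$(tr '\0' '\n' < "$dir/environ" \
            | sed -n 's/^PATH=//p' | head -n 1)"
        # Kernel threads and daemons with an empty environment have no PATH
        [ -n "$path_val" ] || continue
        # Split on ':' with globbing off so entries are taken literally
        old_ifs="$IFS"; IFS=:; set -f
        for entry in $path_val; do
            [ -n "$entry" ] || continue
            [ -d "$fs_root$entry" ] \
                || printf '%s\t%s\t%s\n' "$pid" "$name" "$entry"
        done
        IFS="$old_ifs"; set +f
    done
)
```

Piping the output through `cut -f3 | sort | uniq -c` shows which missing entries are shared across daemons, which helps narrow down the common parent or init script that set them.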


