Actually, that's probably OK, my Mandrake 5.3 system has:
-rws--x--x 2 root root 464140 Sep 10 1998 /usr/bin/sperl5.00404
I'd guess that came with the system.
If you want to check all of your files for modification, you can run a
little script like this:
#!/bin/bash
# Verify every installed package against the rpm database.
for i in $(rpm -qa)
do
    echo "**** $i ****"   # package marker; any files that differ follow it
    rpm -V "$i"          # prints only files whose size, MD5, mode, etc. changed
done
This will list every rpm and verify its files for MD5 checksum, size,
modification type, permissions mode, etc.
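As an added example that is not part of the original mail: a small POSIX sh script that triages the lines the loop above prints, so that a changed binary stands out from the routine noise of locally edited config files and touched timestamps. It assumes the rpm -V line format (eight flag characters, an optional type letter such as c for config files, then the path; "missing" for files that have disappeared) and runs by default over a constructed sample of that output with made-up package names, so it works without rpm installed.

```shell
#!/bin/sh
# Triage the output of the "rpm -V" loop from the message above.
# Added example, not part of the original mail. Assumed line formats, as
# rpm -V prints them (the sample below is constructed, not the poster's log):
#   "S.5....T    /usr/sbin/named"      8 flag chars, optional type letter, path
#   "..5....T  c /etc/named.conf"      'c' marks a config file
#   "missing     /usr/sbin/named-xfer" file listed in the package is gone
#   "**** pkg ****"                    marker lines emitted by the loop script
#
# Flag letters: S size, M mode, 5 MD5 digest, D device, L symlink target,
# U owner, G group, T mtime, P capabilities (newer rpm), ? not testable.

# Turn the flag field into words, e.g. "S.5....T" -> "size md5 mtime".
explain_flags() {
    _f=$1; _out=""
    while [ -n "$_f" ]; do
        _c=${_f%"${_f#?}"}          # first character
        _f=${_f#?}                  # rest of the string
        case $_c in
            S) _out="$_out size" ;;
            M) _out="$_out mode" ;;
            5) _out="$_out md5" ;;
            D) _out="$_out device" ;;
            L) _out="$_out symlink" ;;
            U) _out="$_out owner" ;;
            G) _out="$_out group" ;;
            T) _out="$_out mtime" ;;
            P) _out="$_out caps" ;;
            \?) _out="$_out untestable" ;;
        esac
    done
    printf '%s\n' "${_out# }"
}

# Classify one line: prints "LEVEL path reasons", or nothing for marker lines.
# HIGH   = file missing, or contents (size/MD5) differ from the package
# MEDIUM = only ownership, mode, device or symlink target differ
# LOW    = only the timestamp differs, or the file is a config/ghost file,
#          which is expected to be edited locally
classify_line() {
    set -f; set -- $1; set +f       # split on whitespace without globbing '?'
    [ $# -ge 2 ] || return 0
    flags=$1; shift
    ftype=""
    [ $# -eq 2 ] && { ftype=$1; shift; }
    path=$1
    case $flags in
        \*\*\*\*) return 0 ;;                         # "**** pkg ****" marker
        missing)  printf 'HIGH %s missing\n' "$path"; return 0 ;;
    esac
    reasons=$(explain_flags "$flags")
    case $ftype in
        c|g) printf 'LOW %s %s (config/ghost file)\n' "$path" "$reasons"; return 0 ;;
    esac
    case $flags in
        *5*|*S*)              level=HIGH ;;
        *M*|*U*|*G*|*L*|*D*)  level=MEDIUM ;;
        *)                    level=LOW ;;
    esac
    printf '%s %s %s\n' "$level" "$path" "$reasons"
}

# Read rpm -V output (or the loop script's output) on stdin, one line at a time.
triage_verify() {
    while IFS= read -r line; do
        classify_line "$line"
    done
}

# Constructed sample of what the loop script prints; package names are made up.
SAMPLE='**** bind-8.2.1-1 ****
S.5....T    /usr/sbin/named
..5....T  c /etc/named.conf
missing     /usr/sbin/named-xfer
**** fileutils-4.0-1 ****
.M......    /bin/ls
.......T    /bin/cp
**** setup-2.0.5-1 ****'

# Default: run on the constructed sample. With --stdin, read real output:
#   for i in $(rpm -qa); do echo "**** $i ****"; rpm -V "$i"; done | sh triage.sh --stdin
case ${1:-} in
    --stdin) triage_verify ;;
    *)       printf '%s\n' "$SAMPLE" | triage_verify ;;
esac
```

On the sample this prints the two named files as HIGH (the binary's size and MD5 differ; the helper is missing), /bin/ls as MEDIUM (mode only) and the config file and /bin/cp as LOW. Config files flagged with a changed MD5 are normal; a package binary with a changed MD5 is the line worth comparing against a freshly downloaded copy of the same rpm.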
<snip log>
As far as your log... Someone named delrio logged in, su'd to root, and
shut down and restarted named. That's basically it until something
happened to cause your machine to look up wkd.sorabul.co.kr. Thirty
seconds later, two accounts were created, one with the same UID as
delrio (uid 500), another with UID 0 (the same as root). Unfortunately
it's pretty hard to get very much from this. There's no record of
anyone logging in before the user accounts were added, only the named
thing -- I'm slightly suspicious of that, because of this:
You're running bind 8.2.1 (the package named is part of). This is known
to have remote root exploit vulnerabilities, and Red Hat has issued
updates ( http://www.**-**.com/ ). It's certainly possible that
this was how your machine was compromised.
I unfortunately do not know what kind of log traces a buffer overflow on
named would look like, so this is just a guess. But you are running a
vulnerable version of named and the new accounts were created only 30
seconds after named reported an error (though the error is not in itself
suspicious, it could be the result of all sorts of things).
--
Phil DeBecker
"Give me a lever long enough, and a place to stand, and I'll break the
lever."