[Users] no such file or directory

Scott Dowdle dowdle at montanalinux.org
Thu Dec 4 12:35:11 EST 2008


Papp,

I don't think you have stated what distro you are running in the problem container.  Most package managers offered by distros have a way to verify the checksums of packages installed by the package manager.  So enter the container and do that.  The modified files should stick out like a sore thumb.  While it is possible for crackers to alter package manager binaries as well... it is considerably more work to modify the package databases that go along with them... and I haven't seen that happen out in the wild... so it is less likely.

If your package manager says a number of binaries have been altered (rather than, say, corrupted as a result of disk/filesystem failures)... make a list of the altered binaries and run the strings command on one or more of them.  Usually altered binaries will have some text within them that makes it obvious they are cracker tools.

If you come to the conclusion your container has been compromised almost everyone will tell you to scrap it and make a new container and migrate data.  Some of the adventurous will actually try and fix the compromise by re-installing the packages that have compromised binaries.  Of course you also should find the cause of the compromise and fix it if at all possible.  Some causes are guessed/broken passwords without any real software vulnerability being involved.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
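
Added example, not part of the original message: a sketch of the verify-then-inspect steps described above, assuming the container runs an RPM-based distro (the message does not say which one). The function names and the sample `rpm -Va` lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output: verify flags, an optional file-type
# marker (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
..5....T.    /bin/ps
.M.......    /usr/bin/passwd
missing      /usr/share/man/man1/foo.1.gz
.......T.  d /usr/share/doc/bar/NEWS
S.5....T.    /usr/bin/my tool
EOF
}

# Read `rpm -Va` output on stdin and print the paths whose content digest no
# longer matches the package database ("5" in the third flag column).
# Config, doc, ghost, license and readme files are skipped: they change in
# normal operation and are not binaries.
altered_binaries() {
    awk '
        $1 == "missing"         { next }   # absent file, nothing to inspect
        substr($1, 3, 1) != "5" { next }   # digest still matches
        {
            slash = index($0, "/")
            if (slash == 0) next
            marker = substr($0, 1, slash - 1)
            sub(/^[^ \t]+[ \t]+/, "", marker)   # drop the flags column
            gsub(/[ \t]/, "", marker)
            if (marker ~ /^[cdglr]$/) next
            print substr($0, slash)             # keeps spaces in the path
        }
    '
}

# For each path on stdin, show the first long printable strings in the file.
# Needs strings(1) from binutils.
review_strings() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        strings -n 8 "$f" | head -n 20
    done
}

# Inside the container: rpm -Va 2>/dev/null | altered_binaries | review_strings
sample_rpm_va | altered_binaries
```

Timestamp-only or mode-only differences are ignored on purpose; only a digest mismatch means the file contents changed.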

