/bin/ls not found, even though it exists!

Question

This is a server running ubuntu 8.04 server, any idea what's going on?

# ls
-bash: /bin/ls: No such file or directory
# /bin/ls
-bash: /bin/ls: No such file or directory
# stat /bin/ls
  File: `/bin/ls'
  Size: 39696       Blocks: 80         IO Block: 4096   regular file
Device: 803h/2051d  Inode: 1073910881  Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (  122/ UNKNOWN)   Gid: (  114/Debian-exim)
Access: 2008-06-05 15:07:22.491486000 -0700
Modify: 2008-04-03 23:44:23.000000000 -0700
Change: 2009-05-21 07:42:45.715736917 -0700
#:/bin# dd if=/bin/ls of=/dev/null 
77+1 records in
77+1 records out
39696 bytes (40 kB) copied, 0.000157908 s, 251 MB

I have no idea how it got the weird GID and UID, neither one exists in /etc/passwd

I recently performed the ubuntu NTP update to fix a security hole.

Update: I just noticed /bin/netstat has the same issue

Update: looks like I got rooted, ran rkhunter and it found a kit...

If you run "chown root:root /bin/ls" does that help the problem at all? — gharper, May 21 '09 at 17:23
Already did, no luck, I also ran chkrootkit, no positive results. — Andrew Cholakian, May 21 '09 at 17:27
When you ran chown root:root ... Did stat change so the owner and group was root? — Kyle Brandt, May 21 '09 at 17:35
I have exactly the same size of the file. What the problem you have had? — Brian Cannard, Mar 10 '17 at 04:27

score 12 · Accepted Answer · edited Apr 13 '17 at 12:14

Having ls and netstat broke on a system sounds suspiciously like something a hacker would do to avoid detection. Usually they try to patch those tools to prevent detection of tools and backdoors they had installed or created. You might want to consider rebooting to a livecd and then checking the md5sums of those files.

If the system is compromised please check these questions for some advice on how to deal with the situation.

score 2 · Answer 2 · answered May 21 '09 at 17:37

2

You can get the 'No such file or directory' error when the dynamic linker cannot find the appropriate shared objects.

Run:

ldd /bin/ls

and check the output.

Looks suspicious to me as well, by the way. I'd worry about your system having been compromised.

answered May 21 '09 at 17:37

MikeyB

39,291
10
105
189

1

ls is usually a shell built in. You should check that your _shell_ not /bin/ls has been modified. – Dave Cheney May 21 '09 at 18:31
1

@Dave Cheney: I don't think that bash (the default shell on Ubuntu) has a ls builtin. – Cristian Ciupitu Jun 02 '09 at 20:52

score 2 · Answer 3 · answered May 21 '09 at 20:27

2

This isn't specifically related to your problem, but if a system doesn't have /bin/ls installed (i.e., someone has deleted it), you can use:

echo *

to get a directory listing. I have had to use this before, and it's a lifesaver.

answered May 21 '09 at 20:27

Gavin McTaggart

1,846
16
14

score 1 · Answer 4 · answered May 21 '09 at 17:35

Here's the output of stat /bin/ls on my Ubuntu 8.04 server. Different size, so I would guess the file has been corrupted or replaced.

# stat /bin/ls
  File: `/bin/ls'
  Size: 106176          Blocks: 216        IO Block: 4096   regular file
Device: ca00h/51712d    Inode: 3631        Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2009-05-21 13:31:51.000000000 -0400
Modify: 2008-04-04 02:44:23.000000000 -0400
Change: 2008-05-29 17:14:25.000000000 -0400

score 0 · Answer 5 · answered Feb 27 '20 at 13:21

0

Sometimes when you navigate to folder that its environment don't use bash so you get this massage.

In order to have the commands ls, ll you need to run the command:

bash

Then you can use ls and ll

answered Feb 27 '20 at 13:21

RafaelJan

101
1

/bin/ls not found, even though it exists!

5 Answers5

Linked