4

I have this folder containing only two files. If I use root and cd to that folder, ls would get stuck. However, ls runs correctly when I log in as a common user, or ls from parent folder like ls file_ffmpeg/. If I moved these two files to another folder, the destination folder could not be listed anymore. These two files are just normal executables and could run from this or another machine.

It's not because of the alias as the problem is still there if I run /bin/ls.

dir works well with any of these folders.

The output of strace ls looks like this, the read call repeats continuously.

access("/home/user/file_ffmpeg/ffmpeg_g", W_OK|X_OK) = 0
stat("/home/user/file_ffmpeg/ffmpeg_g", {st_mode=S_IFREG|0755, st_size=135862848, ...}) = 0
mmap(NULL, 135864320, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67c5622000
openat(AT_FDCWD, "/home/user/file_ffmpeg/ffmpeg_g", O_RDONLY) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20h\32\0\0\0\0\0"..., 135862848) = 135862848
read(5, "", 135862848)                  = 0
close(5)                                = 0
openat(AT_FDCWD, "/home/user/file_ffmpeg/ffmpeg_g", O_RDWR) = 5
fstat(5, {st_mode=S_IFREG|0755, st_size=135862848, ...}) = 0
mmap(NULL, 135864320, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67bd490000
read(5, "\177", 1)                      = 1
read(5, "E", 1)                         = 1
...
...

UPDATE:

Not only the root user has issues. A regular user also cannot list the /tmp (again, ls /tmp works).

I have tried to reinstall ls in case it is cracked.

The full output is as follows:

execve("/usr/bin/ls", ["ls"], 0x7ffc8cb0bf70 /* 39 vars */) = 0
brk(NULL)                               = 0x559dfe614000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff6daba8e0) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/haswell/avx512_1/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/haswell/avx512_1/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/haswell/avx512_1/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/haswell/avx512_1", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/haswell/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/haswell", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/avx512_1/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/avx512_1/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/avx512_1/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/avx512_1", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/tls", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/haswell/avx512_1/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/haswell/avx512_1/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/haswell/avx512_1/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/haswell/avx512_1", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/haswell/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/haswell", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/avx512_1/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/avx512_1/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/avx512_1/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/avx512_1", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/lib/x86_64-linux-gnu/x86_64", 0x7fff6dab9b30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300A\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\7\2C\n\357_\243\335\2449\206V>\237\374\304"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029592, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6175bec000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\7\2C\n\357_\243\335\2449\206V>\237\374\304"..., 68, 880) = 68
mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f61759fa000
mmap(0x7f6175a1c000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7f6175a1c000
mmap(0x7f6175b94000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19a000) = 0x7f6175b94000
mmap(0x7f6175be2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f6175be2000
mmap(0x7f6175be8000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6175be8000
close(3)                                = 0
arch_prctl(ARCH_SET_FS, 0x7f6175bed540) = 0
mprotect(0x7f6175be2000, 16384, PROT_READ) = 0
mprotect(0x559dfd6de000, 4096, PROT_READ) = 0
mprotect(0x7f6175c1b000, 4096, PROT_READ) = 0
brk(NULL)                               = 0x559dfe614000
brk(0x559dfe635000)                     = 0x559dfe635000
openat(AT_FDCWD, "/proc/self/exe", O_RDONLY) = 3
lseek(3, 8407, SEEK_SET)                = 8407
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=20480, ...}) = 0
getpid()                                = 17614
lstat("/tmp/file0wWdm6", 0x7fff6dab7f20) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/file0wWdm6", O_RDWR|O_CREAT|O_TRUNC, 0700) = 4
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320g\0\0\0\0\0\0"..., 8192) = 8192
write(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320g\0\0\0\0\0\0"..., 8192) = 8192
read(3, "\10\0\0\0\0\0\0\0\243\231\1\0\0\0\0\0\230\"\2\0\0\0\0\0\10\0\0\0\0\0\0\0"..., 8192) = 8192
write(4, "\10\0\0\0\0\0\0\0\243\231\1\0\0\0\0\0\230\"\2\0\0\0\0\0\10\0\0\0\0\0\0\0"..., 8192) = 8192
read(3, "\363\17\36\372H\203\354\10H\213\5\311\357\1\0H\205\300t\2\377\320H\203\304\10\303\0\0\0\0\0"..., 8192) = 8192
write(4, "\363\17\36\372H\203\354\10H\213\5\311\357\1\0H\205\300t\2\377\320H\203\304\10\303\0\0\0\0\0"..., 8192) = 8192
read(3, "B9\1\0L\215|$5\353\31\17\37D\0\0H\203\303\1H\215\5e\310\1\0H\2134\330H"..., 8192) = 8192
write(4, "B9\1\0L\215|$5\353\31\17\37D\0\0H\203\303\1H\215\5e\310\1\0H\2134\330H"..., 8192) = 8192
read(3, "\1\0\0t#H\213u\0H\213;\272\1\0\0\0H\213\rp\262\1\0H\203\304\10[]\351\255"..., 8192) = 8192
write(4, "\1\0\0t#H\213u\0H\213;\272\1\0\0\0H\213\rp\262\1\0H\203\304\10[]\351\255"..., 8192) = 8192
read(3, "E1\3551\333E\211\376\353.f\17\37D\0\0L\211\355H\205\333\17\205\304\0\0\0H\211\356L"..., 8192) = 8192
write(4, "E1\3551\333E\211\376\353.f\17\37D\0\0L\211\355H\205\333\17\205\304\0\0\0H\211\356L"..., 8192) = 8192
read(3, "\270\377\377\377\377\303f.\17\37\204\0\0\0\0\0\363\17\36\372H\213G`H\211\362H9F`\177"..., 8192) = 8192
write(4, "\270\377\377\377\377\303f.\17\37\204\0\0\0\0\0\363\17\36\372H\213G`H\211\362H9F`\177"..., 8192) = 8192
read(3, "\200=\311c\1\0\0H\211\303t\35\2038 u\30H\213=\250R\1\0\350S\222\0\0\205\300u"..., 8192) = 8192
write(4, "\200=\311c\1\0\0H\211\303t\35\2038 u\30H\213=\250R\1\0\350S\222\0\0\205\300u"..., 8192) = 8192
read(3, "L\2138I\211\304L\211\377\350\262H\377\377\272\1\0\0\0I\211\306H\203\350\1H\203\370\20H\215"..., 8192) = 8192
write(4, "L\2138I\211\304L\211\377\350\262H\377\377\272\1\0\0\0I\211\306H\203\350\1H\203\370\20H\215"..., 8192) = 8192
read(3, "\0\0\0\270 %\0\0E1\377f\211\204$\253\0\0\0D\210\214$\255\0\0\0I\211\330A\211"..., 8192) = 8192
write(4, "\0\0\0\270 %\0\0E1\377f\211\204$\253\0\0\0D\210\214$\255\0\0\0I\211\330A\211"..., 8192) = 8192
read(3, "$@L\211\333@\210\254$\206\0\0\0H\211\375H\213D$@H\213|$HH\211\332L\211\341"..., 8192) = 8192
write(4, "$@L\211\333@\210\254$\206\0\0\0H\211\375H\213D$@H\213|$HH\211\332L\211\341"..., 8192) = 8192
read(3, "\0\276\0\4\0\0\277\10\0\0\0E1\300f\220H\211\320H\367\346\17\200:\2\0\0H\211\302\203"..., 8192) = 8192
write(4, "\0\276\0\4\0\0\277\10\0\0\0E1\300f\220H\211\320H\367\346\17\200:\2\0\0H\211\302\203"..., 8192) = 8192
read(3, "\1\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192) = 8192
write(4, "\1\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 8192) = 8192
read(3, "nongraphic characters\n\0\0      --"..., 8192) = 8192
write(4, "nongraphic characters\n\0\0      --"..., 8192) = 8192
read(3, "%H:%M:%S\0%m/%d/%y\0%Y-%m-%d\0\0\274h\377\377"..., 8192) = 8192
write(4, "%H:%M:%S\0%m/%d/%y\0%Y-%m-%d\0\0\274h\377\377"..., 8192) = 8192
read(3, "U\16\30B\16\20B\16\10\0\0\0\20\0\0\0\230\4\0\0L\230\376\3776\0\0\0\0\0\0\0"..., 8192) = 8192
write(4, "U\16\30B\16\20B\16\10\0\0\0\20\0\0\0\230\4\0\0L\230\376\3776\0\0\0\0\0\0\0"..., 8192) = 8192
read(3, " P\377\377\27\0\0\0\0\0\0\0\20\0\0\0\230$\0\0,P\377\377\34\0\0\0\0\0\0\0"..., 8192) = 8192
write(4, " P\377\377\27\0\0\0\0\0\0\0\20\0\0\0\230$\0\0,P\377\377\34\0\0\0\0\0\0\0"..., 8192) = 8192
read(3, "\0\0\0\0\0\0\0\0\0100\2\0\0\0\0\0\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0"..., 8192) = 2880
write(4, "\0\0\0\0\0\0\0\0\0100\2\0\0\0\0\0\1\0\0\0\377\377\377\377\1\0\0\0\0\0\0\0"..., 2880) = 2880
read(3, "", 8192)                       = 0
close(4)                                = 0
openat(AT_FDCWD, "/etc/cron.hourly/0", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EPERM (Operation not permitted)
getcwd("/tmp", 1024)                    = 5
openat(AT_FDCWD, "/tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|S_ISVTX|0777, st_size=20480, ...}) = 0
getdents64(4, /* 375 entries */, 32768) = 12448
openat(AT_FDCWD, "/tmp/.", O_RDONLY)    = 5
read(5, 0x7fff6dab8073, 5)              = -1 EISDIR (Is a directory)
close(5)                                = 0
openat(AT_FDCWD, "/tmp/..", O_RDONLY)   = 5
read(5, 0x7fff6dab8073, 5)              = -1 EISDIR (Is a directory)
close(5)                                = 0
openat(AT_FDCWD, "/tmp/filemg9jso", O_RDONLY) = 5
read(5, "\177ELF\2", 5)                 = 5
close(5)                                = 0
access("/tmp/filemg9jso", W_OK|X_OK)    = 0
stat("/tmp/filemg9jso", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/filemg9jso", O_RDONLY) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/filepGxGdQ", O_RDONLY) = 6
read(6, "\177ELF\2", 5)                 = 5
close(6)                                = 0
access("/tmp/filepGxGdQ", W_OK|X_OK)    = 0
stat("/tmp/filepGxGdQ", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f61759d5000
openat(AT_FDCWD, "/tmp/filepGxGdQ", O_RDONLY) = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/fileZTNP5n", O_RDONLY) = 7
read(7, "\177ELF\2", 5)                 = 5
close(7)                                = 0
access("/tmp/fileZTNP5n", W_OK|X_OK)    = 0
stat("/tmp/fileZTNP5n", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f61759b0000
openat(AT_FDCWD, "/tmp/fileZTNP5n", O_RDONLY) = 7
read(7, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/file81oWB1", O_RDONLY) = 8
read(8, "\177ELF\2", 5)                 = 5
close(8)                                = 0
access("/tmp/file81oWB1", W_OK|X_OK)    = 0
stat("/tmp/file81oWB1", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f617598b000
openat(AT_FDCWD, "/tmp/file81oWB1", O_RDONLY) = 8
read(8, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/fileiYtvcc", O_RDONLY) = 9
read(9, "\177ELF\2", 5)                 = 5
close(9)                                = 0
access("/tmp/fileiYtvcc", W_OK|X_OK)    = 0
stat("/tmp/fileiYtvcc", {st_mode=S_IFREG|0700, st_size=17913, ...}) = 0
openat(AT_FDCWD, "/tmp/fileiYtvcc", O_RDONLY) = 9
read(9, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 17913) = 17913
openat(AT_FDCWD, "/tmp/file1IeJ1N", O_RDONLY) = 10
read(10, "\177ELF\2", 5)                = 5
close(10)                               = 0
access("/tmp/file1IeJ1N", W_OK|X_OK)    = 0
stat("/tmp/file1IeJ1N", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6175966000
openat(AT_FDCWD, "/tmp/file1IeJ1N", O_RDONLY) = 10
read(10, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/file9holJ2", O_RDONLY) = 11
read(11, "\177ELF\2", 5)                = 5
close(11)                               = 0
access("/tmp/file9holJ2", W_OK|X_OK)    = 0
stat("/tmp/file9holJ2", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
brk(0x559dfe656000)                     = 0x559dfe656000
openat(AT_FDCWD, "/tmp/file9holJ2", O_RDONLY) = 11
read(11, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/fileeNZAS8", O_RDONLY) = 12
read(12, "\177ELF\2", 5)                = 5
close(12)                               = 0
access("/tmp/fileeNZAS8", W_OK|X_OK)    = 0
stat("/tmp/fileeNZAS8", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/fileeNZAS8", O_RDONLY) = 12
read(12, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/files07Pma", O_RDONLY) = 13
read(13, "\177ELF\2", 5)                = 5
close(13)                               = 0
access("/tmp/files07Pma", W_OK|X_OK)    = 0
stat("/tmp/files07Pma", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
openat(AT_FDCWD, "/tmp/files07Pma", O_RDONLY) = 13
read(13, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/filetz6D1g", O_RDONLY) = 14
read(14, "\177ELF\2", 5)                = 5
close(14)                               = 0
access("/tmp/filetz6D1g", W_OK|X_OK)    = 0
stat("/tmp/filetz6D1g", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/filetz6D1g", O_RDONLY) = 14
read(14, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/file5KmecB", O_RDONLY) = 15
read(15, "\177ELF\2", 5)                = 5
close(15)                               = 0
access("/tmp/file5KmecB", W_OK|X_OK)    = 0
stat("/tmp/file5KmecB", {st_mode=S_IFREG|0700, st_size=34843, ...}) = 0
brk(0x559dfe67a000)                     = 0x559dfe67a000
openat(AT_FDCWD, "/tmp/file5KmecB", O_RDONLY) = 15
read(15, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 34843) = 34843
openat(AT_FDCWD, "/tmp/fileQeHte6", O_RDONLY) = 16
read(16, "\177ELF\2", 5)                = 5
close(16)                               = 0
access("/tmp/fileQeHte6", W_OK|X_OK)    = 0
stat("/tmp/fileQeHte6", {st_mode=S_IFREG|0700, st_size=137107, ...}) = 0
mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6175944000
openat(AT_FDCWD, "/tmp/fileQeHte6", O_RDONLY) = 16
read(16, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 137107) = 137107
openat(AT_FDCWD, "/tmp/file1meLuJ", O_RDONLY) = 17
read(17, "\177ELF\2", 5)                = 5
close(17)                               = 0
access("/tmp/file1meLuJ", W_OK|X_OK)    = 0
stat("/tmp/file1meLuJ", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f617591f000
openat(AT_FDCWD, "/tmp/file1meLuJ", O_RDONLY) = 17
read(17, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/file1dQYjt", O_RDONLY) = 18
read(18, "\177ELF\2", 5)                = 5
close(18)                               = 0
access("/tmp/file1dQYjt", W_OK|X_OK)    = 0
stat("/tmp/file1dQYjt", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/file1dQYjt", O_RDONLY) = 18
read(18, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/fileI1W6Nq", O_RDONLY) = 19
read(19, "\177ELF\2", 5)                = 5
close(19)                               = 0
access("/tmp/fileI1W6Nq", W_OK|X_OK)    = 0
stat("/tmp/fileI1W6Nq", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f61758fa000
openat(AT_FDCWD, "/tmp/fileI1W6Nq", O_RDONLY) = 19
read(19, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/filerQFEUv", O_RDONLY) = 20
read(20, "\177ELF\2", 5)                = 5
close(20)                               = 0
access("/tmp/filerQFEUv", W_OK|X_OK)    = 0
stat("/tmp/filerQFEUv", {st_mode=S_IFREG|0700, st_size=34843, ...}) = 0
openat(AT_FDCWD, "/tmp/filerQFEUv", O_RDONLY) = 20
read(20, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 34843) = 34843
openat(AT_FDCWD, "/tmp/file8eNg5u", O_RDONLY) = 21
read(21, "\177ELF\2", 5)                = 5
close(21)                               = 0
access("/tmp/file8eNg5u", W_OK|X_OK)    = 0
stat("/tmp/file8eNg5u", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
openat(AT_FDCWD, "/tmp/file8eNg5u", O_RDONLY) = 21
read(21, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/fileAaCETZ", O_RDONLY) = 22
read(22, "\177ELF\2", 5)                = 5
close(22)                               = 0
access("/tmp/fileAaCETZ", W_OK|X_OK)    = 0
stat("/tmp/fileAaCETZ", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f61758d5000
openat(AT_FDCWD, "/tmp/fileAaCETZ", O_RDONLY) = 22
read(22, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/fileu39k8G", O_RDONLY) = 23
read(23, "\177ELF\2", 5)                = 5
close(23)                               = 0
access("/tmp/fileu39k8G", W_OK|X_OK)    = 0
stat("/tmp/fileu39k8G", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f61758b0000
openat(AT_FDCWD, "/tmp/fileu39k8G", O_RDONLY) = 23
read(23, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/fileCSbmgQ", O_RDONLY) = 24
read(24, "\177ELF\2", 5)                = 5
close(24)                               = 0
access("/tmp/fileCSbmgQ", W_OK|X_OK)    = 0
stat("/tmp/fileCSbmgQ", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
brk(0x559dfe6a6000)                     = 0x559dfe6a6000
openat(AT_FDCWD, "/tmp/fileCSbmgQ", O_RDONLY) = 24
read(24, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/file5WYgAu", O_RDONLY) = 25
read(25, "\177ELF\2", 5)                = 5
close(25)                               = 0
access("/tmp/file5WYgAu", W_OK|X_OK)    = 0
stat("/tmp/file5WYgAu", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
openat(AT_FDCWD, "/tmp/file5WYgAu", O_RDONLY) = 25
read(25, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/fileTPFUEg", O_RDONLY) = 26
read(26, "\177ELF\2", 5)                = 5
close(26)                               = 0
access("/tmp/fileTPFUEg", W_OK|X_OK)    = 0
stat("/tmp/fileTPFUEg", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f617588b000
openat(AT_FDCWD, "/tmp/fileTPFUEg", O_RDONLY) = 26
read(26, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/fileqDWPvS", O_RDONLY) = 27
read(27, "\177ELF\2", 5)                = 5
close(27)                               = 0
access("/tmp/fileqDWPvS", W_OK|X_OK)    = 0
stat("/tmp/fileqDWPvS", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/fileqDWPvS", O_RDONLY) = 27
read(27, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/ld.so.cache", O_RDONLY) = 28
read(28, "glibc", 5)                    = 5
close(28)                               = 0
openat(AT_FDCWD, "/tmp/filevcqTnX", O_RDONLY) = 28
read(28, "\177ELF\2", 5)                = 5
close(28)                               = 0
access("/tmp/filevcqTnX", W_OK|X_OK)    = 0
stat("/tmp/filevcqTnX", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6175866000
openat(AT_FDCWD, "/tmp/filevcqTnX", O_RDONLY) = 28
read(28, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/fileZy2uFJ", O_RDONLY) = 29
read(29, "\177ELF\2", 5)                = 5
close(29)                               = 0
access("/tmp/fileZy2uFJ", W_OK|X_OK)    = 0
stat("/tmp/fileZy2uFJ", {st_mode=S_IFREG|0700, st_size=150551, ...}) = 0
mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6175841000
openat(AT_FDCWD, "/tmp/fileZy2uFJ", O_RDONLY) = 29
read(29, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 150551) = 150551
openat(AT_FDCWD, "/tmp/file0y6tiV", O_RDONLY) = 30
read(30, "\177ELF\2", 5)                = 5
close(30)                               = 0
access("/tmp/file0y6tiV", W_OK|X_OK)    = 0
stat("/tmp/file0y6tiV", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
brk(0x559dfe6c8000)                     = 0x559dfe6c8000
openat(AT_FDCWD, "/tmp/file0y6tiV", O_RDONLY) = 30
read(30, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/fileF34Tj7", O_RDONLY) = 31
read(31, "\177ELF\2", 5)                = 5
close(31)                               = 0
access("/tmp/fileF34Tj7", W_OK|X_OK)    = 0
stat("/tmp/fileF34Tj7", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
openat(AT_FDCWD, "/tmp/fileF34Tj7", O_RDONLY) = 31
read(31, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/fileOPIKu7", O_RDONLY) = 32
read(32, "\177ELF\2", 5)                = 5
close(32)                               = 0
access("/tmp/fileOPIKu7", W_OK|X_OK)    = 0
stat("/tmp/fileOPIKu7", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/fileOPIKu7", O_RDONLY) = 32
read(32, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/fileMd3G5o", O_RDONLY) = 33
read(33, "\177ELF\2", 5)                = 5
close(33)                               = 0
access("/tmp/fileMd3G5o", W_OK|X_OK)    = 0
stat("/tmp/fileMd3G5o", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/fileMd3G5o", O_RDONLY) = 33
read(33, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/fileBdmsiM", O_RDONLY) = 34
read(34, "\177ELF\2", 5)                = 5
close(34)                               = 0
access("/tmp/fileBdmsiM", W_OK|X_OK)    = 0
stat("/tmp/fileBdmsiM", {st_mode=S_IFREG|0700, st_size=55855, ...}) = 0
brk(0x559dfe6f1000)                     = 0x559dfe6f1000
openat(AT_FDCWD, "/tmp/fileBdmsiM", O_RDONLY) = 34
read(34, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 55855) = 55855
openat(AT_FDCWD, "/tmp/fileMWQQGM", O_RDONLY) = 35
read(35, "\177ELF\2", 5)                = 5
close(35)                               = 0
access("/tmp/fileMWQQGM", W_OK|X_OK)    = 0
stat("/tmp/fileMWQQGM", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/fileMWQQGM", O_RDONLY) = 35
read(35, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/fileAzhrpY", O_RDONLY) = 36
read(36, "\177ELF\2", 5)                = 5
close(36)                               = 0
access("/tmp/fileAzhrpY", W_OK|X_OK)    = 0
stat("/tmp/fileAzhrpY", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/fileAzhrpY", O_RDONLY) = 36
read(36, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/.X11-unix", O_RDONLY) = 37
read(37, 0x7fff6dab8073, 5)             = -1 EISDIR (Is a directory)
close(37)                               = 0
openat(AT_FDCWD, "/tmp/file5gt0CK", O_RDONLY) = 37
read(37, "\177ELF\2", 5)                = 5
close(37)                               = 0
access("/tmp/file5gt0CK", W_OK|X_OK)    = 0
stat("/tmp/file5gt0CK", {st_mode=S_IFREG|0700, st_size=34843, ...}) = 0
openat(AT_FDCWD, "/tmp/file5gt0CK", O_RDONLY) = 37
read(37, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 34843) = 34843
openat(AT_FDCWD, "/tmp/filezfYo5F", O_RDONLY) = 38
read(38, "\177ELF\2", 5)                = 5
close(38)                               = 0
access("/tmp/filezfYo5F", W_OK|X_OK)    = 0
stat("/tmp/filezfYo5F", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
openat(AT_FDCWD, "/tmp/filezfYo5F", O_RDONLY) = 38
read(38, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/filen1mS0z", O_RDONLY) = 39
read(39, "\177ELF\2", 5)                = 5
close(39)                               = 0
access("/tmp/filen1mS0z", W_OK|X_OK)    = 0
stat("/tmp/filen1mS0z", {st_mode=S_IFREG|0700, st_size=27231, ...}) = 0
brk(0x559dfe715000)                     = 0x559dfe715000
openat(AT_FDCWD, "/tmp/filen1mS0z", O_RDONLY) = 39
read(39, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\23\0\0\0\0\0\0"..., 27231) = 27231
openat(AT_FDCWD, "/tmp/fileqf6kOG", O_RDONLY) = 40
read(40, "\177ELF\2", 5)                = 5
close(40)                               = 0
access("/tmp/fileqf6kOG", W_OK|X_OK)    = 0
stat("/tmp/fileqf6kOG", {st_mode=S_IFREG|0700, st_size=142144, ...}) = 0
mmap(NULL, 143360, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f617581e000
openat(AT_FDCWD, "/tmp/fileqf6kOG", O_RDONLY) = 40
read(40, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320g\0\0\0\0\0\0"..., 142144) = 142144
read(40, "", 142144)                    = 0
close(40)                               = 0
openat(AT_FDCWD, "/tmp/fileqf6kOG", O_RDWR) = 40
fstat(40, {st_mode=S_IFREG|0700, st_size=142144, ...}) = 0
mmap(NULL, 143360, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f61757fb000
read(40, "\177", 1)                     = 1
read(40, "E", 1)                        = 1
read(40, "L", 1)                        = 1
read(40, "F", 1)                        = 1
...
...
10
  • 3
    Do you have anything in env | grep LD_, or just to be sure, grep -az LD_ /proc/environ? Normally ls is not supposed to open files in the first place, so this makes me suspect that either your /bin/ls has been replaced with an off-brand version, or there is an LD_PRELOAD injecting extra code.
    Commented Jun 17 at 7:13
  • 2
    @grawity_u1686 The output is like this: find library=libc.so.6 [0]; searching search cache=/etc/ld.so.cache trying file=/lib/x86_64-linux-gnu/libc.so.6 find library=libdl.so.2 [0]; searching search cache=/etc/ld.so.cache trying file=/lib/x86_64-linux-gnu/libdl.so.2 calling init: /lib/x86_64-linux-gnu/libc.so.6 calling init: /lib/x86_64-linux-gnu/libdl.so.2 calling init: /lib64/libprocessz.so Looks like libprocessz.so is a virus. I may have to reinstall the OS. :(
    – leetom
    Commented Jun 17 at 8:50
  • 1
    @grawity_u1686 Other binaries also have the same problem. I removed /etc/ld.so.preload, /etc/ld.so.cache and libprocessz.so etc, but ls still won't work properly. I am wondering if glibc.so is modified.
    – leetom
    Commented Jun 17 at 9:10
  • 3
    What does echo * (poor-man's ls) say in that directory?
    – jcaron
    Commented Jun 17 at 15:23
  • 3
    It's kind of scary that you've discovered this only because the malware author had a bug in his implementation of ls that caused this issue.
    – slebetman
    Commented Jun 18 at 7:39

1 Answer

16

At this point I think it's safe to conclude that you've got some form of rootkit on your system.

That is, you're running an "improved" version of ls that has been patched to hide the rootkit's own files from view (which is probably why it attempts to open the binaries – I suspect it tries to check whether they're the ones that should become invisible).

In your case, it also appears to be trying to re-deploy itself every time you run it (just in case you were trying to remove it from the system). Take a look at sed -n l /etc/cron.daily/0 to see if it has installed any unusual cron jobs.

3
  • there are other ls implementations like BSD ls or lsd, and imgls in case of iterm2
    – phuclv
    Commented Jun 17 at 9:29
  • 3
    There are, but I'm not going to enumerate all 200+ of them when that's not really the point in the first place – it was a generic suggestion for bypassing the tampered-with ls (to look around before reinstalling), not a claim that coreutils is the only ls in existence.
    Commented Jun 17 at 9:31
  • On a modern system you can try /usr//lib/klibc/bin/ls which is already present.
    – Joshua
    Commented Jun 17 at 20:23
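
Added example (not part of the question, the answer or the comments): a Python check that reads an strace log of ls and flags the behaviours visible in the question's trace, namely reading /proc/self/exe, opening files for writing, trying to create a cron file, and opening the entries of the directory being listed. The sample trace is constructed to mirror those lines, and the finding names are this example's own.

```python
import posixpath
import re

# Matches open()/openat(AT_FDCWD, ...) lines as printed by strace.
OPEN_RE = re.compile(
    r'(?:openat\(AT_FDCWD, |open\()"(?P<path>[^"]*)", '
    r'(?P<flags>[A-Z_|]+)(?:, 0\d+)?\)\s*=\s*(?P<ret>-?\d+)'
)

# A directory lister has no reason to open anything with these flags.
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

# Constructed sample, shaped like the strace output in the question.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/proc/self/exe", O_RDONLY) = 3
openat(AT_FDCWD, "/tmp/fileAAAAAA", O_RDWR|O_CREAT|O_TRUNC, 0700) = 4
openat(AT_FDCWD, "/etc/cron.hourly/0", O_RDWR|O_CREAT|O_TRUNC, 0666) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
getdents64(4, /* 3 entries */, 32768) = 80
openat(AT_FDCWD, "/tmp/fileBBBBBB", O_RDONLY) = 5
openat(AT_FDCWD, "/tmp/fileBBBBBB", O_RDWR) = 5
"""

# Constructed sample of an unremarkable listing of the current directory.
CLEAN_TRACE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
getdents64(3, /* 5 entries */, 32768) = 144
"""


def parse_opens(trace):
    """Yield (line number, path, flag set, return value) for each open call."""
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = OPEN_RE.search(line)
        if m:
            yield lineno, m["path"], set(m["flags"].split("|")), int(m["ret"])


def analyze_ls_trace(trace):
    """Return (line number, finding, path) tuples for opens ls should not make."""
    opens = list(parse_opens(trace))
    # Directories actually being listed: opened successfully with O_DIRECTORY.
    listed = {
        posixpath.normpath(path)
        for _, path, flags, ret in opens
        if "O_DIRECTORY" in flags and ret >= 0
    }
    findings = []
    for lineno, path, flags, ret in opens:
        if "O_DIRECTORY" in flags:
            continue  # opening the directory itself is the expected behaviour
        if path == "/proc/self/exe":
            # The process reads its own image, as seen before the copy to /tmp.
            findings.append((lineno, "self-read", path))
        elif flags & WRITE_FLAGS:
            # Failed attempts (e.g. EPERM) are reported too: intent matters.
            kind = "persistence-write" if path.startswith("/etc/cron") else "write-open"
            findings.append((lineno, kind, path))
        elif posixpath.dirname(posixpath.normpath(path)) in listed:
            # Listing needs getdents64 plus stat/lstat, not the file contents.
            findings.append((lineno, "entry-read", path))
    return findings


if __name__ == "__main__":
    for lineno, kind, path in analyze_ls_trace(SAMPLE_TRACE):
        print(f"line {lineno}: {kind}: {path}")
```

Capture the log with a tracer and interpreter copied from known-good media, since tools on the affected host load the same preloaded library.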
