--- Received from VITEUR.BUNTERMA 04 72 96 57 77 08/11/02 10.39
From the little knowledge I have of hacked machines the most common
element that was done was to install a root kit.
This piece of nastiness when installed does all sorts of things to help
the attacker manipulate the box. I have personally seen another root shell
started that was extremely difficult to find. What it actually masqueraded
as was another httpd line in a ps aux output - very clever.
So a root kit may have been installed onto your box. The attacker may or
may not know exactly what was done to take control: only the fact that
the root kit is controlling things for him (or her).
Try doing a search on root kits in Google, there are also several progs
out there that can discover root kits - once you know which one was used
you may be able to find the things it changes.
Rgs,
Matt
--------------------------------------------------------------------------
Date: Thu, 7 Nov 2002 14:55:04 -0500
Subject: Re: root unable to delete
The immutable bit may have been set.
chattr +i <file>
or
chattr -R +i <dir> (This would recursively apply the immutable bit to
every file and directory under <dir>)
The immutable bit doesn't allow files to be edited or deleted even as
root. To remove the bit run:
chattr -i <file>
or
chattr -R -i <dir>
That may be what the attacker did. At least one possibility. I knew
someone who got hacked and that is what the attacker did.
On Thu, 7 Nov 2002, Administrator wrote:
> Greetings All,
>
> I had a machine get hacked on RH 7.2
> Whoever did it made some changes to files
> and did something to the file that does not
> allow me to delete the file, when I am logged
> in as root and the file is owned by root and
> is in the group of root and is set as 755 .
> I can't even edit and save the changes to the
> file.
>
> Can someone tell me how they did it ?
>
> I have removed the machine and rebuilt it but
> I would love to know how it was done.
>
> Thanks all,
> Mike
>
>
>
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
>
>
--
duane
'People demand freedom of speech to make up for the freedom of thought
which they avoid.'
- Kierkegaard
http://www.linuxsecurity.com/feature_stories/feature_story-116.html
http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html --
Updated Version
http://www.linuxsecurity.com/feature_stories/feature_story-89.html
http://www.linuxsecurity.com/feature_stories/feature_story-88.html
---- 08/11/02 10.39 ---- Sent to -----------------------------------
-> security-discuss(a)linuxsecurity.com
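A way to check for the attribute described in the reply above, as an added example that is not part of the original thread: the function filters `lsattr -R` output down to entries carrying the immutable (`i`) or append-only (`a`) flag. The function names and sample paths are constructed, and the parsing assumes lsattr's "attribute field, space, path" line layout.

```shell
#!/bin/sh
# Added example (not from the thread). Typical use on a suspect tree, with an
# absolute path so directory header lines start with "/":
#   lsattr -R /etc /bin /sbin 2>/dev/null | flagged_from_lsattr

# Reads lsattr output on stdin; prints "<flags><TAB><path>" for every entry
# whose attribute field contains lowercase i (immutable) or a (append-only).
flagged_from_lsattr() {
    awk '
        # Entry lines look like "----i--------e-- /path"; blank lines and
        # "/dir:" headers do not begin with an attribute field.
        /^[-A-Za-z]+ / {
            attrs = $1
            path = substr($0, length(attrs) + 2)   # keeps spaces in the path
            hit = ""
            # Case matters: uppercase A (no atime) and I (indexed directory)
            # are unrelated flags and must not be reported.
            if (index(attrs, "i")) hit = "immutable"
            if (index(attrs, "a")) hit = hit (hit == "" ? "" : ",") "append-only"
            if (hit != "") printf "%s\t%s\n", hit, path
        }'
}

# Constructed sample of lsattr -R output, so the example runs offline.
sample_lsattr() {
    cat <<'EOF'
-------------e-- /srv/sample/index.html
----i--------e-- /srv/sample/locked.conf
-----a-------e-- /srv/sample/audit log
-------A-----eI- /srv/sample/uploads

/srv/sample/sub:
----ia-------e-- /srv/sample/sub/both.bin
EOF
}

sample_lsattr | flagged_from_lsattr
```

On a compromised host the lsattr binary itself may have been replaced, so run a known-good copy, for example from rescue media.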