Re: root unable to delete
From: Patrick "Duane" Dunston (duane@sukkha.info)
Date: 11/07/02
Date: Thu, 7 Nov 2002 14:55:04 -0500 (EST)
From: "Patrick \"Duane\" Dunston" <duane@sukkha.info>
To: security-discuss@linuxsecurity.com
The immutable bit may have been set.
chattr +i <file>
or
chattr -R +i <dir> (This would recursively apply the immutable bit to
every file and directory under <dir>)
The immutable bit doesn't allow files to be edited or deleted even as
root. To remove the bit run:
chattr -i <file>
or
chattr -R -i <dir>
That may be what the attacker did. At least one possibility. I knew
someone who got hacked and that is what the attacker did.
On Thu, 7 Nov 2002, Administrator wrote:
> Greetings All,
>
> I had a machine get hacked on RH 7.2
> Whoever did it made some changes to files
> and did something to the file that does not
> allow me to delete the file, when I am logged
> in as root and the file is owned by root and
> is in the group of root and is set as 755 .
> I can't even edit and save the changes to the
> file.
>
> Can someone tell me how they did it ?
>
> I have removed the machine and rebuilt it but
> I would love to know how it was done.
>
> Thanks all,
> Mike
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
>
>
-- duane
'People demand freedom of speech to make up for the freedom of thought which they avoid.' - Kierkegaard
http://www.linuxsecurity.com/feature_stories/feature_story-116.html
http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html -- Updated Version
http://www.linuxsecurity.com/feature_stories/feature_story-89.html
http://www.linuxsecurity.com/feature_stories/feature_story-88.html
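An added example, not part of the original message: a filter that reads `lsattr -R` output and reports every entry carrying the immutable bit described in the reply above. It goes slightly beyond the message by also reporting the append-only (`a`) attribute, which likewise blocks deletion. The function names `flagged_attrs` and `sample_lsattr` are hypothetical, and the sample listing is constructed.

```shell
# flagged_attrs: read `lsattr -R` output on stdin and print
# "<flags><TAB><path>" for each entry whose attribute field contains the
# immutable (i) or append-only (a) flag. Hypothetical helper name.
flagged_attrs() {
    awk '
        NF == 0 { next }                  # blank separators between directories
        {
            attrs = $1
            # A real attribute field holds only letters and dashes; this also
            # skips the "./dir:" section headers that -R prints.
            if (attrs !~ /^[A-Za-z-]+$/) next
            hit = ""
            # index() is case-sensitive: lowercase i is immutable, while
            # uppercase I (indexed directory) and A (no atime) are unrelated.
            if (index(attrs, "i")) hit = hit "i"
            if (index(attrs, "a")) hit = hit "a"
            if (hit == "") next
            path = $0
            sub(/^[^ ]+ +/, "", path)     # keep spaces inside the path
            print hit "\t" path
        }'
}

# Constructed sample of `lsattr -R` output (not taken from a real system).
sample_lsattr() {
    cat <<'EOF'
--------------e------- ./bin/ls
----i---------e------- ./bin/login

./etc:
----ia--------e------- ./etc/my file.conf
-----------I--e------- ./etc/rc.d

./var/log:
-----a--------e------- ./var/log/messages
EOF
}

# Demo on the constructed sample. On a live system, as root:
#   lsattr -Ra /etc /bin /sbin 2>/dev/null | flagged_attrs
sample_lsattr | flagged_attrs
```

Entries it reports can then be cleared with the `chattr -i` commands from the message once they have been recorded for the investigation.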