Re: Root can't delete files
From: William York (email@example.com)
Message-ID: <firstname.lastname@example.org>
Date: Wed, 10 Oct 2001 12:07:25 -0700 (PDT)
From: William York <email@example.com>
Subject: Re: Root can't delete files
To: Thanas <firstname.lastname@example.org>, Focus Linux <email@example.com>
> after an intrusion in a linux system (2.2) using (I suppose) a
> vulnerability in bind 8.2.2 I've experienced a strange behaviour:
I'd say it's time to upgrade to a later version of BIND.
> the attacker installed a corrupted version of /bin/login
If /bin/login is suspect, what makes you think the rest of the system
> and when I typed:
> # mv /safe/version/path/login /bin/login
> I just obtained the message 'Operation not permitted' ... How is
> it possible ? I had to use low level tools directly on the ext2
> filesystem to delete that file ...
Um, I'd look first at a corrupted version of 'rm', 'mv' and all other
executables. I would personally recommend that you back up critical
data and baseline the system, making sure that you change all
passwords along the way. Once the system has been compromised once,
especially as 'root', it's very hard and very tedious to repair it.
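
One way to carry out the check suggested in the reply above, as an added example that is not part of the original message: compare each binary on the suspect system against a known-good copy, byte for byte. It assumes a trusted reference directory (such as the poster's /safe/version/path) and that the script is run from trusted media with the suspect filesystem mounted read-only, since the compromised host's own `cmp` and shell are themselves in doubt; `compare_tree` and the demo file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# compare_tree TRUSTED_DIR SUSPECT_DIR
# Prints one line per regular file in TRUSTED_DIR: OK, MODIFIED or MISSING.
# Returns 0 when every file matches, 1 otherwise.
compare_tree() {
    trusted=$1
    suspect=$2
    status=0
    for ref in "$trusted"/*; do
        [ -f "$ref" ] || continue          # skip directories and empty globs
        name=${ref##*/}
        target=$suspect/$name
        if [ ! -e "$target" ]; then
            echo "MISSING  $name"
            status=1
        elif cmp -s "$ref" "$target"; then  # byte-for-byte comparison
            echo "OK       $name"
        else
            echo "MODIFIED $name"
            status=1
        fi
    done
    return $status
}

# Demo on constructed data: stand-in files, not real binaries.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/trusted" "$d/suspect"
    for f in login mv rm; do
        printf 'known-good %s\n' "$f" > "$d/trusted/$f"
    done
    cp "$d/trusted/mv" "$d/suspect/mv"                  # untouched
    printf 'replaced login\n' > "$d/suspect/login"      # altered copy
    # rm is left out of the suspect tree on purpose
    rc=0
    compare_tree "$d/trusted" "$d/suspect" || rc=$?
    echo "exit status: $rc"
    rm -rf "$d"
}

demo
```

A non-zero exit status means at least one file differs from or is absent in the suspect tree, which supports the reply's recommendation to back up data and rebuild from a baseline.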