TR: Root can't delete files

From: Tosoni (jean-pierre.tosoni@libertysurf.fr)
Date: 10/21/01


Message-ID: <01C159B5.E8B1BEC0@jp>
From: Tosoni <jean-pierre.tosoni@libertysurf.fr>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
Subject: TR: Root can't delete files
Date: Sat, 20 Oct 2001 22:23:51 +-200

Thanas wrote:
> I had already replaced the kernel (no module support now!) and everything under:
> /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

I have been trojaned twice in the beginning of this year with a rootkit that attacked /bin/login and other executables as well. Very similar to your problem.

I advise you that I found trojan files in some unexpected directories, namely /dev and /usr/lib.

I reloaded the whole O.S. so I am now "safe", but if you don't do that you MUST check for unexpected files and/or hidden files and directories in other places on your system. You could also establish a list of ALL your actual files and check it against the list of files you installed from archives.

My intruder also tampered with my RPM database, so don't rely too much on the validity of this. Check the update time of the RPM database as a first hint.

JP Tosoni
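The two checks Tosoni recommends (list everything actually on disk and compare it against what you installed, and look for hidden entries in places like /dev and /usr/lib), written out as an added example that is not part of the original post. The directory tree and manifest it builds are constructed for the demo, and the function names are my own; in practice you would point the functions at a manifest derived from your install archives and at the real directories.

```sh
#!/bin/sh
# Added example, not part of Tosoni's post: a defender-side check that lists
# files present on disk that are missing from a manifest of expected files,
# plus hidden (dot-prefixed) entries in directories that should have none.
# The sample tree below is constructed for the demo.
LC_ALL=C          # byte-wise sort order so sort and comm agree
export LC_ALL

# Print each regular file or symlink under DIR ($2) whose absolute path is not
# listed in MANIFEST ($1), one per line, sorted.
find_unlisted_files() {
    manifest="$1"
    dir="$2"
    actual=$(mktemp)
    expected=$(mktemp)
    find "$dir" \( -type f -o -type l \) -print | sort > "$actual"
    sort "$manifest" > "$expected"
    comm -23 "$actual" "$expected"     # lines only in the on-disk listing
    rm -f "$actual" "$expected"
}

# Print every entry under DIR ($1) whose name starts with a dot (excluding DIR
# itself), sorted. Rootkits have hidden their payload in such directories.
find_hidden_entries() {
    dir="$1"
    find "$dir" ! -path "$dir" -name '.*' -print | sort
}

# Build a small constructed tree under a temp dir: one hidden directory and
# one library that the manifest does not know about. Prints the root path;
# the fake filesystem lives in ROOT/tree, the manifest in ROOT/manifest.txt.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tree/dev/.hidden" "$root/tree/usr/lib"
    : > "$root/tree/dev/null"
    : > "$root/tree/dev/.hidden/kit"
    : > "$root/tree/usr/lib/libc.so.6"
    : > "$root/tree/usr/lib/libfoo.so"
    # The manifest is what we believe we installed from the archives.
    printf '%s\n' "$root/tree/dev/null" "$root/tree/usr/lib/libc.so.6" \
        > "$root/manifest.txt"
    echo "$root"
}

# Stand-alone demo: both functions report the two planted entries.
demo_root=$(build_sample_tree)
echo "Files not in manifest:"
find_unlisted_files "$demo_root/manifest.txt" "$demo_root/tree"
echo "Hidden entries:"
find_hidden_entries "$demo_root/tree"
rm -rf "$demo_root"
```

On an RPM-based system, `rpm -qf FILE` and `rpm -Va` can give a second opinion on which package owns a file and whether it has changed, but, as the post says, the RPM database itself can be tampered with, so the manifest should be built from the original archives or install media rather than from the running system.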