Re:Root can't delete files

From: Nick Edens (nedens@checkerdist.com)
Date: 10/10/01


To: SECURITY-BASICS@SECURITYFOCUS.COM
From: "Nick Edens" <nedens@checkerdist.com>
Date: 10 Oct 2001 13:29:00 -0400
Subject: Re:Root can't delete files
Message-Id: <JA8AAAAAABkKuwABYQABVF9A4NhU@checkerdist.com>

It sounds to me like your intruder changed more than just the /bin/login file.
I would do an OS rebuild and only restore data from your tapes. That is assuming
that you make regular backups.

- Nick Edens
  Checker Distributors

"The weak have one weapon: the errors of those who think they are strong."
Georges Bidault (1899-1983); French resistance leader

Thanas (10/10/01 6:02 AM):
>Hi,
>
>After an intrusion in a Linux system (2.2) using (I suppose) a
>vulnerability in bind 8.2.2 I've experienced a strange behaviour:
>
>the attacker installed a corrupted version of /bin/login and when
>I typed:
>
># mv /safe/version/path/login /bin/login
>
>I just obtained the message 'Operation not permitted' ... How is
>it possible? I had to use low-level tools directly on the ext2
>filesystem to delete that file ...
>
>thanks


