Re: Can't remove /etc/rc.d/init.d/sshd

From: Ralf Muschall (ralf@tecont.de)
Date: 06/19/02

• Next message: G. Ralph Kuntz, MD: "Q: restricted port-forwarding using OpenSSH"
• Previous message: Steve Smith: "Re: Installation of OpenSSH 3.2.3 on Red Hat Linux 6.2?"
• In reply to: those who know me have no need of my name: "Re: Can't remove /etc/rc.d/init.d/sshd"
• Next in thread: Bill Unruh: "Re: Can't remove /etc/rc.d/init.d/sshd"
• Reply: Bill Unruh: "Re: Can't remove /etc/rc.d/init.d/sshd"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Ralf Muschall <ralf@tecont.de>
Date: 19 Jun 2002 15:59:48 +0200

those who know me have no need of my name <not-a-real-address@usa.net> writes:

> if you didn't make all those files immutable you've probably been cracked.

This was my first thought as well, but the file in question is just a
shell script which causes the sshd to be started, so even a root kit
would not have much use from manipulating that.

If the filesystem *is* tampered, there is only one solution (besides
fdisk, mkfs, reinstall): mount it (ro,noexec) into another machine
(into a place where no scripts are sourced etc.) and compare the
checksums of all files.

Btw., why is it in /etc/rc.d/init.d/ ? Some distributions have
/etc/rc.d, others /etc/init.d, some have that stuff below /sbin,
and some of the names are just symlinks to the other variants.
Bu I have yet to see init.d *below* rc.d .

Ralf

-- 
GS d->? s:++>+++ a C++++ UL+++ UH++ P++ L++ E+++ W- N++ o-- K- w--- !O M- V-
PS+>++ PE Y+>++ PGP+ !t !5 !X !R !tv  b+++ DI+++ D?  G+ e++++ h+ r? y?

---

• Next message: G. Ralph Kuntz, MD: "Q: restricted port-forwarding using OpenSSH"
• Previous message: Steve Smith: "Re: Installation of OpenSSH 3.2.3 on Red Hat Linux 6.2?"
• In reply to: those who know me have no need of my name: "Re: Can't remove /etc/rc.d/init.d/sshd"
• Next in thread: Bill Unruh: "Re: Can't remove /etc/rc.d/init.d/sshd"
• Reply: Bill Unruh: "Re: Can't remove /etc/rc.d/init.d/sshd"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: [kde-linux] Mounting with exec flag ... I have a WD external drive and when I mount it through KDE, ... stuff), how can I tell it to mount this drive with the exec, flag? ... And I can copy a shell script to both devices and then execute ... (KDE) Re: Cant remove /etc/rc.d/init.d/sshd ... shell script which causes the sshd to be started, ... fdisk, mkfs, reinstall): mount it into another machine ... (comp.security.ssh) Re: automount usb flash drive? ... attach command on the umass* action. ... >> when I do the following command line command the usb flash drive mount fine ... unless you give it 777 permissions. ... > I found that making a one-line shell script to do the mounting is much ... (freebsd-questions) Re: Mounting external USB disk ... Note that a backup disk should only be mounted when its being accessed - ... The shell script needs to be a bit longer than three lines. ... minimum to check the termination codes output by mount, rsync and umount ... (uk.comp.os.linux) Re: [kde-linux] Mounting with exec flag ... I have a WD external drive and when I mount it through KDE, ... stuff), how can I tell it to mount this drive with the exec, flag? ... And I can copy a shell script to both devices and then execute ... (KDE)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.ssh  > 2002-06