Re: Can't remove file as root

From: Michael Heiming (michael+USENET@heiming.de)
Date: 02/23/02


From: Michael Heiming <michael+USENET@heiming.de>
Date: Sat, 23 Feb 2002 16:56:20 +0100


[Follow-up corrected]

Bob Lawson (<3c77b11a.358357950@news.cogeco.ca>):

> On Sat, 23 Feb 2002 13:29:33 +0100, Teddy <bla@bla.bla> wrote:
>
>>I have the problem, that I can't remove a file as root anymore,
>>and I don't know why. The file was replaced by a hacker.
>>
>>root@host:/bin # ls -l ps
>>-rwxr-xr-x 1 root root 13583 Feb 9 01:04 ps
>>root@host:/bin # rm ps
>>rm: remove `ps', overriding mode 0755? y
>>rm: ps: Operation not permitted
>>root@host:/bin # chmod 0700 ps
>>chmod: ps: Operation not permitted
>>
>>Thanks for Help
>>
>>Teddy
>
> To be totally sure you must reinstall/recover from backups.
>
> It sounds like they might have changed the userid of root, so
> although you are logging in as root you do not have root
> permissions. Root might have been changed to another user.
>
> Check the password file for this. You can fix it by booting off
> the emergency boot diskette and editing the password file.

Nope, there is no simple fix other than reinstall from scratch,
applying the latest security patches from your distro, shutting
down unneeded services and setting up a firewall, before bringing
the box online again.

Please check the URL I already posted to this thread.

5.6) I've been compromised, what should I do?
http://www.linuxsecurity.com/docs/colsfaq.html#5.6

> Bob Lawson
> Parkridge Consulting
> Innovative Unix & Linux Solutions
> Visit us at www.parkridge.on.ca
> blawson@parkridge.on.ca

Michael Heiming

--
Remove the +SIGNS case mail bounces.
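
The password-file check suggested in the quoted reply, written out as an added example that is not part of the original posts: it reports whether the entry named root still has UID 0 and whether any other account has been given UID 0. The function name `audit_passwd` and the sample entries are constructed for illustration; on a suspect box the file would be read from rescue media (for instance a mounted copy such as /mnt/etc/passwd, an assumed path) rather than from the running system.

```shell
#!/bin/sh
# audit_passwd FILE   (hypothetical helper; "-" reads standard input)
# Prints one finding per line; prints nothing when root is the only UID 0 entry.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^[ \t]*#/ { next }           # skip blank and comment lines
        NF != 7 {                                   # passwd entries have 7 fields
            printf "MALFORMED line %d: %d fields\n", NR, NF; next
        }
        $3 !~ /^[0-9]+$/ {                          # UID must be a plain number
            printf "MALFORMED line %d: uid \"%s\"\n", NR, $3; next
        }
        $1 == "root" {
            seen_root++
            if ($3 + 0 != 0)                        # root no longer maps to UID 0
                printf "ROOT_UID_CHANGED root has uid %s\n", $3
        }
        $1 != "root" && $3 + 0 == 0 {               # a second superuser account
            printf "EXTRA_UID0 %s has uid 0\n", $1
        }
        END {
            if (seen_root == 0) print "ROOT_MISSING no entry named root"
            if (seen_root > 1)  printf "ROOT_DUPLICATE %d entries named root\n", seen_root
        }
    ' "$1"
}

# Constructed sample: root moved to UID 500 and an extra UID 0 account added.
demo() {
    audit_passwd - <<'EOF'
root:x:500:500:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
}
demo
```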


