Re: Can't remove file as root

From: ynotssor (ynotssorAT@info.der-keiler.de)
Date: 02/24/02


    From: "ynotssor" <ynotssorAT hotmail dot `\rm -rf /` com>
    Date: Sat, 23 Feb 2002 15:26:35 -0800
    
    

    "Bob Lawson" <blawson@parkridge.on.ca> wrote in message
    news:3c77b11a.358357950@news.cogeco.ca...
    [...]
    >>I have the problem, that I can't remove a file as root anymore, and I
    >>don't know why. The file was replaced by a hacker.
    >>
    >>root@host:/bin # ls -l ps
    >>-rwxr-xr-x 1 root root 13583 Feb 9 01:04 ps
    >>root@host:/bin # rm ps
    >>rm: remove `ps', overriding mode 0755? y
    >>rm: ps: Operation not permitted
    >>root@host:/bin # chmod 0700 ps
    >>chmod: ps: Operation not permitted
    [...]
    >
    > To be totally sure you must reinstall/recover from backups.

    NO!!. Reformat and re-install the OS from distribution media. DO NOT enable the
    services that allowed for the initial compromise until they are replaced with
    secure versions. Backups may only be used for non-system data recovery, and then
    only after careful consideration of the possibilities.

    > It sounds like they might have changed the userid of root, so although
    > you are logging in as root you do not have root permissions. Root
    > might have been changed to another user.
    >
    > Check the password file for this. You can fix it by booting off the
    > emergency boot diskette and editing the password file.

    There is no fix, just re-installation of the entire OS.

    The "rm" may be a trojan as well as "login", "passwd" and any other
    commonly-used system commands.

    Any or all of them may have been replaced by the rootkit.

                    tony


