Re: Can't remove file as root
From: Bill Unruh (unruh@physics.ubc.ca) Date: 02/24/02
- Next message: Marty Fouts: "Re: Microsoft finally acknowledges the security drumbeats"
- Previous message: ynotssor: "Re: Can't remove file as root"
- In reply to: ynotssor: "Re: Can't remove file as root"
- Next in thread: Sven Vermeulen: "Re: Can't remove file as root"
- Next in thread: terry: "Re: Can't remove file as root"
- Reply: Sven Vermeulen: "Re: Can't remove file as root"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: unruh@physics.ubc.ca (Bill Unruh) Date: 24 Feb 2002 01:10:44 GMT
In <3c782572_4@corp-news.newsgroups.com> "ynotssor" <ynotssorAT hotmail dot `\rm -rf /` com> writes:
]"Bob Lawson" <blawson@parkridge.on.ca> wrote in message
]news:3c77b11a.358357950@news.cogeco.ca...
][...]
]>>I have the problem, that I can't remove a file as root anymore, and I
]>>don't know why. The file was replaced by a hacker.
]>>
]>>root@host:/bin # ls -l ps
]>>-rwxr-xr-x 1 root root 13583 Feb 9 01:04 ps
]>>root@host:/bin # rm ps
]>>rm: remove `ps', overriding mode 0755? y
]>>rm: ps: Operation not permitted
]>>root@host:/bin # chmod 0700 ps
]>>chmod: ps: Operation not permitted
][...]
]>
man lsattr
man chattr
]> To be totally sure you must reinstall/recover from backups.
]NO!!. Reformat and re-install the OS from distribution media. DO NOT enable the
]services that allowed for the initial compromise until they are replaced with
]secure versions. Backups may only be used for non-system data recovery, and then
]only after careful consideration of the possibilities.
Not terribly helpful.
Backups could be used for system as well, as long as you make sure that
the backup itself is not broken.
On an rpm system, do
rpm -Va|grep '^..5'>/tmp/verify
and look at the files there. Some are config files, which should have
been changed. If some are system files, then reinstall.
After reinstall make sure you install all of the security patches. Then
also do
find / -perm +6000 -ls
to find all of the suid root files. Some should be (rpm -Va -f
name/of/file) but some may have been planted by the attacker.
Also change each and every password.
]There is no fix, just re-installation of the entire OS.
]The "rm" may be a trojan as well as "login", "passwd" and any other
]commonly-used system commands.
]Any or all of them may have been replaced by the rootkit.
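The `rpm -Va | grep '^..5'` triage Bill describes, as an added shell example that is not part of the thread: it reads verify output (the sample lines below are constructed, not from a real host) and separates changed config files, which are expected to differ, from changed system files that warrant a reinstall, and from files that are missing altogether.

```shell
#!/bin/sh
# Triage `rpm -Va` output. Each line is: <flags> [attr] <path>, where the
# third flag character is '5' when the file's digest (MD5) no longer matches
# the package, and attr is 'c' for a config file. A "missing" line means the
# packaged file is gone. Output: one "CLASS<TAB>path" line per finding.
rpm_verify_triage() {
    awk '
    {
        flags = $1
        if (NF >= 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
        if (flags == "missing") {
            print "MISSING\t" path
        } else if (substr(flags, 3, 1) == "5") {
            # digest changed: edited config is expected, a changed binary is not
            if (attr == "c") print "CONFIG\t" path
            else             print "REINSTALL\t" path
        }
        # mode- or timestamp-only differences (no "5") are left out on purpose
    }'
}

# Constructed sample of `rpm -Va` output (hypothetical, for demonstration).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ps
.......T.    /usr/bin/login
missing     /sbin/ifconfig
S.5....T.    /bin/netstat'

# Run the triage over the embedded sample; used below and by the test.
triage_sample() {
    printf '%s\n' "$SAMPLE" | rpm_verify_triage
}

triage_sample
```

In practice pipe the real verify output in (`rpm -Va | rpm_verify_triage`) and treat every REINSTALL and MISSING line as a package to reinstall from trusted media.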