Security Incidents mailing list archives
Re: Compromised...
From: derek () USFCA EDU (Derek Vadala)
Date: Mon, 14 Feb 2000 22:48:29 -0800
On Mon, 14 Feb 2000, Stephen J. Friedl wrote:
While trying to get the system back up enough to assess, I found that I could not replace certain binaries in /bin with fresh-from-CD versions: a few limited files got "operation not permitted" when I tried to rename or remove them. I was running Red Hat Linux 5.2: it is conceivable that he could have installed some kind of kernel module to have helped keep him around? I still have the old drive freeze-dried and available.
Sure. But it's more likely that his root kit did chattr +u files... making them undeleteable. You can use lsattr to check: derek@bored:~ > lsattr /bin/ls -u------ /bin/ls chattr -u files... as root flags removes the flag and then you should be able to replace. +++ath Derek Vadala, derek () usfca edu, http://www.cynicism.com/~derek
Current thread:
- Re: Compromised..., (continued)
- Re: Compromised... Jim Kinney (Feb 07)
- Re: Compromised... Jon Lewis (Feb 07)
- Re: Compromised... Joshua Krage (Feb 08)
- Re: Compromised... Rich Burroughs (Feb 09)
- Re: Compromised... Lane Davis (Feb 07)
- Re: Compromised... Marianovich Felix (Feb 08)
- Re: Compromised... Sebastian (Feb 08)
- 195.0.0.0/8 Scan Source amused () POBOX COM (Feb 10)
- hacked Anton (Feb 14)
- Re: Compromised... Stephen J. Friedl (Feb 14)
- Re: Compromised... Derek Vadala (Feb 14)
- Re: Compromised... Alexandru Popa (Feb 14)
