Security Incidents mailing list archives

Re: Compromised...


From: razor () LDC RO (Alexandru Popa)
Date: Tue, 15 Feb 2000 08:51:50 +0200


On Mon, 14 Feb 2000, Stephen J. Friedl wrote:

> While trying to get the system back up enough to assess, I found that I could
> not replace certain binaries in /bin with fresh-from-CD versions: a few
> limited files got "operation not permitted" when I tried to rename or remove
> them.
>
> I was running Red Hat Linux 5.2: it is conceivable that he could have installed
> some kind of kernel module to have helped keep him around? I still have the
> old drive freeze-dried and available.

Linux has file attributes, besides permissions. You could do an lsattr on
the files. If they have the "a" (append-only) or "i" (immutable) flag,
then you could replace them by removing the flag first, i.e.: "chattr -ia
filename".

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro|                   -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
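One way to turn the lsattr check into a repeatable triage step, added here as an example and not part of the original thread: a POSIX shell filter that reads lsattr-style lines (a constructed sample is embedded so it runs offline), lists the files carrying the immutable (i) or append-only (a) flag, and emits the matching "chattr -ia" commands for review. It assumes lsattr's usual layout of an attribute field followed by the path.

```shell
#!/bin/sh
# Constructed sample of lsattr output (not taken from the thread). The
# first column is the attribute field, the second the file path.
SAMPLE_LSATTR='-------------e-- /bin/bash
----i--------e-- /bin/ls
-----a-------e-- /bin/ps
----ia-------e-- /bin/netstat
-------------e-- /bin/cat'

# Read lsattr-style lines on stdin; print the path of every file whose
# attribute field carries "i" (immutable) or "a" (append-only).
# Matching is case sensitive: "I" (indexed dir) and "A" (no atime)
# are different attributes and are deliberately not matched.
flagged_files() {
    while read -r attrs path; do
        case "$attrs" in
            *i*|*a*) printf '%s\n' "$path" ;;
        esac
    done
}

# Same input; print the chattr command that would clear both flags on
# each flagged file, so the list can be recorded before anything is
# changed on the disk under investigation.
remediation_commands() {
    flagged_files | while read -r path; do
        printf 'chattr -ia %s\n' "$path"
    done
}

# Live variant for a mounted filesystem: lsattr on every entry of a
# directory, filtered through the same logic (stderr dropped because
# lsattr reports "Operation not supported" on non-ext filesystems).
scan_dir() {
    lsattr -- "$1"/* 2>/dev/null | flagged_files
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LSATTR" | remediation_commands
```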

