Security Incidents mailing list archives

Re: Machine compromised


From: Gamble <a629w () unb ca>
Date: Wed, 9 Jan 2002 17:55:53 -0400 (AST)



Hi



But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
/etc/rc.d/init.d/network. I can't remove, move, or change permissions on it in
any way.

# stat /usr/bin/ssh2d /etc/rc.d/init.d/network
  File: "/usr/bin/ssh2d"
  Size: 205288       Filetype: Regular File
  Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,0   Inode: 4119      Links: 1
Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)

  File: "/etc/rc.d/init.d/network"
  Size: 5140         Filetype: Regular File
  Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,0   Inode: 121925    Links: 1
Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)

But, for example: 
# mv ssh2d ssh2d_foo
mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted

As far as I can see lsmod has not been trojaned, and it doesn't look like
there are any suspicious kernel modules loaded. So why do I get 'Operation not
permitted' when I try to do anything to the files?

Perhaps the attacker has been playing with the attribute on the file.

On BSD systems chflags can be used to do this, and on SYSVish systems, you
can use chattr.  The following is taken from a box running debian.


bit@julie:/tmp% touch imm
bit@julie:/tmp% sudo chattr +i imm
bit@julie:/tmp% ls -la imm
-rw-rw-r--    1 bit      bit             0 Jan  9 17:35 imm
bit@julie:/tmp% id
uid=1002(bit) gid=1002(bit) groups=1002(bit),25(floppy),29(audio),999(ss),0(root)
bit@julie:/tmp% rm imm
rm: remove write-protected file `imm'? y
rm: cannot unlink `imm': Operation not permitted
bit@julie:/tmp% mv /bin/sh imm
mv: cannot remove `imm': Operation not permitted
bit@julie:/tmp% sudo chattr -i imm
bit@julie:/tmp% rm imm
bit@julie:/tmp% ls -la imm
ls: imm: No such file or directory
bit@julie:/tmp%


-- Jamie
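As an added example (not part of the thread above): a small POSIX sh helper that reads lsattr(1) output and reports files carrying the immutable (i) or append-only (a) attribute, the usual cause of "Operation not permitted" on a file whose mode and owner look normal. The sample lines in the test are constructed; scan_paths assumes e2fsprogs' lsattr is installed and the paths live on an ext2/3/4 filesystem.

```shell
#!/bin/sh
# Added triage helper, not code from the original thread.
# chmod/chown/ls -l never show ext2-style attributes; `lsattr` does.
# Lines look like "----i--------e-- /usr/bin/ssh2d" (flags, one space, path).

# Parse one lsattr line. Prints "<path><TAB><flags of interest>" and
# returns 0 when i or a is set; prints nothing and returns 1 otherwise.
flag_line() {
    attrs=${1%% *}          # attribute field before the first space
    path=${1#* }            # everything after it (paths may contain spaces)
    found=""
    case "$attrs" in *i*) found="immutable" ;; esac
    case "$attrs" in *a*) found="${found:+$found,}append-only" ;; esac
    [ -n "$found" ] || return 1
    printf '%s\t%s\n' "$path" "$found"
}

# Read lsattr lines on stdin, print each flagged file, then print the count.
scan_lines() {
    count=0
    while IFS= read -r line; do
        if flag_line "$line"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Live check on real paths, e.g.:
#   scan_paths /usr/bin/ssh2d /etc/rc.d/init.d/network
# Assumes lsattr from e2fsprogs; -d reports directories themselves.
scan_paths() {
    lsattr -d "$@" 2>/dev/null | scan_lines
}
```

A file reported as immutable needs `chattr -i` (as root, with no capability-restricting kernel patch in the way) before mv or rm will succeed; on BSD the equivalent is clearing schg with chflags.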


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
