Security Incidents mailing list archives
Re: Machine compromised
From: Gamble <a629w () unb ca>
Date: Wed, 9 Jan 2002 17:55:53 -0400 (AST)
Hi
> But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
> /etc/rc.d/init.d/network. I can't remove, move, or change permissions on
> them in any way.
>
> # stat /usr/bin/ssh2d /etc/rc.d/init.d/network
>   File: "/usr/bin/ssh2d"
>   Size: 205288        Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)   Uid: (    0/    root)  Gid: (    0/    root)
> Device:  8,0   Inode: 4119     Links: 1
> Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
> Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
> Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
>
>   File: "/etc/rc.d/init.d/network"
>   Size: 5140          Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)   Uid: (    0/    root)  Gid: (    0/    root)
> Device:  8,0   Inode: 121925   Links: 1
> Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
> Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
> Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
>
> But, for example:
>
> # mv ssh2d ssh2d_foo
> mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
>
> As far as I can see lsmod has not been trojaned, and it doesn't look like
> there are any suspicious kernel modules loaded. So why do I get 'Operation
> not permitted' when I try to do anything to the files?
Perhaps the attacker has been playing with the attributes on the file. On BSD
systems chflags can be used to do this, and on SYSVish systems, you can use
chattr. The following is taken from a box running debian.

bit@julie:/tmp% touch imm
bit@julie:/tmp% sudo chattr +i imm
bit@julie:/tmp% ls -la imm
-rw-rw-r--    1 bit      bit             0 Jan  9 17:35 imm
bit@julie:/tmp% id
uid=1002(bit) gid=1002(bit) groups=1002(bit),25(floppy),29(audio),999(ss),0(root)
bit@julie:/tmp% rm imm
rm: remove write-protected file `imm'? y
rm: cannot unlink `imm': Operation not permitted
bit@julie:/tmp% mv /bin/sh imm
mv: cannot remove `imm': Operation not permitted
bit@julie:/tmp% sudo chattr -i imm
bit@julie:/tmp% rm imm
bit@julie:/tmp% ls -la imm
ls: imm: No such file or directory
bit@julie:/tmp%

--
Jamie

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
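The flip side of the chattr trick above is finding the files it was applied to. The following is an added example (not from the thread or from any tool it names): it parses `lsattr -R` output and reports every file carrying the immutable (i) or append-only (a) attribute, the two that make rm/mv/chmod fail with "Operation not permitted" even for root. The directory list and the sample output are assumptions; it also assumes the lsattr binary being run is trustworthy, which on a compromised box means running a copy from clean media.

```python
"""Report files with the ext2/3 immutable (i) or append-only (a)
attribute set, by parsing `lsattr -R` output.  Intended as a quick
check for system directories after a compromise: a trojaned binary
an intruder has pinned with `chattr +i` shows up here even though
stat/ls show an ordinary 0755 root-owned file."""
import re
import subprocess

# One lsattr line: a field of attribute letters and dashes, whitespace, the path.
LINE_RE = re.compile(r"^([-a-zA-Z]+)\s+(\S.*)$")
SUSPECT = {"i": "immutable", "a": "append-only"}


def parse_lsattr(text):
    """Return [(path, {attr names})] for each file with 'i' or 'a' set.
    Directory headers ('/usr/bin:'), blank lines and lsattr error
    messages (e.g. for /proc entries) do not match LINE_RE and are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags, path = m.groups()
        found = {SUSPECT[c] for c in flags if c in SUSPECT}
        if found:
            hits.append((path, found))
    return hits


def scan(dirs=("/usr/bin", "/etc/rc.d/init.d")):
    """Run lsattr recursively over dirs (assumed defaults) and return hits."""
    out = subprocess.run(["lsattr", "-R", *dirs], capture_output=True, text=True)
    return parse_lsattr(out.stdout)


# Constructed sample modelled on the thread: the two files from the original
# post are immutable, one init script is append-only, the rest are clean.
SAMPLE = """\
/usr/bin:
----i---------- /usr/bin/ssh2d
--------------- /usr/bin/ssh
/etc/rc.d/init.d:
----i---------- /etc/rc.d/init.d/network
-----a--------- /etc/rc.d/init.d/syslog
lsattr: Operation not supported While reading flags on /proc/1
"""

if __name__ == "__main__":
    for path, attrs in parse_lsattr(SAMPLE):
        print(f"{path}: {', '.join(sorted(attrs))}")
```

Once a hit is confirmed as an intruder's file, `chattr -i` (or `-a`) as root clears the attribute so the file can be moved aside for analysis, as Jamie's session shows.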