[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ale] Ale Digest, Vol 57, Issue 7
- Subject: [ale] Ale Digest, Vol 57, Issue 7
- From: chuck at cehuber.org (Chuck Huber)
- Date: Thu, 25 Aug 2005 18:42:18 -0400
- In-reply-to: <[email protected]>
- References: <[email protected]>
ale-request at ale.org wrote:
> Send Ale mailing list submissions to
> ale at ale.org
> Today's Topics:
> 4. Cannot chown unowned files (C. Lee Davis)
By now, I'm sure you've learned that you've been hacked.
First of all, the reason you can't chown them is because the ext2
attributes have been changed to prevent modification and deletion of
these files. This was done with the "chattr" command. These attributes
are not displayed by the overlying linux file system structure - they're
at the ext2 level. The ones that are typically turned on prevent files
from being modified or deleted, including the inode that describes the file.
Second, Look at /etc/rc.d/rc.local. Don't just more it, look all the
way at the bottom. You'll see something like:
mkdir /usr/local/games/... 2>/dev/null
./setup <password> <port>
Next, look in /usr/local/games/...
You'll probably see a directory called rk, or rkid. In that directory
is the setup script for this root kit. You'll see that it's replaced
many programs including ls, ps, pstree, syslogd, login, passwd, sshd,
and many others.
If you want to keep this system (i.e. not reinstall from scratch),
removed the ext2 attributes applied to each of these files. The chattr
should show that *no* attributes are set. To find the files that were
fgrep chattr ./setup
You'll see lines where the attributes are removed, then added.
Inbetween these is where they've installed their version.
>From there, restore all these files from a known good backup. You
should also verify the rpm packages associated with each of these files.
rpm -V passwd openssh
and so on, enumerating the packages to which each comprised file belongs.
Also, you should assume that everyone that has logged into this system
as unwillingly given their password to the crackers. Make sure that
those users change their password to something different (after cleaning
up, of course).
Make sure you install the latest version of ssh. 4.2 is current. This
can be found on openssh.org.
How do I know all this? First hand experience.