[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] Ale Digest, Vol 57, Issue 7

Chuck Huber wrote:

>ale-request at ale.org wrote:
>>Send Ale mailing list submissions to
>>	ale at ale.org
>>Today's Topics:
>>   4. Cannot chown unowned files (C. Lee Davis)
>By now, I'm sure you've learned that you've been hacked.
>First of all, the reason you can't chown them is because the ext2
>attributes have been changed to prevent modification and deletion of
>these files.  This was done with the "chattr" command.  These attributes
>are not displayed by the overlying linux file system structure - they're
>at the ext2 level.  The ones that are typically turned on prevent files
>from being modified or deleted, including the inode that describes the file.
>Second,  Look at /etc/rc.d/rc.local.  Don't just more it, look all the
>way at the bottom.  You'll see something like:
>    mkdir /usr/local/games/... 2>/dev/null
>    cd /usr/local/games/..././rkid
>    ./setup <password> <port>
>Next, look in /usr/local/games/...
>You'll probably see a directory called rk, or rkid.  In that directory
>is the setup script for this root kit.  You'll see that it's replaced
>many programs including ls, ps, pstree, syslogd, login, passwd, sshd,
>and many others.
>If you want to keep this system (i.e. not reinstall from scratch),
>removed the ext2 attributes applied to each of these files.  The chattr
>should show that *no* attributes are set.  To find the files that were
>    fgrep chattr ./setup
>You'll see lines where the attributes are removed, then added.
>Inbetween these is where they've installed their version.
>>From there, restore all these files from a known good backup.  You
>should also verify the rpm packages associated with each of these files.
> i.e.:
>	rpm -V passwd openssh
>and so on, enumerating the packages to which each comprised file belongs.
>Also, you should assume that everyone that has logged into this system
>as unwillingly given their password to the crackers.  Make sure that
>those users change their password to something different (after cleaning
>up, of course).
>Make sure you install the latest version of ssh.  4.2 is current.  This
>can be found on openssh.org.
>How do I know all this?  First hand experience.
>    - Chuck
>Ale mailing list
>Ale at ale.org
what is the link to the ale digest?
how can I view it?
I looked all over the home page and google and no luck

reading other messages and between the lines is it the mail feed?

thanks in advance