[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- <!--x-content-type: text/plain -->
- <!--x-date: Fri, 26 Aug 2005 09:29:30 -0400 -->
- <!--x-from-r13: yvahk ng wgubyzrf.pbz (w.g. ubyzrf) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] Ale Digest, Vol 57, Issue 7 -->
- <li><em>date</em>: Fri, 26 Aug 2005 09:29:30 -0400</li>
- <li><em>from</em>: linux at jtholmes.com (j.t. holmes)</li>
- <li><em>in-reply-to</em>: <<a href="msg00433.html">[email protected]</a>></li>
- <li><em>references</em>: <[email protected]> <<a href="msg00433.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] Ale Digest, Vol 57, Issue 7</li>
>ale-request at ale.org wrote:
>>Send Ale mailing list submissions to
>> ale at ale.org
>> 4. Cannot chown unowned files (C. Lee Davis)
>By now, I'm sure you've learned that you've been hacked.
>First of all, the reason you can't chown them is because the ext2
>attributes have been changed to prevent modification and deletion of
>these files. This was done with the "chattr" command. These attributes
>are not displayed by the overlying linux file system structure - they're
>at the ext2 level. The ones that are typically turned on prevent files
>from being modified or deleted, including the inode that describes the file.
>Second, Look at /etc/rc.d/rc.local. Don't just more it, look all the
>way at the bottom. You'll see something like:
> mkdir /usr/local/games/... 2>/dev/null
> cd /usr/local/games/..././rkid
> ./setup <password> <port>
>Next, look in /usr/local/games/...
>You'll probably see a directory called rk, or rkid. In that directory
>is the setup script for this root kit. You'll see that it's replaced
>many programs including ls, ps, pstree, syslogd, login, passwd, sshd,
>and many others.
>If you want to keep this system (i.e. not reinstall from scratch),
>removed the ext2 attributes applied to each of these files. The chattr
>should show that *no* attributes are set. To find the files that were
> fgrep chattr ./setup
>You'll see lines where the attributes are removed, then added.
>Inbetween these is where they've installed their version.
>>From there, restore all these files from a known good backup. You
>should also verify the rpm packages associated with each of these files.
> rpm -V passwd openssh
>and so on, enumerating the packages to which each comprised file belongs.
>Also, you should assume that everyone that has logged into this system
>as unwillingly given their password to the crackers. Make sure that
>those users change their password to something different (after cleaning
>up, of course).
>Make sure you install the latest version of ssh. 4.2 is current. This
>can be found on openssh.org.
>How do I know all this? First hand experience.
> - Chuck
>Ale mailing list
>Ale at ale.org
><a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
what is the link to the ale digest?
how can I view it?
I looked all over the home page and google and no luck
reading other messages and between the lines is it the mail feed?
thanks in advance
<li><strong><a name="00433" href="msg00433.html">[ale] Ale Digest, Vol 57, Issue 7</a></strong>
<ul><li><em>From:</em> chuck at cehuber.org (Chuck Huber)</li></ul></li>
<li>Prev by Date:
<strong><a href="msg00445.html">[ale] OT: Geek Squad to repaint cars in CA</a></strong>
<li>Next by Date:
<strong><a href="msg00447.html">[ale] OT: Geek Squad to repaint cars in CA</a></strong>
<li>Previous by thread:
<strong><a href="msg00433.html">[ale] Ale Digest, Vol 57, Issue 7</a></strong>
<li>Next by thread:
<strong><a href="msg00449.html">[ale] What Where is the Ale Digest?</a></strong>