[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]



>ale-request at ale.org wrote:
>  
>
>>Send Ale mailing list submissions to
>>	ale at ale.org
>>
>>Today's Topics:
>>
>>   4. Cannot chown unowned files (C. Lee Davis)
>>    
>>
>
>Lee,
>
>By now, I'm sure you've learned that you've been hacked.
>
>First of all, the reason you can't chown them is because the ext2
>attributes have been changed to prevent modification and deletion of
>these files.  This was done with the "chattr" command.  These attributes
>are not displayed by the overlying linux file system structure - they're
>at the ext2 level.  The ones that are typically turned on prevent files
>from being modified or deleted, including the inode that describes the file.
>
>Second,  Look at /etc/rc.d/rc.local.  Don't just more it, look all the
>way at the bottom.  You'll see something like:
>
>    mkdir /usr/local/games/... 2>/dev/null
>    cd /usr/local/games/..././rkid
>    ./setup <password> <port>
>
>Next, look in /usr/local/games/...
>You'll probably see a directory called rk, or rkid.  In that directory
>is the setup script for this root kit.  You'll see that it's replaced
>many programs including ls, ps, pstree, syslogd, login, passwd, sshd,
>and many others.
>
>If you want to keep this system (i.e. not reinstall from scratch),
>removed the ext2 attributes applied to each of these files.  The chattr
>should show that *no* attributes are set.  To find the files that were
>modified:
>    fgrep chattr ./setup
>
>You'll see lines where the attributes are removed, then added.
>Inbetween these is where they've installed their version.
>
>>From there, restore all these files from a known good backup.  You
>should also verify the rpm packages associated with each of these files.
> i.e.:
>	rpm -V passwd openssh
>
>and so on, enumerating the packages to which each comprised file belongs.
>
>Also, you should assume that everyone that has logged into this system
>as unwillingly given their password to the crackers.  Make sure that
>those users change their password to something different (after cleaning
>up, of course).
>
>Make sure you install the latest version of ssh.  4.2 is current.  This
>can be found on openssh.org.
>
>How do I know all this?  First hand experience.
>
>Regards,
>    - Chuck
>_______________________________________________
>Ale mailing list
>Ale at ale.org
&gt;<a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt;
&gt;
&gt;  
&gt;
what is the link to the ale digest?
how can I view it?
I looked all over the home page and google and no luck

reading other messages and between the lines is it the mail feed?

thanks in advance
jt


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00433" href="msg00433.html">[ale] Ale Digest, Vol 57, Issue 7</a></strong>
<ul><li><em>From:</em> chuck at cehuber.org (Chuck Huber)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00445.html">[ale] OT:  Geek Squad to repaint cars in CA</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00447.html">[ale] OT: Geek Squad to repaint cars in CA</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00433.html">[ale] Ale Digest, Vol 57, Issue 7</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00449.html">[ale] What Where is the Ale Digest?</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00446"><strong>Date</strong></a></li>
<li><a href="threads.html#00446"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>