On Sun, Jan 21, 2001 at 04:35:13PM -0800, Adrian Hunt wrote:
> All,
> The hacker who gained access to our system has me
> baffled.. I can't delete many files on the FS as root
> even using a clean copy of rm. At first I thought
> perhaps chattr.. but a clean copy of lsattr shows
> they're not locked. Yet I still can't delete their
> hacked versions of /bin/login, etc. Is there anything
> else I can do to delete these files? I need to
> reinstall some key RPM's to cleanse the system for
> now... and RPM dies 'cause it can't delete the files
> either. This is becoming more than a major problem
> for us :-(
What is your current status on this box? If you
are still struggling with it, can you check for the existence
of a /usr/src/.puta directory, or any other .??* directory
in /usr/src/ for that matter. You may be dealing with a
variation on the Ramen worm that includes a very serious
root kit. If you can confirm this, I need a copy of the contents
of that directory ASAP. You can mail it to either [EMAIL PROTECTED]
(Internet Security Systems, Inc) or [EMAIL PROTECTED] You can
encrypt it to my PGP key 0xdf1dd471, if you wish.
You may have to boot from clean read-only media (the LinuxCare
rescue CD would be a good choice) and do not trust ANY binaries on
the system itself. That includes the kernel and kernel modules! If
you haven't already, you will probably have to reinstall to recover.
> TIA,
> Adrian
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
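The two checks Mike describes above (look for hidden `.??*` directories under /usr/src, and trust nothing on the compromised disk, only binaries compared against clean media) can be scripted so they run from a rescue environment. The following is an added example, not code from the thread or from either poster; it assumes the suspect filesystem is mounted at a path you pass in, and that a checksum manifest of the form "<sha256>  <relative path>" was produced beforehand from known-good media. The demo tree, its "trojaned" login file and the `.puta` directory name used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread).
# Defender-side checks to run from a clean rescue environment against an
# untrusted root filesystem mounted read-only at a path of your choosing.

# 1. List hidden directories (names starting with a dot) directly under $1.
#    Uses the same .??* glob as the thread, so "." and ".." are skipped.
find_hidden_dirs() {
    for d in "$1"/.??*; do
        [ -d "$d" ] && echo "$d"
    done
    return 0
}

# SHA-256 of one file; prefers coreutils sha256sum, falls back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 2. Compare every entry of a manifest ("<sha256>  <relative path>", the
#    sha256sum -c layout) against the files under root $2. Prints one line
#    per entry and returns 1 if anything is missing or modified.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hash_file "$f")" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        else
            echo "OK       $path"
        fi
    done < "$manifest"
    return $bad
}

# Build a constructed demo tree: a "clean" copy of two binaries, an
# "untrusted" copy where bin/login differs and a hidden usr/src/.puta
# directory exists, plus a manifest generated from the clean copy.
# Prints the temp directory it created.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/bin" "$d/untrusted/bin" "$d/untrusted/usr/src/.puta"
    printf 'trusted login binary\n' > "$d/clean/bin/login"
    printf 'trusted ls binary\n'    > "$d/clean/bin/ls"
    printf 'TROJANED login\n'       > "$d/untrusted/bin/login"   # constructed tamper
    cp "$d/clean/bin/ls" "$d/untrusted/bin/ls"
    ( cd "$d/clean" && for f in bin/login bin/ls; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done ) > "$d/manifest.txt"
    echo "$d"
}

# Run both checks over the demo tree and report; always returns 0 so the
# script can be sourced or executed without aborting a calling shell.
run_demo() {
    root=$(make_demo)
    echo "Hidden directories under usr/src:"
    find_hidden_dirs "$root/usr/src"
    find_hidden_dirs "$root/untrusted/usr/src"
    echo "Manifest check:"
    if verify_manifest "$root/manifest.txt" "$root/untrusted"; then
        echo "all files match clean media"
    else
        echo "one or more files differ from clean media; do not trust this system"
    fi
    rm -rf "$root"
    return 0
}

run_demo
```

In a real response the manifest would come from a trusted source (a pristine install or package media read on a clean host), and the suspect disk would be mounted from a rescue CD rather than inspected with the system's own kernel, since a kernel-level rootkit can hide both the directory and the file modifications from tools run on the live system.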
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list