One thing I do not understand is why a manual clean-up is being
attempted... personally I would never trust a system which had been
compromised. Why not nab the critical data and start over?

On Thu, 25 Jan 2001, Michael H. Warfield spewed into the bitstream:
MHW>On Thu, Jan 25, 2001 at 04:48:58AM -0330, Mike Pelley wrote:
MHW>> Folks,
MHW>> I'm cleaning up a system that was hacked (curses on wu-ftp!).  There are a
MHW>> number of files that cannot be reverted to their non-hacked form,
MHW>> specifically, /bin/ps and /bin/netstat.  If I try to delete them, for example
MHW>> /bin/ps, I get this error:
MHW>>   rm: cannot unlink `ps': Operation not permitted
MHW>> I've taken a look at status and get:
MHW>>   File: "/bin/ps"
MHW>>   Size: 33281        Filetype: Regular File
MHW>>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
MHW>> Device: 48,1   Inode: 108742    Links: 1
MHW>> Access: Thu Jan 25 03:38:03 2001(00000.01:02:45)
MHW>> Modify: Mon Jan 15 13:12:44 2001(00009.15:28:04)
MHW>> Change: Mon Jan 22 19:47:13 2001(00002.08:53:35)
MHW>
MHW>    Check it with lsattr and see what you get.
MHW>
MHW>> So, I guess this means that the file has a hard link to some other file.
MHW>> Then I did a search for that inode:
MHW>>   find / -inum 108742 -print
MHW>> but I don't find any other files that are linked to it!
MHW>
MHW>    No.  One link into the file system.
MHW>
MHW>> There has to be some way to delete these files.  What am I missing?
MHW>
MHW>    Potentially several things.  The file "attributes" (lsattr/chattr)
MHW>may be set to something like RO or Append-Only.  The kernel may be modified
MHW>with a stealth module.  You've definitely got a root kit on that system
MHW>and should seriously consider reinstalling.  This time, update the system
MHW>and keep it up to date.  That bug was fixed months ago!
MHW>
MHW>    One other thing, real important to me...  Check to see if you have
MHW>a directory /usr/src/.puta on that system.  If you do, tar it up and mail
MHW>it to me at Internet Security Systems, ASAP, please!  It may be a new,
MHW>vicious, version of the Ramen worm and I need a specimen.  My address
MHW>there is [EMAIL PROTECTED], or you can send it here to [EMAIL PROTECTED]  My
MHW>PGP key is 0xdf1dd471 if you want to encrypt it.  I need to determine
MHW>the extent of the compromise in this new worm so I can advise people
MHW>on the action to take when hit!  Anyone with a compromised system should
MHW>check for that directory and contact me directly if they find it!
MHW>
MHW>    If it is what I think it is, you might not be able to even trust
MHW>the kernel you are booting with, because of the stealth modules.

--
Chuck Mead, Owner, MoonGroup.com
[EMAIL PROTECTED]
GnuPG Public Key Available: http://wwwkeys.us.pgp.net
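The lsattr check Michael suggests, as an added example that is not part of the thread: a small parser for lsattr's text output that flags binaries pinned with the immutable (i) or append-only (a) attribute, which is the usual reason rm reports "Operation not permitted" on a file with a single link. The sample output is constructed; on a live system you would feed it the output of something like `lsattr -d /bin/*`.

```python
"""Triage helper for the situation in the thread: rm refuses to unlink a
binary, yet find -inum shows only one link.  On ext2/3/4 the usual cause is
the immutable (i) or append-only (a) attribute set with chattr.  This parser
reads lsattr's text output so it can be run offline on captured output.
Caveat from the thread itself: with a stealth kernel module loaded, what
lsattr reports may not be trustworthy either."""
import re

# One lsattr line per file: a field of flag letters/dashes, whitespace, path.
_LINE = re.compile(r"^([A-Za-z-]+)\s+(.+)$")

# Attributes that prevent modification or deletion.  A root kit can use them
# to keep trojaned binaries in place; they are rarely legitimate under /bin.
SUSPICIOUS = {"i": "immutable", "a": "append-only"}


def parse_lsattr(text):
    """Return {path: set of flag letters} from lsattr output."""
    result = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skips lsattr warnings such as "Operation not supported"
        flags, path = m.groups()
        result[path] = {c for c in flags if c != "-"}
    return result


def find_pinned(text, expected=()):
    """Return {path: [attribute names]} for files carrying i or a that are
    not in the caller's allow-list (e.g. append-only log files)."""
    findings = {}
    for path, flags in parse_lsattr(text).items():
        if path in expected:
            continue
        hit = [SUSPICIOUS[f] for f in sorted(flags) if f in SUSPICIOUS]
        if hit:
            findings[path] = hit
    return findings


# Constructed sample output; the flag layout follows lsattr's format.
SAMPLE = """\
----i--------e-- /bin/ps
-------------e-- /bin/ls
----ia-------e-- /bin/netstat
lsattr: Operation not supported While reading flags on /proc/version
"""

if __name__ == "__main__":
    for path, attrs in find_pinned(SAMPLE).items():
        print(f"{path}: {', '.join(attrs)}")
```

A file that is merely immutable can be released with `chattr -i`, but as both posters say, finding pinned system binaries means the box is rootkitted and the only sound fix is a reinstall from known-good media.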

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list