On Thu, Jan 25, 2001 at 10:50:52AM -0700, [EMAIL PROTECTED] wrote:
> One thing I do not understand is why a manual clean-up is being
> attempted... personally I would never trust a system which had been
> compromised. Why not nab the critical data and start over?

        I don't know his reasons but I really hope he is trying so
I can get a copy of the sucker to do a post mortem on and find out
how it ticks.

> On Thu, 25 Jan 2001, Michael H. Warfield spewed into the bitstream:
> MHW>On Thu, Jan 25, 2001 at 04:48:58AM -0330, Mike Pelley wrote:
> MHW>> Folks,
> MHW>> I'm cleaning up a system that was hacked (curses on wu-ftp!).  There are a
> MHW>> number of files that cannot be reverted to their non-hacked form,
> MHW>> specifically, /bin/ps and /bin/netstat.  If I try to delete them, for example
> MHW>> /bin/ps, I get this error:
> MHW>>         rm: cannot unlink `ps': Operation not permitted
> MHW>> I've taken a look at status and get:
> MHW>>   File: "/bin/ps"
> MHW>>   Size: 33281        Filetype: Regular File
> MHW>>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/
> MHW>> root)
> MHW>> Device: 48,1   Inode: 108742    Links: 1
> MHW>> Access: Thu Jan 25 03:38:03 2001(00000.01:02:45)
> MHW>> Modify: Mon Jan 15 13:12:44 2001(00009.15:28:04)
> MHW>> Change: Mon Jan 22 19:47:13 2001(00002.08:53:35)
> MHW>
> MHW>  Check it with lsattr and see what you get.
> MHW>
> MHW>> So, I guess this means that the file has a hard link to some other file.
> MHW>> Then I did a search for that inode:
> MHW>>         find / -inum 108742 -print
> MHW>> but I don't find any other files that are linked to it!
> MHW>
> MHW>  No.  One link into the file system.
> MHW>
> MHW>> There has to be some way to delete these files.  What am I missing?
> MHW>
> MHW>  Potentially several things.  The file "attributes" (lsattr/chattr)
> MHW>may be set to something like RO or Append-Only.  The kernel may be modified
> MHW>with a stealth module.  You've definitely got a root kit on that system
> MHW>and should seriously consider reinstalling.  This time, update the system
> MHW>and keep it up to date.  That bug was fixed months ago!
> MHW>
> MHW>  One other thing, real important to me...  Check to see if you have
> MHW>a directory /usr/src/.puta on that system.  If you do, tar it up and mail
> MHW>it to me at Internet Security Systems, ASAP, please!  It may be a new,
> MHW>vicious, version of the Ramen worm and I need a specimen.  My address
> MHW>there is [EMAIL PROTECTED], or you can send it here to [EMAIL PROTECTED].  My
> MHW>PGP key is 0xdf1dd471 if you want to encrypt it.  I need to determine
> MHW>the extent of the compromise in this new worm so I can advise people
> MHW>on the action to take when hit!  Anyone with a compromised system should
> MHW>check for that directory and contact me directly if they find it!
> MHW>
> MHW>  If it is what I think it is, you might not be able to even trust
> MHW>the kernel you are booting with, because of the stealth modules.
> 
> --
> Chuck Mead, Owner, MoonGroup.com
> [EMAIL PROTECTED]
> GnuPG Public Key Available: http://wwwkeys.us.pgp.net

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
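The lsattr/chattr and find -inum checks discussed in the thread, written out as a small triage script. This is an added example, not code from any of the messages above. It assumes GNU coreutils and findutils plus e2fsprogs (lsattr/chattr) on an ext2/ext3 filesystem; clearing the immutable or append-only flag needs root. The function names (lsattr_flags, link_count, same_inode_paths, triage) and the sample lsattr lines are mine. As the thread warns, on a host with a rootkit and possibly a stealth kernel module none of these tools' output can be trusted, so run it from a known-clean boot medium, and treat the result as evidence for the post mortem rather than as a clean-up.

```shell
#!/bin/sh
# Added example (not from the thread): triage a binary that rm refuses to
# unlink with "Operation not permitted" even though stat shows Links: 1.
# Assumes GNU coreutils/findutils and e2fsprogs on ext2/ext3; root for chattr.

# Classify the flag field of one lsattr line, e.g. "----i----------- /bin/ps".
# 'i' (immutable) forbids unlink, rename and write; 'a' (append-only)
# forbids unlink and truncate. Prints the matching names, space separated.
lsattr_flags() {
    flags=${1%% *}                      # text before the first space
    names=""
    case $flags in *i*) names="$names immutable" ;; esac
    case $flags in *a*) names="$names append-only" ;; esac
    printf '%s\n' "${names# }"
}

# Hard-link count of a path, taken from field 2 of ls -ld (works across
# the differing stat(1) dialects). Links: 1 means no other name to hunt.
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# Every directory entry on the same filesystem that shares $1's inode.
# -xdev stops find crossing into other mounts, where inode numbers repeat,
# which is why "find / -inum N" alone can produce false hits.
same_inode_paths() {
    mnt=$(df -P "$1" | awk 'NR == 2 { print $6 }')   # mount point of $1
    ino=$(ls -ldi "$1" | awk '{ print $1 }')         # inode number of $1
    find "$mnt" -xdev -inum "$ino" -print 2>/dev/null
}

# Report attributes and links; with --fix, clear i/a and then unlink.
triage() {
    f=$1
    line=$(lsattr "$f" 2>/dev/null) || {
        echo "$f: lsattr failed (not ext2/3, or lsattr/kernel not trustworthy)"
        return 1
    }
    echo "$f: attrs [$(lsattr_flags "$line")] links=$(link_count "$f")"
    same_inode_paths "$f" | sed "s|^|$f: same inode: |"
    if [ "$2" = "--fix" ]; then
        chattr -ia "$f" && rm -f -- "$f" && echo "$f: removed"
    fi
}

# Usage: sh triage.sh /bin/ps        (report only)
#        sh triage.sh /bin/ps --fix  (clear flags and unlink, as root)
if [ $# -gt 0 ]; then
    triage "$@"
fi
```

Running it without --fix first is deliberate: the flag report and the inode search go into the incident notes before anything on the box is changed, and a trojaned /bin/ps or /bin/netstat is exactly the kind of specimen the thread is asking for.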
