On Tuesday 22 January 2002 13:37, Valdis.Kletnieksat_private wrote:
[snip]
>
> I'm wondering if you managed to get a bad copy of the disk image, and
> there's a busticated inode belonging to some file in lib/.

Nope, the md5sums checked out OK. I also downloaded a second copy to
verify... Of course, if the HoneyNet folks gathered a bad image.... ;)

>
> To test:
>
> 1) cd lib/
> 2) /bin/ls (you say this works)
> 3) (bash/ksh) for i in `/bin/ls`; do echo $i; /bin/ls -l $i; done

Every file in /home/ftp/lib gives a segfault. But, from /home/ftp/ I can
`ls -l lib` all I want...

> I'm wondering if the $CRACKED_BOX had a kernel module loaded that used

There was nothing in the HoneyNet Forensic Challenge analysis to
substantiate this.

> a previously reserved bit in the inode as a "hide me please" flag, and
> a modified lsattr/chattr command to set the bit, and 'ls' and 'stat'

This is interesting:

$CRACKED_BOX/home/ftp/lib # lsattr *
-------- ld-2.1.3.so
-------- ld-linux.so.2
-------- libc-2.1.3.so
-------- libc.so.6
-------- libnsl-2.1.3.so
-------- libnsl.so.1
-------- libnss_files-2.1.3.so
-------- libnss_files.so.2

Yet, debugfs shows proper permissions:

debugfs: ls -la
123137  40755  0  0    4096 04-Nov-2000 18:56 .
 30785  40755  0  0    4096 04-Nov-2000 18:56 ..
123138 100755  0  0   77216 04-Feb-2000 09:07 ld-2.1.3.so
123139 120777  0  0      11 04-Nov-2000 18:56 ld-linux.so.2
123140 100755  0  0  985256 04-Feb-2000 09:07 libc-2.1.3.so
123141 120777  0  0      13 04-Nov-2000 18:56 libc.so.6
123142 100755  0  0   75888 04-Feb-2000 09:07 libnsl-2.1.3.so
123143 120777  0  0      15 04-Nov-2000 18:56 libnsl.so.1
123144 100755  0  0   33036 04-Feb-2000 09:07 libnss_files-2.1.3.so
123145 120777  0  0      21 04-Nov-2000 18:56 libnss_files.so.2

And while stat fails just before spewing the mode info,

$CRACKED_BOX/home/ftp/lib # stat ld-2.1.3.so
File: "ld-2.1.3.so"
Size: 77216 Allocated Blocks: 160 Filetype: Regular File
Segmentation fault

it works from the parent:

$CRACKED_BOX/home/ftp/lib # cd ..
$CRACKED_BOX/home/ftp/ # stat lib/ld-2.1.3.so
File: "lib/ld-2.1.3.so"
Size: 77216 Allocated Blocks: 160 Filetype: Regular File
Mode: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 7,3 Inode: 123138 Links: 1
Access: Fri Feb 4 09:07:00 2000
Modify: Fri Feb 4 09:07:00 2000
Change: Sat Nov 4 18:56:55 2000

Another clue- df -[m|k] will also segfault.

Does anyone still have their HFC images lying around to try and
duplicate this? This has got to be related to the chroot jail, but I'm
still baffled. It might be time to look at the source for ls, stat and
lsattr...

--
"Open source software - with no walls and fences, who needs Windows and Gates?"