Re: Machine compromised

From: Gamble (a629wat_private)
Date: Wed Jan 09 2002 - 13:55:53 PST


    Hi
    
    > But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
    > /etc/rc.d/init.d/network. I can't remove, move, or change permissions on it in
    > any way. 
    > 
    > # stat /usr/bin/ssh2d /etc/rc.d/init.d/network
    >   File: "/usr/bin/ssh2d"
    >   Size: 205288       Filetype: Regular File
    >   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/
    > root)
    > Device:  8,0   Inode: 4119      Links: 1
    > Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
    > Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
    > Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
    > 
    >   File: "/etc/rc.d/init.d/network"
    >   Size: 5140         Filetype: Regular File
    >   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/
    > root)
    > Device:  8,0   Inode: 121925    Links: 1
    > Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
    > Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
    > Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
    > 
    > But, for example: 
    > # mv ssh2d ssh2d_foo
    > mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
    > 
    > As far as I can see lsmod has not been trojaned, and it doesn't look like
    > there are any suspicious kernel modules loaded. So why do I get 'Operation not
    > permitted' when I try to do anything to the files?
    
    Perhaps the attacker has been playing with the attributes on the files.
    
    On BSD systems chflags can be used to do this, and on SYSVish systems, you
    can use chattr.  The following is taken from a box running Debian.
    
    bit@julie:/tmp% touch imm
    bit@julie:/tmp% sudo chattr +i imm
    bit@julie:/tmp% ls -la imm
    -rw-rw-r--    1 bit      bit             0 Jan  9 17:35 imm
    bit@julie:/tmp% id
    uid=1002(bit) gid=1002(bit) groups=1002(bit),25(floppy),29(audio),999(ss),0(root)
    bit@julie:/tmp% rm imm
    rm: remove write-protected file `imm'? y
    rm: cannot unlink `imm': Operation not permitted
    bit@julie:/tmp% mv /bin/sh imm
    mv: cannot remove `imm': Operation not permitted
    bit@julie:/tmp% sudo chattr -i imm
    bit@julie:/tmp% rm imm
    bit@julie:/tmp% ls -la imm
    ls: imm: No such file or directory
    bit@julie:/tmp%
    
    -- Jamie
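The transcript above shows the symptom (ls and stat look normal, yet rm and mv fail with "Operation not permitted") and the cure (chattr -i). What a responder usually wants next is a way to find every file on the box that carries such a flag, since neither ls nor stat reports it and only lsattr does. The script below is an added example, not part of the original message or of any list member's code: it parses lsattr-style lines ("<flags> <path>", an assumed output format) and reports files whose attribute field contains i (immutable) or a (append-only). The sample lines are constructed, reusing the two paths from the quoted post; they are not real lsattr output from that machine. Two practical notes: setting these flags updates the inode's ctime, which is why a Change time just after the Modify time is worth a second look, and on a host suspected of being trojaned, lsattr and chattr should come from known-good media like the rest of the toolset.

```sh
#!/bin/sh
# Added example, not from the original post or the list: a defender's check
# for the chattr immutable (i) / append-only (a) flags the reply describes.
# It parses lsattr-style lines of the form "<flags> <path>" (an assumption
# about the output format); the sample lines below are constructed, using
# the two paths from the quoted message, and are not real lsattr output.

# Constructed sample in lsattr's one-line-per-file layout.
SAMPLE_LSATTR='----i--------e-- /usr/bin/ssh2d
----i--------e-- /etc/rc.d/init.d/network
-------------e-- /etc/rc.d/init.d/sshd
-----a-------e-- /var/log/messages'

# Return 0 (true) if an lsattr flag field contains i or a, else 1.
# lsattr prints '-' for unset attributes and a letter for set ones, so a
# plain substring match on the field is enough.
is_locked_flags() {
    case "$1" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read "<flags> <path>" lines on stdin; print "<path> <i|a|ia>" for each
# file carrying a lock flag. Paths with spaces survive because read -r
# assigns everything after the first field to $path. Directory headers
# ("/etc:") and blank lines from lsattr -R have an empty $path and are skipped.
find_locked_attrs() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        if is_locked_flags "$flags"; then
            printf '%s %s\n' "$path" "$(printf '%s' "$flags" | tr -cd 'ia')"
        fi
    done
}

# Number of flagged files in a block of lsattr-style text (used by the checks).
count_locked() {
    printf '%s\n' "$1" | find_locked_attrs | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample. On a live host feed it real
# output instead, e.g.:  lsattr -R /etc /usr/bin /sbin 2>/dev/null | find_locked_attrs
printf '%s\n' "$SAMPLE_LSATTR" | find_locked_attrs
```

Expected output for the sample is the two quoted paths tagged "i" and /var/log/messages tagged "a"; the sshd script, which has only the extents flag (e), is not reported. An append-only log is a legitimate hardening choice, so the point of listing the flag letter is to let the responder separate expected entries from the ones that need a chattr -i before cleanup can proceed.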
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:54:44 PST