Hi

> But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
> /etc/rc.d/init.d/network. I can't remove, move, change permissions on it in
> any way.
>
> # stat /usr/bin/ssh2d /etc/rc.d/init.d/network
>   File: "/usr/bin/ssh2d"
>   Size: 205288       Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
> Device:  8,0  Inode: 4119      Links: 1
> Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
> Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
> Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
>
>   File: "/etc/rc.d/init.d/network"
>   Size: 5140         Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
> Device:  8,0  Inode: 121925    Links: 1
> Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
> Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
> Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
>
> But, for example:
> # mv ssh2d ssh2d_foo
> mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
>
> As far as I can see lsmod has not been trojaned, and it doesn't look like
> there are any suspicious kernel modules loaded. So why do I get 'Operation not
> permitted' when I try to do anything to the files?

Perhaps the attacker has been playing with the attributes on the file. On BSD
systems chflags can be used to do this, and on SYSVish systems you can use
chattr. The following is taken from a box running Debian.

bit@julie:/tmp% touch imm
bit@julie:/tmp% sudo chattr +i imm
bit@julie:/tmp% ls -la imm
-rw-rw-r--    1 bit      bit             0 Jan  9 17:35 imm
bit@julie:/tmp% id
uid=1002(bit) gid=1002(bit) groups=1002(bit),25(floppy),29(audio),999(ss),0(root)
bit@julie:/tmp% rm imm
rm: remove write-protected file `imm'? y
rm: cannot unlink `imm': Operation not permitted
bit@julie:/tmp% mv /bin/sh imm
mv: cannot remove `imm': Operation not permitted
bit@julie:/tmp% sudo chattr -i imm
bit@julie:/tmp% rm imm
bit@julie:/tmp% ls -la imm
ls: imm: No such file or directory
bit@julie:/tmp%

--
Jamie

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
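The reply above shows the immutable attribute producing "Operation not permitted" even for root. As an added example (not part of the original thread), the following shell function turns the complementary check into a sweep: it reads `lsattr -R` output and lists every file carrying the immutable (`i`) or append-only (`a`) ext2/3/4 attribute. The sample `lsattr` output embedded below is constructed, not a real capture, and only mirrors the paths named in the thread.

```shell
# Added example: find files whose ext attributes would make mv/rm/chmod fail
# with "Operation not permitted" regardless of uid.
# Live usage (needs root and an ext2/3/4 filesystem):
#   lsattr -R /usr/bin /etc 2>/dev/null | find_locked_files

find_locked_files() {
    # Reads lsattr lines on stdin in the form "<flags> <path>".
    # Prints "<attr> <path>" for each file whose flag field contains
    # 'i' (immutable) or 'a' (append-only). Directory headers such as
    # "/usr/bin:" and blank lines emitted by lsattr -R are skipped.
    awk '
        $1 ~ /^[-a-zA-Z]+$/ {
            flags = $1
            path = $0
            sub(/^[^ ]+ +/, "", path)        # everything after the flag field
            tags = ""
            if (flags ~ /i/) tags = tags "immutable,"
            if (flags ~ /a/) tags = tags "append-only,"
            if (tags != "") {
                sub(/,$/, "", tags)
                print tags " " path
            }
        }'
}

# Constructed sample of lsattr -R output (NOT a real capture). The 'e'
# (extents) flag is normal on every file; only 'i' and 'a' matter here.
SAMPLE_LSATTR='----i--------e-- /usr/bin/ssh2d
-------------e-- /usr/bin/ssh
----i--------e-- /etc/rc.d/init.d/network
-----a-------e-- /var/log/messages
-------------e-- /etc/rc.d/init.d/sshd'

# Runs the scan over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_locked_files
}
```

Because the thread already suspects trojaned binaries, run `lsattr` (and `chattr`) from trusted media rather than the compromised host's own /usr/bin.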
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:54:44 PST