Re: Machine compromised

From: Gamble (a629wat_private)
Date: Wed Jan 09 2002 - 13:55:53 PST

Next message: Hugo van der Kooij: "Re: Think I've got trouble"

Previous message: Russell Fulton: "Re: Large ICMP Packets with strange payload"
In reply to: Jan van Rensburg: "Machine compromised"
Next in thread: Petrus Repo: "Re: Machine compromised"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi



> But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
> /etc/rc.d/init.d/network. I can't remove, move, changes permissions on it in
> any way. 
> 
> # stat /usr/bin/ssh2d /etc/rc.d/init.d/network
>   File: "/usr/bin/ssh2d"
>   Size: 205288       Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/
> root)
> Device:  8,0   Inode: 4119      Links: 1
> Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
> Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
> Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
> 
>   File: "/etc/rc.d/init.d/network"
>   Size: 5140         Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/
> root)
> Device:  8,0   Inode: 121925    Links: 1
> Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
> Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
> Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)
> 
> But, for example: 
> # mv ssh2d ssh2d_foo
> mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted
> 
> As far a I can see lsmod has not been trojaned, and it doesn't look like
> there's any suspicious kernel modules loaded. So why do I get 'Operation not
> permitted' when I try to do anything to the files?

Perhaps the attacker has been playing with the attribute on the file.

On BSD systems chflags can be used to do this, and on SYSVish systems, you
can use chattr.  The following is taken from a box running debian.


bit@julie:/tmp% touch imm
bit@julie:/tmp% sudo chattr +i imm
bit@julie:/tmp% ls -la imm
-rw-rw-r--    1 bit      bit             0 Jan  9 17:35 imm
bit@julie:/tmp% id
uid=1002(bit) gid=1002(bit) groups=1002(bit),25(floppy),29(audio),999(ss),0(root)
bit@julie:/tmp% rm imm
rm: remove write-protected file `imm'? y
rm: cannot unlink `imm': Operation not permitted
bit@julie:/tmp% mv /bin/sh imm
mv: cannot remove `imm': Operation not permitted
bit@julie:/tmp% sudo chattr -i imm
bit@julie:/tmp% rm imm
bit@julie:/tmp% ls -la imm
ls: imm: No such file or directory
bit@julie:/tmp%


-- Jamie


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Hugo van der Kooij: "Re: Think I've got trouble"
Previous message: Russell Fulton: "Re: Large ICMP Packets with strange payload"
In reply to: Jan van Rensburg: "Machine compromised"
Next in thread: Petrus Repo: "Re: Machine compromised"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:54:44 PST