[ale] Ale Digest, Vol 57, Issue 7

j.t. holmes linux at jtholmes.com
Fri Aug 26 09:29:30 EDT 2005


Chuck Huber wrote:

>ale-request at ale.org wrote:
>  
>
>>Send Ale mailing list submissions to
>>	ale at ale.org
>>
>>Today's Topics:
>>
>>   4. Cannot chown unowned files (C. Lee Davis)
>>    
>>
>
>Lee,
>
>By now, I'm sure you've learned that you've been hacked.
>
>First of all, the reason you can't chown them is because the ext2
>attributes have been changed to prevent modification and deletion of
>these files.  This was done with the "chattr" command.  These attributes
>are not displayed by the overlying linux file system structure - they're
>at the ext2 level.  The ones that are typically turned on prevent files
>from being modified or deleted, including the inode that describes the file.
>
>Second,  Look at /etc/rc.d/rc.local.  Don't just more it, look all the
>way at the bottom.  You'll see something like:
>
>    mkdir /usr/local/games/... 2>/dev/null
>    cd /usr/local/games/..././rkid
>    ./setup <password> <port>
>
>Next, look in /usr/local/games/...
>You'll probably see a directory called rk, or rkid.  In that directory
>is the setup script for this root kit.  You'll see that it's replaced
>many programs including ls, ps, pstree, syslogd, login, passwd, sshd,
>and many others.
>
>If you want to keep this system (i.e. not reinstall from scratch),
>remove the ext2 attributes applied to each of these files.  The chattr
>should show that *no* attributes are set.  To find the files that were
>modified:
>    fgrep chattr ./setup
>
>You'll see lines where the attributes are removed, then added.
>In between these is where they've installed their version.
>
>From there, restore all these files from a known good backup.  You
>should also verify the rpm packages associated with each of these files.
> i.e.:
>	rpm -V passwd openssh
>
>and so on, enumerating the packages to which each compromised file belongs.
>
>Also, you should assume that everyone that has logged into this system
>has unwillingly given their password to the crackers.  Make sure that
>those users change their password to something different (after cleaning
>up, of course).
>
>Make sure you install the latest version of ssh.  4.2 is current.  This
>can be found on openssh.org.
>
>How do I know all this?  First hand experience.
>
>Regards,
>    - Chuck
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale
>
What is the link to the ale digest?
How can I view it?
I looked all over the home page and Google and no luck.

Reading other messages and between the lines, is it the mail feed?

thanks in advance
jt
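The two checks Chuck describes above, looking for ext2 attributes that block modification or deletion and then verifying the owning packages with rpm -V, can be scripted so that the same files show up in both lists. The script below is an added example written for this page, not code from the thread or from any rootkit. It parses `lsattr` and `rpm -V` output; the samples it reads are constructed and embedded in the script, and the paths and package names in them are assumed. On a live box you would feed it `lsattr -d` and `rpm -Va` output instead, and clear a flagged attribute with `chattr -ia <file>` before restoring the file from a known good copy.

```shell
#!/bin/sh
# Added example (not from the original thread): flag files whose ext2
# attributes include i (immutable) or a (append-only), flag package files
# whose content no longer matches the RPM database, and report the overlap.
# Both sample outputs below are constructed for this example.

# Constructed sample of: lsattr -d /bin/ls /bin/ps /sbin/syslogd /usr/bin/passwd
LSATTR_SAMPLE='----i--------- /bin/ls
----ia-------- /bin/ps
-------------- /sbin/syslogd
----i--------- /usr/bin/passwd'

# Constructed sample of: rpm -V procps openssh-server passwd coreutils
# Format: S=size M=mode 5=md5 D=dev L=link U=user G=group T=mtime, or "missing".
RPM_V_SAMPLE='S.5....T  /bin/ps
S.5....T  /usr/sbin/sshd
.......T  c /etc/ssh/sshd_config
S.5....T  /usr/bin/passwd
missing   /usr/share/man/man1/ls.1.gz'

# flag_chattr: reads lsattr output on stdin, prints lines whose attribute
# field contains i (immutable) or a (append-only).
flag_chattr() {
    while read -r attrs path; do
        case "$attrs" in
            *i*|*a*) printf '%s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# flag_rpm: reads rpm -V output on stdin. A size (S) or checksum (5)
# mismatch means the file content changed; "missing" means it is gone.
# An mtime-only difference (common for config files) is not reported.
flag_rpm() {
    while read -r flags rest; do
        rest=${rest#c }   # drop the config-file marker if present
        case "$flags" in
            missing) printf 'MISSING %s\n' "$rest" ;;
            *5*|*S*) printf 'CONTENT %s\n' "$rest" ;;
        esac
    done
}

# overlap: paths that carry a blocking attribute AND fail package verification.
overlap() {
    printf '%s\n' "$LSATTR_SAMPLE" | flag_chattr | while read -r _ path; do
        if printf '%s\n' "$RPM_V_SAMPLE" | flag_rpm | cut -d' ' -f2 \
            | grep -qxF "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

count_lines() { wc -l | tr -d ' '; }
chattr_count()  { printf '%s\n' "$LSATTR_SAMPLE" | flag_chattr | count_lines; }
rpm_count()     { printf '%s\n' "$RPM_V_SAMPLE"  | flag_rpm    | count_lines; }
overlap_count() { overlap | count_lines; }

# Report for the constructed samples. Replace the samples with
# `lsattr -d /bin/* /sbin/* /usr/bin/* /usr/sbin/*` and `rpm -Va` on a real host.
echo "== files with immutable/append-only attributes =="
printf '%s\n' "$LSATTR_SAMPLE" | flag_chattr
echo "== package files with changed or missing content =="
printf '%s\n' "$RPM_V_SAMPLE" | flag_rpm
echo "== flagged by both checks =="
overlap
```

The overlap is the interesting list: a binary that both fails `rpm -V` and has been made immutable is almost certainly a replaced file rather than a local edit, which matches the chattr pattern Chuck found in the rootkit's setup script.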
