[ale] Forcing RW on boot

Dennis Ruzeski denniruz at gmail.com
Tue Mar 30 15:32:46 EDT 2010


Many compromised systems I've seen with extX filesystems have the RO
set at the fs level. Are you able to run an lsattr on the partition to
see if it's read-only?

(I'm late looking at this; apologies if someone else already mentioned it.)

--Dennis



On Tue, Mar 30, 2010 at 3:08 PM, Chris Fowler
<cfowler at outpostsentinel.com> wrote:
> On Tue, 2010-03-30 at 14:31 -0400, Brian Pitts wrote:
>> On 03/30/2010 12:57 PM, Chris Fowler wrote:
>> > I'm dealing with a server that has been hacked and mount is corrupted.
>> > I can not remount root as rw so what I'm trying to do is pass command
>> > line arguments to the kernel via grub to do it.  I've specified 'rw' but
>> > it is still ro and I'm passing init=/bin/sh.  My goal is to upload
>> > pieces off a CentOS 5.4 install image to boot into a serial mode so that
>> > I can reload the box over the Internet.
>>
>> Is there a separate /boot partition that you can write to? If so, drop
>> something like Tiny Core Linux [0] on it, set grub to boot that and
>> start ssh, and repair things from there.
>>
>> Another idea if you can write to /boot would be to use rom-o-matic [1]
>> to generate a gpxe [2] image bootable by grub (lkrn format). You could
>> then use gpxe to boot another distribution over http. Instead of setting
>> up your own, you could just use the lkrn and server from boot.kernel.org
>
> I'm pretty much stuck with what I've got.
>
> I think for future systems I'll add the following.
>
> 1.  A reboot command that follows instructions
> 2.  A busybox binary with no symlinks and is statically linked that I
> can use in emergency
> 3.  CentOS rescue CD in grub so I can boot alternative.
> 4.  CentOS load CD in grub so I can reload.
>
> #4 will help me not ask users to burn CDs for me.  I ship CDs with the
> servers, including a reload cd that in under 10 minutes can make the
> server whole again, but people lose them.
>
>
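
The lsattr check suggested at the top of this message, as an added example that is not part of the original thread: two shell helpers that separate "root is mounted read-only" from "individual files carry the immutable (`i`) or append-only (`a`) attribute". The function names and the sample `lsattr` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for "root will not go read-write".

# Print "FLAGS PATH" for each lsattr entry (read from stdin) that carries
# i (immutable) or a (append-only). Matching is case-sensitive, so
# A (no atime updates) and I (indexed directory) are not flagged.
flagged_attrs() {
    while read -r attrs path; do
        case "$attrs" in
            ''|*:) continue ;;   # blank lines, "dir:" headers, "lsattr:" errors
        esac
        [ -n "$path" ] || continue
        flags=
        case "$attrs" in *i*) flags="immutable" ;; esac
        case "$attrs" in *a*) flags="${flags:+$flags,}append-only" ;; esac
        if [ -n "$flags" ]; then printf '%s %s\n' "$flags" "$path"; fi
    done
    return 0
}

# Print ro, rw or unknown for "/" from a /proc/mounts-format file
# (default: /proc/mounts). The last matching entry wins, because
# rootfs is listed before the real root device.
root_mount_mode() {
    mode=unknown
    while read -r _dev mnt _type opts _rest; do
        [ "$mnt" = "/" ] || continue
        case ",$opts," in
            *,ro,*) mode=ro ;;
            *,rw,*) mode=rw ;;
        esac
    done < "${1:-/proc/mounts}"
    echo "$mode"
}

# Constructed sample of `lsattr -R` output (not taken from the thread).
sample_lsattr() {
    cat <<'EOF'
/bin:
----i-------- /bin/mount
------------- /bin/ls

-------A----- /var/log/wtmp
----ia------- /etc/fstab
EOF
}

sample_lsattr | flagged_attrs
```

On a live system, feed it real output with `lsattr -R /bin /sbin /etc 2>/dev/null | flagged_attrs` and compare against `root_mount_mode`.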


