Hi Eugene,

> If you are using vi(m), save with ":w!" command, with exclamation mark.
> Vi tries to be "friendly" and stops you if it *thinks* that you cannot
> write to the file rather than when attempt to write in fact fails.

I used vi, pico and midnight commander. I even tried to copy, move and to echo into the file. To no avail. User "root" didn't have the permission to modify /etc/shadow on that system.

Comparison of /proc/ksyms with a reference system did suggest that a malicious kernel module had been inserted, responsible for that hiccup. Apparently the insertion of this module was done before /etc/rc.d/rc.sysinit was completely executed upon server startup and the file had not been modified.

At that point I aborted my audit and suggested an OS restore. Now I wish I had at least taken the bandwidth-monitoring module apart, as it seems to have been replaced with the malicious LKM. Nothing else would make sense. :o/

--
With best regards,
Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer
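
Added example, not part of the original message: one way to script the /proc/ksyms comparison against a reference system that the message describes, flagging modules that are new and modules whose exported symbol set changed (the "replaced module" case). The snapshots, the module names `bwmon` and `xmod`, and all symbol names are constructed; the "address symbol [module]" line layout with an optional `_R<crc>` suffix is assumed.

```python
import re

# Constructed snapshots of /proc/ksyms from a reference host and the suspect host.
REFERENCE = """\
c0105000 printk_R1b7d4074
c0130000 kmalloc_R93d4cfe6
d0801060 bwmon_account_R0a1b2c3d\t[bwmon]
"""
SUSPECT = """\
c0105000 printk_R1b7d4074
c0130000 kmalloc_R93d4cfe6
d0801060 bwmon_account_R0a1b2c3d\t[bwmon]
d0801200 hook_open_Rdeadbeef\t[bwmon]
d0900060 init_hide\t[xmod]
"""

# address, symbol (version suffix stripped), optional [module]
LINE = re.compile(
    r'^[0-9a-fA-F]+\s+(\S+?)(?:_R[0-9a-fA-F]{8})?(?:\s+\[([^\]]+)\])?\s*$'
)

def parse_ksyms(text):
    """Return a set of (module, symbol); built-in symbols get module 'kernel'.
    Load addresses are ignored because they vary with module load order."""
    entries = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries.add((m.group(2) or "kernel", m.group(1)))
    return entries

def compare(reference, suspect):
    """Diff two snapshots by module name and by exported symbol."""
    ref, sus = parse_ksyms(reference), parse_ksyms(suspect)
    ref_mods = {mod for mod, _ in ref}
    sus_mods = {mod for mod, _ in sus}
    differing = {mod for mod, _ in ref ^ sus}
    return {
        "new_modules": sorted(sus_mods - ref_mods),
        "missing_modules": sorted(ref_mods - sus_mods),
        # same module name on both hosts, different exported symbols
        "changed_modules": sorted(differing & ref_mods & sus_mods),
        "extra_symbols": sorted(sus - ref),
    }

if __name__ == "__main__":
    for key, value in compare(REFERENCE, SUSPECT).items():
        print(f"{key}: {value}")
```

A clean diff does not clear the host: a module already running in the kernel can filter what /proc/ksyms reports, so the result is only evidence in one direction.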
