On 18/03/05 19:33 +0530, Ravi Kumar wrote:
> On Thu, 17 Mar 2005 12:55:18 +0530, Devdas Bhagat
> <[EMAIL PROTECTED]> wrote:
> > On 17/03/05 12:23 +0530, Ravi Kumar wrote:
> > > Hello
> > > I would like to know how to reinstall a package containing the
> > > utility 'chattr' when the 'chattr' file has been overwritten and
> > > also the immutable bit of the file is set.
> >
> > How did that happen?
> >
> > Devdas Bhagat
> >
>
> I am asking a question posed to me by a friend of mine. He is an RHCE
> :) . He gave me the following scenario.
>
> A person hacked as root into a machine running Linux. He first copied
> the chattr utility to another location. Then he overwrote the original
> file (chattr) by doing:
>
> # cp /bin/date /usr/bin/chattr
>
> Then he made some changes to the /etc/shadow and /etc/passwd files.
> Now using the previously copied chattr file, he made the following
> files immutable:
> passwd, shadow, passwd-, shadow- and lastly the overwritten chattr file
> in the original location.
>
> Lastly, before he logged out, he deleted the copied chattr file.
>
> Now if you try to unset the immutable bit, it can't be done because
> chattr is corrupted. Also you cannot reinstall it because the corrupt
> chattr file had been set as immutable.
>
> So what is the way around it?

If the host has been cracked, format, reinstall, patch, harden, restore
data from backup and then bring the host online.

Don't bother trying to fix chattr. That is fixing the wrong element.

Devdas Bhagat
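
A triage check for the condition described in this thread, added here as an example and not part of the original messages: it reads inode flags directly with the `FS_IOC_GETFLAGS` ioctl (the call `lsattr` uses), so it does not depend on the `lsattr` or `chattr` binaries on the host. The function names and the `WATCHED` list are assumptions for illustration; the paths are the ones named in the scenario, with the account files taken to live under `/etc`.

```python
import fcntl
import os
import struct

# _IOR('f', 1, long) in the asm-generic ioctl encoding (x86, ARM);
# assumption: other architectures may encode the direction bits differently.
_LONG = struct.calcsize("l")
FS_IOC_GETFLAGS = (2 << 30) | (_LONG << 16) | (ord("f") << 8) | 1

# Flag bits from <linux/fs.h>: FS_IMMUTABLE_FL and FS_APPEND_FL.
FLAG_NAMES = {0x00000010: "immutable", 0x00000020: "append-only"}

# Files named in the scenario above.
WATCHED = ["/etc/passwd", "/etc/shadow", "/etc/passwd-", "/etc/shadow-",
           "/usr/bin/chattr"]


def decode_flags(flags):
    """Return the names of the write-blocking flags set in a flags word."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def read_flags(path):
    """Return the inode flags of path, or None if they cannot be read
    (missing file, no permission, or a filesystem without flag support)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return None
    try:
        buf = bytearray(_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)  # kernel fills buf in place
        return struct.unpack_from("I", buf)[0]  # kernel writes a 32-bit int
    except OSError:
        return None
    finally:
        os.close(fd)


def audit(paths=WATCHED):
    """Map each path to its list of flag names, or None if unreadable."""
    report = {}
    for path in paths:
        flags = read_flags(path)
        report[path] = None if flags is None else decode_flags(flags)
    return report


if __name__ == "__main__":
    for path, found in audit().items():
        state = "unreadable" if found is None else (", ".join(found) or "no flags")
        print(f"{path}: {state}")
```

An immutable flag on any of these files is an indicator to record before rebuilding the host, as the reply advises, not a repair step.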
