Ravi Kumar wrote:
>
> I am asking a question posed to me by a friend of mine. He is an RHCE
> :) . He gave me the following scenario.
>
> A person hacked as root into a machine running linux. He first copied
> the chattr utility to another location. Then he overwrote the original
> file (chattr) by doing:
>
> # cp /bin/date /usr/bin/chattr
>
> Then he made some changes to the /etc/shadow and /etc/passwd files.
> Now using the previously copied chattr file, he made the following
> files immutable:
> passwd, shadow, passwd-, shadow- and lastly the overwritten chattr file
> in the original location.
>
> Lastly, before he logged out, he deleted the copied chattr file.
>
> Now if you try to unset the immutable bit, it can't be done because
> chattr is corrupted. Also you cannot reinstall it because the corrupt
> chattr file had been set as immutable.
>
> So what is the way around it?
>
> I know how to do it if it is running redhat. rpm has an option to
> install the package in another location. But if it is any other
> distro like debian or slackware, how to come out of the situation.
> That is my question.

If it's just for fun/a test, copy an unmodified chattr binary from some other machine, copy it to some directory and do the ./chattr fireup.

rrs

-- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is research".

_______________________________________________
linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help
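
An added example, not part of the original thread: the immutable bit in the scenario above can be read and cleared without any chattr binary, because chattr is only a wrapper around the FS_IOC_GETFLAGS and FS_IOC_SETFLAGS ioctls. The function names are illustrative, the constants are taken from <linux/fs.h>, and the ioctl numbers assume the x86/ARM encoding.

```python
import fcntl
import os
import struct
import sys

# Constants from <linux/fs.h>. The ioctl numbers are built with the _IOR/_IOW
# encoding used on x86 and ARM (assumption: other architectures may differ).
_LONG = struct.calcsize("l")
FS_IOC_GETFLAGS = (2 << 30) | (_LONG << 16) | (ord("f") << 8) | 1
FS_IOC_SETFLAGS = (1 << 30) | (_LONG << 16) | (ord("f") << 8) | 2
FS_IMMUTABLE_FL = 0x00000010  # shown as 'i' by lsattr
FS_APPEND_FL = 0x00000020     # shown as 'a' by lsattr

def describe(flags):
    """Return lsattr-style letters for the two flags that block writes."""
    return ("i" if flags & FS_IMMUTABLE_FL else "-") + \
           ("a" if flags & FS_APPEND_FL else "-")

def without_immutable(flags):
    """Return flags with only the immutable bit cleared; others are kept."""
    return flags & ~FS_IMMUTABLE_FL

def read_flags(path):
    """Read inode flags via ioctl; None if the filesystem has no support."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = bytearray(_LONG)  # the kernel fills in a 32-bit int
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)
        return struct.unpack_from("I", buf)[0]
    except OSError:
        return None
    finally:
        os.close(fd)

def clear_immutable(path):
    """Clear the immutable bit (needs CAP_LINUX_IMMUTABLE, i.e. root)."""
    flags = read_flags(path)
    if flags is None or not flags & FS_IMMUTABLE_FL:
        return False  # nothing to clear, or flags not supported here
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        new = struct.pack("I", without_immutable(flags))
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, new)
    finally:
        os.close(fd)
    return True

if __name__ == "__main__":
    for p in sys.argv[1:]:  # e.g. /usr/bin/chattr /etc/passwd /etc/shadow
        before = describe(read_flags(p) or 0)
        print(p, before, "cleared" if clear_immutable(p) else "unchanged")
```

Once the bit is cleared on /usr/bin/chattr, the distribution's package containing chattr can be reinstalled normally.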
