On Thu, Jan 25, 2001 at 04:48:58AM -0330, Mike Pelley wrote:
> Folks,

> I'm cleaning up a system that was hacked (curses on wu-ftp!).  There are a
> number of files that cannot be reverted to their non-hacked form,
> specifically, /bin/ps and /bin/netstat.  If I try to delete them, for example
> /bin/ps, I get this error:
>       rm: cannot unlink `ps': Operation not permitted
> I've taken a look at status and get:
>   File: "/bin/ps"
>   Size: 33281        Filetype: Regular File
>   Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
> Device: 48,1   Inode: 108742    Links: 1
> Access: Thu Jan 25 03:38:03 2001(00000.01:02:45)
> Modify: Mon Jan 15 13:12:44 2001(00009.15:28:04)
> Change: Mon Jan 22 19:47:13 2001(00002.08:53:35)

        Check it with lsattr and see what you get.

> So, I guess this means that the file has a hard link to some other file.
> Then I did a search for that inode:
>       find / -inum 108742 -print
> but I don't find any other files that are linked to it!

        No.  One link into the file system.

> There has to be some way to delete these files.  What am I missing?

        Potentially several things.  The file "attributes" (lsattr/chattr)
may be set to something like RO or Append-Only.  The kernel may be modified
with a stealth module.  You've definitely got a root kit on that system
and should seriously consider reinstalling.  This time, update the system
and keep it up to date.  That bug was fixed months ago!

        One other thing, real important to me...  Check to see if you have
a directory /usr/src/.puta on that system.  If you do, tar it up and mail
it to me at Internet Security Systems, ASAP, please!  It may be a new,
vicious, version of the Ramen worm and I need a specimen.  My address
there is [EMAIL PROTECTED], or you can send it here to [EMAIL PROTECTED].  My
PGP key is 0xdf1dd471 if you want to encrypt it.  I need to determine
the extent of the compromise in this new worm so I can advise people
on the action to take when hit!  Anyone with a compromised system should
check for that directory and contact me directly if they find it!

        If it is what I think it is, you might not be able to even trust
the kernel you are booting with, because of the stealth modules.

> HELP!

> Thanks in advance.
> 
> Cheers,
> Mike

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
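The check Michael describes above, as an added example that is not part of the thread: classify the lsattr attribute field and triage a path whose rm fails with EPERM despite a link count of 1. The triage_path function assumes Linux with GNU stat and e2fsprogs' lsattr; the sample lsattr lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a binary that "rm" refuses to
# unlink with "Operation not permitted" even though stat shows Links: 1,
# following the reply's advice to check the ext2 attributes (lsattr/chattr).

# Extract the attribute field from one line of lsattr output ("<flags> <path>"),
# e.g. "----i--------e-- /bin/ps" (constructed sample) -> "----i--------e--".
lsattr_flags() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# Classify the flags: lowercase 'i' (immutable) forbids unlink, rename, write
# and hard-linking; lowercase 'a' (append-only) also forbids unlink but permits
# appends. Either one makes rm fail with EPERM, even for root, until cleared.
# Prints one of: immutable | append-only | both | none
classify_lsattr() {
    flags=$(lsattr_flags "$1")
    case "$flags" in
        *i*a*|*a*i*) echo both ;;
        *i*)         echo immutable ;;
        *a*)         echo append-only ;;
        *)           echo none ;;
    esac
}

# Live check of one path (Linux, GNU coreutils stat, e2fsprogs lsattr).
# Prints the hard-link count and the attribute verdict. A file with one link
# and no i/a flag that still cannot be unlinked points below the filesystem
# layer, i.e. the kernel-module scenario the reply warns about.
triage_path() {
    path=$1
    links=$(stat -c %h "$path" 2>/dev/null) || { echo "$path: not found"; return 1; }
    line=$(lsattr "$path" 2>/dev/null) || { echo "$path: lsattr failed"; return 1; }
    verdict=$(classify_lsattr "$line")
    echo "$path: links=$links attrs=$verdict"
    case "$verdict" in
        none) echo "  no i/a flag; if rm still fails, do not trust the running kernel" ;;
        *)    echo "  clear with: chattr -ia '$path'; then verify with: rpm -Vf '$path'" ;;
    esac
}

# Usage: sh triage.sh /bin/ps /bin/netstat
for p in "$@"; do
    triage_path "$p"
done
```

Clearing the flag only lets you remove the trojaned binary; as the reply says, a system with a root kit should be reinstalled rather than cleaned file by file.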



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list