Re: Re: root is unable to change file permissions!

2005-06-04 Thread s. keeling
Incoming from Andreas Hatz:
 
 Thanks for the tip re the chkrootkit. There are a couple of warnings:
 
 Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit 
 installed
 Checking `lkm'... You have 3 process hidden for ps command
 Warning: Possible LKM Trojan installed
 
 This is great info, but now I need to find a way to get rid of them.

Actually, you need a resource to explain what it found.  See the
chkrootkit mailing list archives at:

   http://marc.theaimsgroup.com/?l=chkrootkit-users


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling  Please don't Cc: me.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: root is unable to change file permissions!

2005-06-04 Thread Todd A. Jacobs
On Fri, Jun 03, 2005 at 08:04:17PM +1200, Andreas Hatz wrote:


 We have an interesting phenomenon occurring on one of our servers. We
 have noticed that two files in the /bin directory have had their
 executable permissions removed and we are unable to chmod the files as
 root.

Check the output of mount; is the filesystem read-only? Check lsattr for
append and immutable flags. Check getfacl, if your filesystem supports
ACLs.

If none of the obvious things turn up, I'd suspect a compromise.

-- 
Re-Interpreting Historic Miracles with SED #141: %s/water/wine/g





Re: root is unable to change file permissions!

2005-06-03 Thread michael
On Fri, 2005-06-03 at 20:04 +1200, Andreas Hatz wrote:
 Hello Debian Users,
  
 We have an interesting phenomenon occurring on one of our servers. We
 have noticed that two files in the /bin directory have had their
 executable permissions removed and we are unable to chmod the files as
 root.
  
 current file permissions:
 -rw-r--r--   1 root root 35464 May 31 13:02 /bin/login
 -rw-r--r--   1 root root 54152 Aug 29  2001 /bin/netstat
  
 when trying to change permissions:
  
 ns:~# whoami
 root
 
 ns:~# id
 uid=0(root) gid=0(root) groups=0(root)
 
 ns:~# chmod 755 /bin/login
 chmod: changing permissions of `/bin/login': Operation not permitted
 
 We have tried doing the same thing from the rescue disc login prompt.
 same outcome.
  
 This seems to be a serious security issue. Root user seems to have
 lost control of some files. Other files can be changed using the above
 commands.
  
 Any ideas?

1) do not panic
2) what are the permissions of /bin
3) keep calm it's only an operating system (*)

M
(*) prob just a UK joke...





Re: root is unable to change file permissions!

2005-06-03 Thread Jurgen Stroo
Try to run a chkrootkit, to see if some binaries are replaced.
Also, how about the mounts, is /bin probably a mount, or is
/bin/login a symlink to a ro filesystem?

Jurgen



 Hello Debian Users,

 We have an interesting phenomenon occurring on one of our servers. We have 
 noticed that two files in the /bin directory have had their executable 
 permissions removed and we are unable to chmod the files as root.

 current file permissions:
 -rw-r--r--   1 root root 35464 May 31 13:02 /bin/login
 -rw-r--r--   1 root root 54152 Aug 29  2001 /bin/netstat

 when trying to change permissions:

 ns:~# whoami
 root

 ns:~# id
 uid=0(root) gid=0(root) groups=0(root)

 ns:~# chmod 755 /bin/login
 chmod: changing permissions of `/bin/login': Operation not permitted

 We have tried doing the same thing from the rescue disc login prompt. same 
 outcome.

 This seems to be a serious security issue. Root user seems to have lost 
 control of some files. Other files can be changed using the above commands.

 Any ideas?

 Best regards,

 Andreas Hatz






Re: root is unable to change file permissions!

2005-06-03 Thread Robert Storey
Using lsattr, see if the immutable flag has been set. Normally, no flags 
should be set:

[EMAIL PROTECTED]:~ lsattr *.txt
- 34sp-userguide.txt

If the immutable flag has been set, you can unset it with

  chattr -i filename

See man lsattr and man chattr.

While this will (hopefully) solve your immediate problem, the larger problem 
is that your system was possibly compromised, and the cracker has been 
messing with your flags. Which means you need to do major surgery on it 
(reinstall, tighten firewall rules, etc).

good luck,
RS

Friday 03 June 2005 16:04, Andreas Hatz wrote:
 Hello Debian Users,

 We have an interesting phenomenon occurring on one of our servers. We have
 noticed that two files in the /bin directory have had their executable
 permissions removed and we are unable to chmod the files as root.

 current file permissions:
 -rw-r--r--   1 root root 35464 May 31 13:02 /bin/login
 -rw-r--r--   1 root root 54152 Aug 29  2001 /bin/netstat

 when trying to change permissions:

 ns:~# whoami
 root

 ns:~# id
 uid=0(root) gid=0(root) groups=0(root)

 ns:~# chmod 755 /bin/login
 chmod: changing permissions of `/bin/login': Operation not permitted

 We have tried doing the same thing from the rescue disc login prompt. same
 outcome.

 This seems to be a serious security issue. Root user seems to have lost
 control of some files. Other files can be changed using the above commands.

 Any ideas?

 Best regards,

 Andreas Hatz





Re: Re: root is unable to change file permissions!

2005-06-03 Thread Andreas Hatz



Hello Robert,

when running lsattr I get mostly -- 
with a few exceptions:

ns:/bin# lsattr
suSiadAc-- /bin/ls
suSiadAc-- /bin/login
suSiadAc-- /bin/netstat
suSiadAc-- /bin/ps

also,
ns:/bin# lsattr /sbin
suSiadAc-- /sbin/ifconfig

Doesn't look too good for security. 

I have done a chattr -ASacdistu on all 
relevant directories, but I agree that this is a short term fix 
only.

Thanks all who gave advice on this one. Learnt 
something new after almost 10 years of linux sysadmin.

Cheers,

Andreas


Re: Re: root is unable to change file permissions!

2005-06-03 Thread Andreas Hatz



Hello Jurgen,

Thanks for the tip re the chkrootkit. There are a 
couple of warnings:

Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed

This is great info, but now I need to find a way to 
get rid of them.

Cheers,

Andreas