Re: SOLVED: permissions all zero when using 'cp'

2011-01-06 Thread Jochen Schulz
Martin Lorenz: Thanks to all, who helped it definitely was a rootkit. came in by this exim bug: Just out of curiosity: do you know when the attacker succeeded? The DSA was published Dec 10th. Did you have a (theoretical) chance to install the patch before the attack? J. -- I am on the

Re: SOLVED: permissions all zero when using 'cp'

2011-01-06 Thread Doug
On 01/06/2011 09:48 AM, Jochen Schulz wrote: Martin Lorenz: Thanks to all, who helped it definitely was a rootkit. came in by this exim bug: Just out of curiosity: do you know when the attacker succeeded? The DSA was published Dec 10th. Did you have a (theoretical) chance to install the patch

Re: SOLVED: permissions all zero when using 'cp'

2011-01-06 Thread Bob Proulx
Doug wrote: Jochen Schulz wrote: Martin Lorenz: Thanks to all, who helped it definitely was a rootkit. came in by this exim bug: Just out of curiosity: do you know when the attacker succeeded? The DSA was published Dec 10th. Did you have a (theoretical) chance to install the

SOLVED: permissions all zero when using 'cp'

2011-01-05 Thread Martin Lorenz
Thanks to all, who helped it definitely was a rootkit. came in by this exim bug: - - http://www.google.com/search?ie=UTF-8oe=UTF-8sourceid=navclientgfns=1q=exim4+root - - http://www.exim.org/lurker/message/20101210.164935.385e04d0.en.html - -

Re: permissions all zero when using 'cp'

2011-01-01 Thread Chris Davies
Martin Lorenz mar...@lorenz.priv.at wrote: i recently noticed some errors at my mail-server and so I tried to drill it down with my limited abilities. what I found is really strange: when copying a file (no matter which) the copy gets zero permissions. Silly question time, because I've

Re: permissions all zero when using 'cp'

2010-12-31 Thread Martin Lorenz
it gets weirder ... m...@x:/tmp$ ( env -i; LANG=C lsattr; ) - --- ./test - --- ./ssh-IxYCtP5517 - --- ./strace1 lsattr: Permission denied While reading flags on ./test.bak - ---

Re: permissions all zero when using 'cp'

2010-12-31 Thread Mike McClain
On Thu, Dec 30, 2010 at 08:26:31PM +0100, Martin Lorenz wrote: snip stat64(testfile2, 0xbfffd7b0) = -1 ENOENT (No such file or directory) stat64(testfile1, {st_dev=makedev(144, 109), st_ino=37590572, st_mode=S_IFREG|S_ISUID|0450, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096,

Re: permissions all zero when using 'cp'

2010-12-31 Thread Cameron Hutchison
Martin Lorenz mar...@lorenz.priv.at writes: r...@vs152058:~# ( env -i date -R testfile1 ls -ldog testfile1 echo rm -f testfile2 echo cp testfile1 testfile2 ls -ldog testfile2 ) - -r-Sr-x--- 1 32 30. Dez 20:22 testfile1 This is really weird. Your testfile1 should not have been created

Re: permissions all zero when using 'cp'

2010-12-30 Thread Bob McGowan
On 12/29/2010 05:56 PM, Martin Lorenz wrote: Dear Gurus, i recently noticed some errors at my mail-server and so I tried to drill it down with my limited abilities. what I found is really strange: -deleted- r...@x:/tmp# ls -altr insgesamt 20 drwxrwxrwt 2 root root 4096 29. Dez

Re: permissions all zero when using 'cp'

2010-12-30 Thread Martin Lorenz
On 30.12.2010 04:40, Mike Bird wrote: I see Bob Proulx offered some great suggestions. Here are a few thoughts: Are you running anything like selinux? Could a clumsy rootkit have gotten into your system? this thought already hit me too :-(

Re: permissions all zero when using 'cp'

2010-12-30 Thread Martin Lorenz
Dear Bob, thank you for the hints I tried out, what you suggested. here are the results: On 30.12.2010 04:04, Bob Proulx wrote: type cp Martin Lorenz wrote: what I found is really strange: when copying a file (no matter which) the copy gets

Re: permissions all zero when using 'cp'

2010-12-30 Thread Martin Lorenz
I am afraid (just noticed this as you mention it) this extra dash is an artefact added by my mail client (thunderbird) to escape the double-dash at the beginning of a line. On 30.12.2010 18:17, Bob McGowan wrote: On 12/29/2010 05:56 PM, Martin

Re: permissions all zero when using 'cp'

2010-12-30 Thread Bob Proulx
Martin Lorenz wrote: m...@vs152058:~$ type cp cp is aliased to `cp -i' as root: r...@vs152058:~# type cp cp is /bin/cp It looks okay. I was hoping that it pointed to a different command that could be traced to a problem. But apparently not. Try running in a clean environment to see

permissions all zero when using 'cp'

2010-12-29 Thread Martin Lorenz
Dear Gurus, i recently noticed some errors at my mail-server and so I tried to drill it down with my limited abilities. what I found is really strange: when copying a file (no matter which) the copy gets zero permissions. looks like that:

Re: permissions all zero when using 'cp'

2010-12-29 Thread Mike Bird
On Wed December 29 2010 17:56:16 Martin Lorenz wrote: when copying a file (no matter which) the copy gets zero permissions. What's the result of running the umask command? Normally it's something like 0022. You may have 0777. --Mike Bird

Re: permissions all zero when using 'cp'

2010-12-29 Thread Martin Lorenz
that was my first guess ... $ umask 0022 should have mentioned sorry On 30.12.2010 03:41, Mike Bird wrote: On Wed December 29 2010 17:56:16 Martin Lorenz wrote: when copying a file (no matter which) the copy gets zero permissions. What's

Re: permissions all zero when using 'cp'

2010-12-29 Thread Bob Proulx
Martin Lorenz wrote: what I found is really strange: when copying a file (no matter which) the copy gets zero permissions. That is very strange. And I feel must be in your personal environment. If it were in the system then I think your system would have massive failures and would exhibit

Re: permissions all zero when using 'cp'

2010-12-29 Thread Mike Bird
I see Bob Proulx offered some great suggestions. Here are a few thoughts: Are you running anything like selinux? Could a clumsy rootkit have gotten into your system? What are the permissions of files created with touch, mkdir, vi? I'm not sure if anything bad in the filesystem could do this but