Re: chmod 666 ///

--- Harald Hoyer <harald@xxxxxxxxxx> wrote:

> Bruce Hyatt wrote:
> >>> I carelessly executed "chmod 666 ///" from a terminal as su
> >>> in a user account.

<snip>

> 
> Here is a fixed version taken from
> /usr/lib/rpm/rpmpopt-4.4.2.2:
> 
> # rpm  -qa --qf '[\[ -L %{FILENAMES:shescape} \] || chmod %7.7{FILEMODES:octal} %{FILENAMES:shescape}\n]' | grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | tee /dev/tty | sh

I executed this command and it seemed to run without a problem.
It didn't fix my problem though. I still can't startx and when I
try to log into my account it says "No directory /home/me" but
it _IS_ there with rwx permissions for owner.

I plan to re-install but after seeing the thread on compromised
systems I started to wonder. I ran nmap:

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
515/tcp open  printer

I have (had) a web server running.
I tried setting up ssh once and I believe it was set up to use
keys (SSH2).

I ran rpm -Va:

.M......    /dev/shm
......G.    /dev/tty0
.M....G.    /dev/tty2
.M....G.    /dev/tty3
.M....G.    /dev/tty4
.M....G.    /dev/tty5
.M....G.    /dev/tty6
......G.    /dev/tty7
S.5....T  c /etc/openldap/ldap.conf
S.5....T  c /etc/pam_smb.conf
.......T  c /etc/mail/sendmail.cf
S.5....T  c /var/log/mail/statistics
S.5....T  c /etc/ntp.conf
S.5....T  c /etc/hotplug/usb.usermap
S.5....T  c /etc/krb.conf
S.5....T  c /etc/yum.conf
.......T  c /etc/inittab
S.5....T  c /etc/rc.d/rc.local
..5....T  c /etc/sysctl.conf
.......T  c /var/lib/nfs/etab
.......T  c /var/lib/nfs/xtab
S.5....T  c /etc/ntp/ntpservers
S.5....T  c /etc/php.ini
S.5....T  c /etc/sysconfig/rhn/up2date
S.5....T  c /etc/sysconfig/rhn/up2date-uuid
.......T    /usr/lib/security/classpath.security
.......T    /usr/lib/security/libgcj.security
S.5....T  c /etc/alchemist/namespace/printconf/local.adl
S.5....T  c /etc/sysconfig/system-config-securitylevel
.......T    /usr/bin/addr2name.awk
S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T  c /etc/pam.d/system-auth
.......T  c /etc/yp.conf
S.?.....    /usr/lib/libao.so.2.1.2
S.?.....    /usr/lib/libgtkspell.so.0.0.0
S.5....T  c /etc/sysconfig/pcmcia
missing    /usr/java/jre1.5.0_12/lib/charsets.pack
missing    /usr/java/jre1.5.0_12/lib/deploy.pack
missing    /usr/java/jre1.5.0_12/lib/ext/localedata.pack
missing    /usr/java/jre1.5.0_12/lib/javaws.pack
missing    /usr/java/jre1.5.0_12/lib/jsse.pack
missing    /usr/java/jre1.5.0_12/lib/plugin.pack
missing    /usr/java/jre1.5.0_12/lib/rt.pack
..5....T  c /etc/aliases
S.5....T  c /etc/printcap
S.5....T  c /etc/profile
S.5....T  c /usr/share/a2ps/afm/fonts.map
S.5.....  c /etc/rndc.key
S.5....T  c /etc/sysconfig/named
S.5....T  c /etc/sysconfig/rhn/rhn-applet
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_apt.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_protocols.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_version.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_yum.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_sources.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_utils.pyc
S.5....T  c /etc/ppp/chap-secrets
S.5....T  c /etc/ppp/pap-secrets
.M......    /etc/cups
S.5....T  c /etc/cups/cupsd.conf
S.5....T  c /etc/cups/printers.conf
S.5....T  c /etc/xinetd.d/cups-lpd
.M......    /var/spool/cups/tmp
..5....T  c /etc/sysconfig/system-config-users
.......T    /usr/share/system-config-users/groupProperties.pyc
.......T    /usr/share/system-config-users/groupWindow.pyc
.......T    /usr/share/system-config-users/mainWindow.pyc
.......T    /usr/share/system-config-users/messageDialog.pyc
missing    /usr/share/system-config-users/selinux.pyc
missing    /usr/share/system-config-users/system-config-users.pyc
.......T    /usr/share/system-config-users/userGroupCheck.pyc
.......T    /usr/share/system-config-users/userProperties.pyc
.......T    /usr/share/system-config-users/userWindow.pyc
S.5....T  c /etc/mailcap
S.5....T  c /etc/mime.types
S.5....T  c /etc/ldap.conf
S.5....T    /usr/share/system-config-bind/ConfNamed.pyc
S.5....T    /usr/share/system-config-bind/FwdZone.pyc
S.5....T    /usr/share/system-config-bind/Zone.pyc
S.5....T  c /etc/xml/catalog
S.5....T  c /usr/share/sgml/docbook/xmlcatalog
S.5....T  c /etc/samba/smb.conf

Many lines appear to suggest it's compromised, but why would they
attack the RHN and other Python compiler scripts? Could this be
related to having changed file permissions?

I tried to run chkrootkit but I couldn't find it though I think
it's installed somewhere.

Does it look to YOU like someone's hijacked my system beyond
repair with a reinstall?

Thanks and sorry for the length (of the email).

Bruce
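
Added example, not part of the original message: a small triage script for `rpm -Va` output like the listing above, grouping each line by which verify flags are set so that permission-only drift, edited config files, byte-compiled Python files and changed non-config content can be reviewed separately. The category names and the `triage` helper are assumptions of this sketch; the sample lines are copied from the listing above.

```python
import re
from collections import defaultdict

# rpm 4.4 prints 8 flag columns (S M 5 D L U G T); newer rpm adds a 9th (P).
# An optional one-letter marker follows (c = %config file), then the path.
LINE = re.compile(r'^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$')
MISSING = re.compile(r'^missing\s+(?:[cdglr]\s+)?(?P<path>/.*)$')

def classify(line):
    """Return (category, path) for one rpm -V line, or None if unparseable."""
    line = line.strip()
    m = MISSING.match(line)
    if m:
        return "missing", m.group("path")
    m = LINE.match(line)
    if not m:
        return None
    changed = set(m.group("flags")) - {"."}
    path = m.group("path")
    if m.group("attr") == "c":
        return "config", path              # local edits to config files
    if changed & {"S", "5"}:               # size or digest differs
        if path.endswith((".pyc", ".pyo")):
            return "bytecode", path        # heuristic: Python can rewrite stale bytecode
        return "content-changed", path     # compare against a fresh package copy
    if "?" in changed:
        return "unverifiable", path        # rpm could not perform the test
    if changed & {"M", "U", "G"}:
        return "perms-only", path          # mode/owner/group drift, content intact
    return ("mtime-only" if changed <= {"T"} else "other"), path

def triage(text):
    groups = defaultdict(list)
    for line in text.splitlines():
        result = classify(line)
        if result:
            groups[result[0]].append(result[1])
    return dict(groups)

SAMPLE = """\
.M......    /dev/shm
.M....G.    /dev/tty2
S.5....T  c /etc/pam.d/system-auth
.......T    /usr/bin/addr2name.awk
S.?.....    /usr/lib/libao.so.2.1.2
missing    /usr/java/jre1.5.0_12/lib/rt.pack
S.5....T    /usr/share/rhn/rhn_applet/rhn_utils.pyc
"""

if __name__ == "__main__":
    for category, paths in sorted(triage(SAMPLE).items()):
        print(category, *paths, sep="\n  ")
```
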
