--- Received from VITEUR.BUNTERMA 04 72 96 57 77 08/11/02 10.39

From the little knowledge I have of hacked machines the most common element that was done was to install a root kit. This piece of nastiness when installed does all sorts of things to help the attacker manipulate the box. I have personally seen another root shell started that was extremely difficult to find. What it actually masqueraded as was another httpd line in a ps aux output - very clever.

So a root kit may have been installed onto your box. The attacker may or may not know exactly what was done to take control: only the fact that the root kit is controlling things for him (or her).

Try doing a search on root kits in Google, there are also several progs out there that can discover root kits - once you know which one was used you may be able to find the things it changes.

Rgs,
Matt

--------------------------------------------------------------------------
Date: Thu, 7 Nov 2002 14:55:04 -0500
Subject: Re: root unable to delete

The immutable bit may have been set.

    chattr +i <file>
or
    chattr -R +i <dir>

(This would recursively apply the immutable bit to every file and directory under <dir>.)

The immutable bit doesn't allow files to be edited or deleted even as root. To remove the bit run:

    chattr -i <file>
or
    chattr -R -i <dir>

That may be what the attacker did. At least one possibility. I knew someone who got hacked and that is what the attacker did.

On Thu, 7 Nov 2002, Administrator wrote:

> Greetings All,
>
> I had a machine get hacked on RH 7.2
> Whoever did it made some changes to files
> and did something to the file that does not
> allow me to delete the file, when I am logged
> in as root and the file is owned by root and
> is in the group of root and is set as 755 .
> I can't even edit and save the changes to the
> file.
>
> Can someone tell me how they did it ?
>
> I have removed the machine and rebuilt it but
> I would love to know how it was done.
>
> Thanks all,
> Mike
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
>

--
duane

'People demand freedom of speech to make up for the freedom of thought
which they avoid.' - Kierkegaard

http://www.linuxsecurity.com/feature_stories/feature_story-116.html
http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html -- Updated Version
http://www.linuxsecurity.com/feature_stories/feature_story-89.html
http://www.linuxsecurity.com/feature_stories/feature_story-88.html

---- 08/11/02 10.39 ---- Sent to -> security-discuss(a)linuxsecurity.com
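
An added example, not part of the thread: a POSIX shell filter that reads `lsattr -R` output and reports entries carrying the immutable (`i`) attribute discussed above, and also the append-only (`a`) attribute, which likewise stops root from deleting a file. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files that root cannot delete because of ext2/3/4
# file attributes, by parsing `lsattr` output.

# Read `lsattr` output on stdin; print "FLAGS<TAB>PATH" for each entry whose
# attribute field contains i (immutable) or a (append-only).
flagged_from_lsattr() {
    while IFS= read -r line; do
        attrs=${line%% *}   # attribute field: text before the first space
        path=${line#* }     # the rest is the path (may contain spaces)
        # Skip blank lines and "dir:" headers that have no space at all.
        [ -n "$line" ] && [ "$attrs" != "$line" ] || continue
        # A real attribute field holds only letters and dashes; this also
        # rejects "dir:" headers whose directory name contains a space.
        case $attrs in *[!A-Za-z-]*) continue ;; esac
        flags=
        case $attrs in *i*) flags=i ;; esac
        case $attrs in *a*) flags="${flags}a" ;; esac
        if [ -n "$flags" ]; then
            printf '%s\t%s\n' "$flags" "$path"
        fi
    done
    return 0
}

# Scan a live directory tree (needs lsattr from e2fsprogs; run as root so
# that unreadable directories are not silently skipped).
scan_tree() {
    lsattr -R "$1" 2>/dev/null | flagged_from_lsattr
}

# Constructed sample of `lsattr -R` output, so the filter runs offline.
SAMPLE='----i---------e------- /srv/www/index.html
--------------e------- /srv/www/style.css

/srv/www/my site:
-----a--------e------- /srv/www/my site/access.log
----ia--------e------- /etc/demo.conf'

printf '%s\n' "$SAMPLE" | flagged_from_lsattr
```

On a live system, `scan_tree /` lists every flagged path, and the `chattr -i` commands from the reply above clear the bit on the files it reports.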