I've been digging and the box does not appear to be hacked. I keep an md5 checksum of the initial install binaries (rpm is very useful for this) and the current binaries check out OK. This one file was in the webmin libexec collection (webmin for internal use only for easy user access to mysql and website updates). I need to check drive health next.<br>
<br><div class="gmail_quote">On Fri, Apr 11, 2008 at 12:37 AM, Bob Toxen <<a href="mailto:transam@verysecurelinux.com">transam@verysecurelinux.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
As Chris hinted at, assuming that the file system is mounted R/W and<br>
not R/O, it is likely that a hacker has set the immutable bit. Assuming<br>
the file is named /foo/bar, first do:<br>
<br>
lsattr /foo/bar<br>
<br>
If you see anything other than dashes before the name, especially,<br>
<br>
----i--------- /foo/bar<br>
<br>
Then the immutable bit has been set. This bit prevents any of the<br>
normal operations that alter the file or its i-node data from happening,<br>
even for root.<br>
<br>
Issue the command:<br>
<br>
chattr -i /foo/bar<br>
<br>
and<br>
<br>
lsattr /foo/bar<br>
<br>
and expect to see<br>
<br>
-------------- /foo/bar<br>
<br>
At that point you should be able to do a chmod on the file. Assuming it<br>
wasn't another SysAdmin playing a joke on you, you have been hacked so<br>
the real work begins. Don't just reboot or throw away current data and<br>
just restore from a backup.<br>
<br>
Proper recovery is covered starting at page 667 of Real World Linux<br>
Security, Second Edition.<br>
<br>
Bob Toxen<br>
<a href="mailto:bob@verysecurelinux.com">bob@verysecurelinux.com</a> [Please use for email to me]<br>
<a href="http://www.verysecurelinux.com" target="_blank">http://www.verysecurelinux.com</a> [Network&Linux security consulting]<br>
<a href="http://www.realworldlinuxsecurity.com" target="_blank">http://www.realworldlinuxsecurity.com</a> [My book:"Real World Linux Security 2/e"]<br>
Quality spam and virus filters.<br>
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.<br>
<br>
"Microsoft: Unsafe at any clock speed!"<br>
<font color="#888888"> -- Bob Toxen 10/03/2002<br>
</font><div><div></div><div class="Wj3C7c"><br>
On Thu, Apr 10, 2008 at 05:18:18PM +0000, <a href="mailto:cdcoleman@bellsouth.net">cdcoleman@bellsouth.net</a> wrote:<br>
> -------------- Original message from "Jim Kinney" <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>>: --------------<br>
<br>
> I have a file that appears to be chmod'ed 000 , yes no read, write or execute for any one. As root, I can't chmod it. I am puzzled and a tad concerned.<br>
<br>
> Thoughts?<br>
> --<br>
> --<br>
> James P. Kinney III<br>
> Try lsattr file_name to see if the immutable(i) attribute was added. If so, try as root, chattr -i file_name to remove it.<br>
<br>
> [root@test15 ~]# chattr +i cd_load.log<br>
> [root@test15 ~]# lsattr cd_load.log<br>
> ----i-------- cd_load.log<br>
> [root@test15 ~]# chmod 755 cd_load.log<br>
> chmod: changing permissions of `cd_load.log': Operation not permitted<br>
<br>
> Chris Coleman<br>
</div></div><div><div></div><div class="Wj3C7c">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III <br>
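A small audit helper for the situation the thread describes, added here as an example and not taken from any message above: it parses lsattr output (the "&lt;flags&gt; &lt;path&gt;" lines shown in the replies) and reports every file carrying the immutable (i) or append-only (a) flag, so a tree such as a webmin libexec directory can be swept for locked files instead of discovering them one chmod failure at a time. The directory passed to audit_tree and the sample lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report files whose ext attributes carry the immutable (i)
# or append-only (a) flag, the attributes chattr +i / +a set and chmod
# cannot override even as root.

# find_locked_attrs: read lsattr-formatted lines ("<flags> <path>") on stdin
# and print "immutable <path>" / "append-only <path>" for each locked file.
# Blank lines and the "dir:" headers that lsattr -R prints are skipped.
find_locked_attrs() {
    while IFS= read -r line; do
        case "$line" in
            ''|*:) continue ;;              # blank line or "dir:" header
        esac
        flags=${line%% *}                   # attribute field before the first space
        path=${line#* }                     # the rest is the path (spaces allowed)
        [ "$flags" = "$line" ] && continue  # no space at all: not a file line
        case "$flags" in *i*) printf 'immutable %s\n' "$path" ;; esac
        case "$flags" in *a*) printf 'append-only %s\n' "$path" ;; esac
    done
}

# audit_tree: run lsattr recursively over one directory (needs an ext2/3/4
# filesystem and normally root) and feed the result through the parser.
# The directory argument is whatever you want swept, e.g. a webmin libexec path.
audit_tree() {
    lsattr -R "$1" 2>/dev/null | find_locked_attrs
}

if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Pair the output with package verification (rpm -V) as the top message describes: a file the package manager reports intact but that carries an unexpected immutable flag still needs an explanation.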