[ale] file perms

Jim Kinney jim.kinney at gmail.com
Sat Apr 12 09:34:16 EDT 2008


I've been digging and the box does not appear to be hacked. I keep an md5
checksum of the initial install binaries (rpm are very useful for this) and
the current binaries check out OK. This one file was in the webmin libexec
collection (webmin for internal use only for easy user access to mysql and
website updates). I need to check drive health next.

On Fri, Apr 11, 2008 at 12:37 AM, Bob Toxen <transam at verysecurelinux.com>
wrote:

> As Chris hinted at, assuming that the file system is mounted R/W and
> not R/O, it is likely that a hacker has set the immutable bit.  Assuming
> the file is named /foo/bar, first do:
>
>     lsattr /foo/bar
>
> If you see anything other than dashes before the name, especially,
>
>     ----i--------- /foo/bar
>
> Then the immutable bit has been set.  This bit prevents any of the
> normal operations that alter the file or its i-node data from happening,
> even for root.
>
> Issue the command:
>
>     chattr -i /foo/bar
>
> and
>
>     lsattr /foo/bar
>
> and expect to see
>
>     -------------- /foo/bar
>
> At that point you should be able to do a chmod on the file.  Assuming it
> wasn't another SysAdmin playing a joke on you, you have been hacked so
> the real work begins.  Don't just reboot or throw away current data and
> just restore from a backup.
>
> Proper recovery is covered starting at page 667 of Real World Linux
> Security, Second Edition.
>
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security
> 2/e"]
> Quality spam and virus filters.
> Quality Linux & UNIX security and SysAdmin & software consulting since
> 1990.
>
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
>
> On Thu, Apr 10, 2008 at 05:18:18PM +0000, cdcoleman at bellsouth.net wrote:
> > -------------- Original message from "Jim Kinney" <jim.kinney at gmail.com>: --------------
>
> > I have a file that appears to be chmod'ed 000 , yes no read, write or
> > execute for any one. As root, I can't chmod it. I am puzzled and a tad
> > concerned.
>
> > Thoughts?
> > --
> > --
> > James P. Kinney III
> > Try lsattr file_name to see if the immutable(i) attribute was added.
> > If so, try as root, chattr -i file_name to remove it.
>
> > [root at test15 ~]# chattr +i cd_load.log
> > [root at test15 ~]# lsattr cd_load.log
> > ----i-------- cd_load.log
> > [root at test15 ~]# chmod 755 cd_load.log
> > chmod: changing permissions of `cd_load.log': Operation not permitted
>
> > Chris Coleman
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>



-- 
-- 
James P. Kinney III
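The lsattr check described in Bob's reply, written up as a small triage script. This is an added example, not code from the original thread: it parses lsattr-style output (the `<attrs> <path>` format quoted above), reports every file carrying the immutable (i) or append-only (a) attribute, and includes a wrapper for scanning a real tree with `lsattr -R`. The sample lines and the webmin path in them are constructed.

```sh
#!/bin/sh
# Added example (not from the original thread): find files that cannot be
# modified even by root because a chattr attribute is set on them.
# lsattr prints "<attrs> <path>", e.g. "----i-------- cd_load.log";
# an 'i' in the attribute field means immutable, an 'a' means append-only.

# Reads lsattr-style lines on stdin and prints "<reason> <path>" for each
# file with the immutable or append-only attribute set.
flag_locked_attrs() {
    while IFS= read -r line; do
        case "$line" in
            ''|*:) continue ;;   # skip blank lines and "dir:" headers from lsattr -R
        esac
        attrs=${line%% *}        # text before the first space
        path=${line#* }          # everything after it (paths may contain spaces)
        case "$attrs" in *i*) printf 'immutable %s\n' "$path" ;; esac
        case "$attrs" in *a*) printf 'append-only %s\n' "$path" ;; esac
    done
}

# Scan a directory tree for real; errors for files lsattr cannot read are
# dropped so one unsupported filesystem does not abort the sweep.
scan_dir() {
    lsattr -R "$1" 2>/dev/null | flag_locked_attrs
}

# Constructed sample output modelled on the lines quoted in the thread.
# The 'e' on the last line is the ordinary ext4 "extents" flag and must
# not be reported.
SAMPLE='-------------- /foo/bar
----i-------- /usr/libexec/webmin/example.cgi
-----a------- /var/log/cd_load.log
-------------e- /etc/passwd'

printf '%s\n' "$SAMPLE" | flag_locked_attrs
```

Run `scan_dir /usr/libexec` (or any tree you suspect) on a live box; anything reported that you did not set yourself deserves the same scrutiny as the one file in the thread.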