Security Incidents mailing list archives
Re: Compromised...
From: razor () LDC RO (Alexandru Popa)
Date: Tue, 15 Feb 2000 08:51:50 +0200
On Mon, 14 Feb 2000, Stephen J. Friedl wrote:
> While trying to get the system back up enough to assess, I found that I could not replace certain binaries in /bin with fresh-from-CD versions: a few limited files got "operation not permitted" when I tried to rename or remove them. I was running Red Hat Linux 5.2: it is conceivable that he could have installed some kind of kernel module to have helped keep him around? I still have the old drive freeze-dried and available.
Linux has file attributes, besides permissions. You could do a lsattr on the files. If they have the "a" (append-only) or "i" (immutable) flag, then you could replace them by removing the flag first, i.e.: "chattr -ia filename"

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro|  -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here."
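
Added example (not part of the original message): a small shell filter that reads `lsattr` output and lists only the files carrying the "i" or "a" flag, so they can be recorded before any "chattr -ia". The function names, the sample paths and the sample flag strings are constructed for illustration.

```shell
#!/bin/sh
# Triage helper: pick out files whose attribute field contains
# "i" (immutable) or "a" (append-only) from lsattr output on stdin.
# Real use (assumed invocation):  lsattr -R /bin 2>/dev/null | flagged_files

flagged_files() {
    # Each lsattr line is "<flags> <path>"; the path may contain spaces.
    while read -r attrs path; do
        # Skip blank lines and single-word "dir:" headers from lsattr -R.
        [ -n "$path" ] || continue
        # The flag field holds only letters and dashes; anything else
        # (e.g. a header for a directory with a space in its name) is skipped.
        case "$attrs" in *[!A-Za-z-]*) continue ;; esac
        found=""
        case "$attrs" in *i*) found="${found}i" ;; esac
        case "$attrs" in *a*) found="${found}a" ;; esac
        if [ -n "$found" ]; then
            # Output: flags found, a tab, then the path.
            printf '%s\t%s\n' "$found" "$path"
        fi
    done
    return 0
}

# Constructed sample of `lsattr -R` output (not taken from the incident).
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /bin/login
-----a--------e------- /bin/ps
--------------e------- /bin/ls

/bin/my dir:
--------------e------- /bin/my dir/tool
EOF
}

# Demonstration on the constructed sample.
sample_lsattr | flagged_files
```
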