|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Simon Byrnand (simon
igrin.co.nz)Date: Wed Oct 10 2001 - 17:53:49 CDT
At 12:02 PM 10/10/01 +0200, Thanas wrote:
>Hi,
>
>after an intrusion in a linux system (2.2) using (I suppose) a
>vulnerability in bind 8.2.2 I've experienced a strange behaviour:
>
>the attacker installed a corrupted version of /bin/login and when
>i typed:
>
># mv /safe/version/path/login /bin/login
>
>I just obtained the message 'Operation not permitted' ... How is
>it possible ? I had to use low level tools directly on the ext2
>filesystem to delete that file ...
As other have mentioned, chattr will have been used to make the file
immutable.
However nobody seems to have warned you that if you found one trojan
executable that was immutable, it is almost certain there are OTHERS.
You should check your system *VERY* carefully for signs of tampering,
because more than likely, your system is still trojaned. Two ways that will
help is:
1) Use the lsattr command to recursively check the ext2 attributes of all
files looking for other files that are immutable, especially in bin
directorys, eg:
cd /
lsattr -aR bin boot etc home lib misc mnt opt root sbin tmp usr var
Two directories you should NOT check are /dev and /proc. Especially /dev
because if you have the kernel module auto-loader compiled in, lsattr
probing each device node will cause the drivers to attempt to load which
*may* crash your server. You want to check all other directories.
On a standard Linux install (at least with Redhat in my experience) *NO*
files should have any ext2 attributes such as immutable set, unless you
yourself have done it.
2) If your system is RPM based, you can use the MD5 verification feature of
rpm to verify the integrity of critical system binaries that are likely to
be altered, including - login, in.telnetd, ps, ls, top.
For example, to find what package owns /bin/login
rpm -qf /bin/login
returns util-linux-2.10f-7 in my case.
You can then get rpm to verify files that were installed from that package:
rpm -V util-linux-2.10f-7
which will show lines like:
S.5....T c /etc/pam.d/login
For each file that is change. Of course it is normal for configuration
files or possibly scripts to be changed since installation, but never the
binary. (Unless you installed a non-rpm version of the same program over
the top of it)
Both of these will catch a lot of things out, but keep in mind that you can
*NEVER* be 100% sure that your machine is free of being trojaned.
Regards,
Simon
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]