OSEC

From: William York (why317yahoo.com)
Date: Wed Oct 10 2001 - 14:07:25 CDT


    >
    > after an intrusion in a linux system (2.2) using (I suppose) a
    > vulnerability in bind 8.2.2 I've experienced a strange behaviour:
    >

    I'd say it's time to upgrade to a later version of BIND.

    >
    > the attacker installed a corrupted version of /bin/login
    >

    If /bin/login is suspect, what makes you think the rest of the system
    is O.K.?

    > and when i typed:
    >
    > # mv /safe/version/path/login /bin/login
    >
    > I just obtained the message 'Operation not permitted' ... How is
    > it possible ? I had to use low level tools directly on the ext2
    > filesystem to delete that file ...
    >

    Um, I'd look first at a corrupted version of 'rm', 'mv' and all other
    executables. I would personally recommend that you back up critical
    data and baseline the system, making sure that you change all
    passwords along the way. Once the system has been compromised once,
    especially as 'root', it's very hard and very tedious to repair it.

    Good luck,
    -Bill

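The advice in the reply above to back up critical data and baseline the system, together with the symptom in the quoted question (root's mv on ext2 refused with 'Operation not permitted', which the thread does not explain but is the usual signature of the ext2 immutable attribute set with chattr +i), as an added worked example that is not part of the original thread: a minimal file-integrity baseline that records a hash plus ownership and mode for every file under a directory and reports what changed, and a parser that pulls immutable-flagged paths out of lsattr output. The function names, the temporary 'bin' tree and the sample lsattr lines are all constructed for this example.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline plus an lsattr parser.

Added example (not from the original thread): records a SHA-256/metadata
fingerprint of every file under a directory, verifies it later, and flags
files carrying the ext2 immutable ('i') attribute in lsattr output.
Run the hashing from trusted boot media and keep the baseline off the box:
a trojaned python or sha256sum would lie about its own replacement, which is
the point the reply makes about 'rm' and 'mv'.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash file contents (or a symlink target) plus ownership and mode.

    Metadata alone is not enough: a replacement binary padded to the
    original size with the original mtime restored still changes the hash.
    """
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Map each regular file or symlink under root (relative path) to its fingerprint."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or p.is_file():
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a stored baseline and report the differences."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def immutable_from_lsattr(output: str) -> list:
    """Return paths whose lsattr flag field contains 'i' (immutable).

    'Operation not permitted' for root's mv/rm on ext2 is the usual symptom
    of chattr +i; clear it with chattr -i before replacing the file.
    """
    found = []
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:  # skip blank lines and "/dir:" headers from lsattr -R
            continue
        flags, path = parts
        if "i" in flags:
            found.append(path)
    return found


# Constructed lsattr -R output for the example (not captured from a real host).
SAMPLE_LSATTR = """\
/bin:
----i--------e-- /bin/login
-------------e-- /bin/mv
-------------e-- /bin/rm
"""


def run_demo() -> dict:
    """Baseline a throwaway 'bin' tree, tamper with it the way the thread
    describes, and return the verify() report."""
    root = Path(tempfile.mkdtemp(prefix="baseline-"))
    (root / "login").write_bytes(b"original login binary")
    (root / "mv").write_bytes(b"original mv binary")
    os.symlink("mv", root / "mv.lnk")
    clean = build_baseline(root)

    # Same length as the original, so a size-only check would miss the swap.
    (root / "login").write_bytes(b"trojaned login binary")
    (root / "ls").write_bytes(b"new backdoor")
    (root / "mv").unlink()
    return verify(root, clean)


if __name__ == "__main__":
    print(run_demo())
    print("immutable:", immutable_from_lsattr(SAMPLE_LSATTR))
```

The baseline only has value if it was taken before the compromise and stored where the intruder could not rewrite it; taken afterwards it merely tells you what changes next, which is still useful while rebuilding.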