LinuxSA Mailing list archives
From: David Newall <davidn@rebel.net.au>
To: tim@oztek.net.au
Date: Sat, 18 Sep 1999 16:50:33 +0930 (CST)
Subject: Re: permissions problem
On Sat, 18 Sep 1999, Timothy Aslat wrote:
> I've got a small problem in that I can't seem to delete/modify/change
> permissions/etc on a file I need to upgrade due to a security problem
As already reported, the "solution" is to "chattr -i". However, be careful:
There is a "cracker's kit" (why can't they be original? *rolls eyes*) going
around which:
* Installs backdoors
* Captures network traffic and sends it to the resource thief
* Modifies ls (and others) to display the expected information on modified
  files, rather than the actual information
* Modifies ps (and others) to elide information relating to processes
  left running by the resource thief
* Modifies ifconfig (and others) to display expected information on
  modified network interfaces, rather than the actual information
* Modifies syslog (don't remember if it elides information or sends it to
  the thief)
I recommend you pay careful attention to:
bin/login
bin/ls
bin/netstat
bin/ps
sbin/ifconfig
usr/bin/chfn
usr/bin/chsh
usr/bin/chvt
usr/bin/du
usr/bin/find
usr/bin/free
usr/bin/killall
usr/bin/passwd
usr/bin/pstree
usr/bin/tload
usr/bin/top
usr/bin/uptime
usr/bin/w
usr/sbin/in.rshd
usr/sbin/inetd
usr/sbin/syslogd
usr/sbin/tcpd
Naturally you cannot trust any of those files. Safest is to restore them
from your write-protected distribution.
--
Check out the LinuxSA web pages at http://www.linuxsa.org.au/
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
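
One way to carry out the check the message recommends, as an added example that is not part of the original post: compare each listed file byte-for-byte against a known-good copy and note any that carry the immutable attribute. It assumes the system is booted from trusted media (so cmp, lsattr and cut are not the suspect copies); audit_binaries, LIVE_ROOT and TRUSTED_ROOT are hypothetical names.

```shell
#!/bin/sh
# Added example: audit the binaries named in the message against a known-good
# copy. Run from trusted boot media, never with the suspect system's own tools.
# Assumed (hypothetical) arguments: LIVE_ROOT = mounted suspect filesystem,
# TRUSTED_ROOT = mounted write-protected distribution tree.

# File list taken from the message above.
SUSPECT_FILES="bin/login bin/ls bin/netstat bin/ps sbin/ifconfig
usr/bin/chfn usr/bin/chsh usr/bin/chvt usr/bin/du usr/bin/find usr/bin/free
usr/bin/killall usr/bin/passwd usr/bin/pstree usr/bin/tload usr/bin/top
usr/bin/uptime usr/bin/w usr/sbin/in.rshd usr/sbin/inetd usr/sbin/syslogd
usr/sbin/tcpd"

# audit_binaries LIVE_ROOT TRUSTED_ROOT
# Prints one "STATUS path" line per file; returns 1 if any file is not clean.
audit_binaries() {
    live=$1; trusted=$2; rc=0
    for rel in $SUSPECT_FILES; do
        status=OK
        if [ ! -e "$trusted/$rel" ]; then
            status=NO-REFERENCE        # nothing to compare against
        elif [ ! -e "$live/$rel" ]; then
            status=MISSING
        elif ! cmp -s "$live/$rel" "$trusted/$rel"; then
            status=DIFFERS             # restore from the trusted copy
        fi
        # Note the immutable attribute (the one "chattr -i" clears).
        # lsattr prints nothing on filesystems without attribute support.
        flags=$(lsattr -d "$live/$rel" 2>/dev/null | cut -d' ' -f1)
        case $flags in *i*) status="$status,IMMUTABLE" ;; esac
        [ "$status" = OK ] || rc=1
        printf '%s %s\n' "$status" "$rel"
    done
    return $rc
}

# Stand-alone use: sh audit.sh LIVE_ROOT TRUSTED_ROOT
if [ "$#" -eq 2 ]; then
    audit_binaries "$1" "$2"
fi
```

A DIFFERS result can also mean a legitimately upgraded package, so the reference tree needs to match the installed release.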