[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: cannot remove files from /tmp



Steve Siegfried wrote:
> As an aside: 99.99% of Linux programs don't mess with file attribute bits.
>              The only time I've seen these attributes modified in 
>              a non-orange-book-secure (i.e.: SELinux) environment
>              was done as part of a script-kiddie break-in/root-hack. 
>              Because of this, I'm gonna ask: are you sure you're not
>              being hacked even as you try and resolve this?  Suggest at a
>              minimum, you pick up a copy of chkrootkit available through
>              http://www.chkrootkit.org and run it.

Firstly, chkrootkit is in extras, although it's more trustworthy if you
run it from "known good" media (e.g. a CD). (It is possible for a
rootkit to modify the kernel so that everything looks good to
user-space).

Secondly, Rolf's problems could also come from a corrupted filesystem. I'd
recommend booting from a rescue CD, *not* mounting any filesystems, and
fscking the filesystem in question.

Lastly, although 99.9% of Linux *programs* don't mess with file
attribute bits, it's a lot more common at the distribution level (and I
seem to remember stuff like Bastille does it too)[1]. But the set of
attributes that have been set doesn't look right for that.

Hope this helps,

James.

[1] For example, setting immutable bits on key system binaries to make
rootkits' lives that much harder.
-- 
E-mail:     james@ | I'll be more enthusiastic about encouraging thinking
aprilcottage.co.uk | outside the box when there's evidence of any thinking
                   | going on inside it.
                   |     -- Terry Pratchett


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]