[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] file attributes



have you run the tool rkhunter? It can identify many Linux root kits. That helps a lot in setting the next steps. I expect the rm command is compromised on the machine itself. Very strange the live CD's failed to be useful. They are self contained and should let you mount and attrib and rm all you like.

Note: if you turn off ssh, you can't remote back in. The trick is to keep ssh updated (and any parts it depends on), deny root ssh connection, requires ssh keys (very, very secure) and block password access.

On Mon, Mar 19, 2012 at 6:29 PM, Barry R Cisna <brcisna eazylivin net> wrote:
Hello All,

Thanks to all that made suggestions on how to clear out the two main
rootkit directories.
I did try using a couple live cd's ,both Centos 6 and a deft CD( which I
have found usually mounts LVM disks R/W easily). Unfortunately I got the
same 'permission denied" when trying to delete the files using this
method?

I also tried the method of deleting the file by the inode number.
Strangely enough,,I get no errors,and also I never get asked to confirm
to actually delete the file. The command completes,,but the file(s) are
not deleted. Nothing shows up in system log either FYI.This method did
not work either.

One thing I did find by accident when I try and create a blank file
regardless of method,I always get error" bad file descriptor" when
actually saving the blank file into either one of the two rootkit dirs.
I am not sure what this represents. Almost as though these dirs are
mounted in some fashion although,I see nothing in mtab or fstab?
This is very strange to say the least.

It is almost as though the immutable bit is set on these files,and
dirs,,when in fact this is not the case.
Any forensic experts here?....:)
Guess I'll have to learn to make SURE I shut off ssh after remoting into
the machine in the future.

Take Care,
Barry




_______________________________________________
K12OSN mailing list
K12OSN redhat com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>



--
--
James P. Kinney III

As long as the general population is passive, apathetic, diverted to consumerism or hatred of the vulnerable, then the powerful can do as they please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]