[K12OSN] file attributes

Jim Kinney jim.kinney at gmail.com
Mon Mar 19 22:46:20 UTC 2012


Have you run the tool rkhunter? It can identify many Linux rootkits. That
helps a lot in setting the next steps. I expect the rm command is
compromised on the machine itself. Very strange the live CDs failed to be
useful. They are self contained and should let you mount and attrib and rm
all you like.

Note: if you turn off ssh, you can't remote back in. The trick is to keep
ssh updated (and any parts it depends on), deny root ssh connections,
require ssh keys (very, very secure) and block password access.

On Mon, Mar 19, 2012 at 6:29 PM, Barry R Cisna <brcisna at eazylivin.net> wrote:

> Hello All,
>
> Thanks to all that made suggestions on how to clear out the two main
> rootkit directories.
> I did try using a couple live CDs, both CentOS 6 and a DEFT CD (which I
> have found usually mounts LVM disks R/W easily). Unfortunately I got the
> same 'permission denied' when trying to delete the files using this
> method?
>
> I also tried the method of deleting the file by the inode number.
> Strangely enough, I get no errors, and also I never get asked to confirm
> to actually delete the file. The command completes, but the file(s) are
> not deleted. Nothing shows up in the system log either, FYI. This method did
> not work either.
>
> One thing I did find by accident when I try and create a blank file,
> regardless of method, is that I always get the error 'bad file descriptor' when
> actually saving the blank file into either one of the two rootkit dirs.
> I am not sure what this represents. Almost as though these dirs are
> mounted in some fashion, although I see nothing in mtab or fstab?
> This is very strange to say the least.
>
> It is almost as though the immutable bit is set on these files and
> dirs, when in fact this is not the case.
> Any forensic experts here? ... :)
> Guess I'll have to learn to make SURE I shut off ssh after remoting into
> the machine in the future.
>
> Take Care,
> Barry
>



-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/
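The ssh hardening the reply above recommends (deny root logins, require keys, block password access) can be checked mechanically. The script below is an added example and is not code from the thread or from the K12OSN project; the function names `sshd_setting` and `audit_sshd_config` and the two sample config files are constructed for illustration. It reads a keyword the way sshd does (the first uncommented value wins), stops at the first `Match` block, which it does not evaluate, and treats an unset keyword as a failure because OpenSSH defaults password and challenge-response authentication to on.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config for the
# settings recommended in the reply above: root login denied, key-based
# authentication required, password logins blocked. The function names and
# the two sample config files below are constructed for illustration.

# Print the effective value of one sshd_config keyword (lower-cased), or
# nothing if it is not set. Mirrors sshd's rule that the FIRST uncommented
# value wins. Only the "Keyword value" form is handled, and reading stops at
# the first Match block, whose conditional overrides are not evaluated here.
sshd_setting() {
    _file="$1"
    _kw=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$_kw" '
        /^[ \t]*#/             { next }   # comment line
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # Match blocks not handled
        tolower($1) == key     { print tolower($2); exit }
    ' "$_file"
}

# Check the four settings and report each one that is not explicitly set to
# the hardened value. Unset keywords count as failures on purpose: OpenSSH
# defaults PasswordAuthentication and ChallengeResponseAuthentication to yes,
# and older releases default PermitRootLogin to yes as well.
# Returns the number of failing settings (0 means the file passes).
audit_sshd_config() {
    _conf="$1"
    _fail=0
    # ChallengeResponseAuthentication is included because with PAM the
    # keyboard-interactive method can still prompt for a password even when
    # PasswordAuthentication is off.
    for _pair in PermitRootLogin:no PasswordAuthentication:no \
                 ChallengeResponseAuthentication:no PubkeyAuthentication:yes; do
        _key=${_pair%%:*}
        _want=${_pair#*:}
        _got=$(sshd_setting "$_conf" "$_key")
        if [ "$_got" = "$_want" ]; then
            echo "ok    $_key $_got"
        else
            echo "FAIL  $_key ${_got:-unset} (want $_want)"
            _fail=$((_fail + 1))
        fi
    done
    return "$_fail"
}

# Constructed sample 1: a typical distribution default of the period, with
# root login left commented out (so unset) and passwords still accepted.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample 2: the same file after applying the advice above.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

echo "== weak sample =="
audit_sshd_config "$WEAK_CONF" || echo "-> $? setting(s) need attention"
echo "== hardened sample =="
audit_sshd_config "$HARDENED_CONF" && echo "-> passes"
```

To run it against a real host, replace the sample paths with `/etc/ssh/sshd_config`; keep in mind that a `Match` block can re-enable password authentication for particular users or addresses, so a file that passes this audit still deserves a look at anything after the first `Match` line.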