hello list, how can one delete a root file when it only has read and execute for root, i.e. r-x------ ? many thanks, r.frechen
rutger wrote:
hello list,
how can one delete a root file when it only has read and execute for root, i.e. r-x------ ? many thanks, r.frechen
Hi writer, With rm, if you have write permission for the directory the file is in. Or have I completely misunderstood the question?! Because I don't understand the context... ? Regards, Stefan Nowak
* Stefan Nowak;
rutger wrote:
hello list,
how can one delete a root file when it only has read and execute for root, i.e. r-x------ ? many thanks, r.frechen
Hi writer,
With rm, if you have write permission for the directory the file is in. Or have I completely misunderstood the question?! Because I don't understand the context... ?
Regards,
Stefan Nowak
But I understand nothing. This was supposed to be English list and at the time being I do not have time to study German. Can we switch back to International language. Thank you
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
hello all, thank you for your support. the question seems to be trivial, but i encountered this problem when our server was attacked and infected with a root-kit. the kit wrote a file that i couldn't delete - and of course i was logged in as root (thanx for the hint ;-), ok just joking). so i will test the different hints of you! again: thanx for your support! r.frechen
From: rutger
Date: Tue, 02 Jul 2002 18:06:52 +0200 To: Subject: [suse-security] root rights
hello list,
how can one delete a root file when it only has read and execute for root, i.e. r-x------ ? many thanks, r.frechen
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
the problem is that i cannot delete or change a file that was written or modified by a root-kit on our server. the normal approach doesn't work. the facts: i'm logged in as root. i cannot chown the file. i cannot chmod the file. i cannot rm the file.
any suggestions ?? thank you, r.frechen
If you use ext2fs on the filesystem in question, then the intruder may
have used an ext2-specific extension to keep you from removing the files.
Try lsattr on the directory and the files to see if the immutable flag was
set, and remove the flags with chattr.
Roman.
--
Roman Drahtmüller
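
The check described in the reply above, as an added example that is not part of the original thread: a filter over `lsattr` output that lists every file carrying the immutable or append-only flag. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `lsattr` output on stdin and
# prints each path whose attribute field has i (immutable) or a (append-only),
# the two ext2 flags that stop even root from removing or changing a file.
find_locked() {
    awk '
        NF < 2               { next }   # blank lines and "dir:" headers from -R
        $1 !~ /^[-A-Za-z]+$/ { next }   # first field is not an attribute string
        $1 ~ /[ia]/ {                   # case matters: A and I are other flags
            flags = $1
            sub(/^[^ ]+ +/, "")         # the rest of the line is the path
            tag = (flags ~ /i/) ? "immutable" : ""
            if (flags ~ /a/) tag = (tag == "" ? "" : tag " ") "append-only"
            printf "%s\t%s\n", tag, $0
        }'
}

# Constructed sample in the format `lsattr -R -a /mnt` prints (paths invented).
sample_lsattr() {
    cat <<'EOF'
--------------e------- /mnt/etc/passwd
----i---------e------- /mnt/usr/bin/odd file
-----a--------e------- /mnt/var/log/x.log
-------A------e------- /mnt/tmp/cache

/mnt/usr/lib:
----ia--------e------- /mnt/usr/lib/libfake.so
EOF
}

sample_lsattr | find_locked
# On the affected filesystem:  lsattr -R -a /mnt 2>/dev/null | find_locked
# Clear the flags as root, after which rm works again:  chattr -ia FILE
```
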
the problem is that i cannot delete or change a file that was written or modified by a root-kit on our server. the normal approach doesn't work. the facts: i'm logged in as root. i cannot chown the file. i cannot chmod the file. i cannot rm the file. any suggestions ?? thank you, r.frechen
From: rutger
Date: Tue, 02 Jul 2002 19:34:42 +0200 To: Subject: Re: [suse-security] root rights
hello all, thank you for your support. the question seems to be trivial, but i encountered this problem when our server was attacked and infected with a root-kit. the kit wrote a file that i couldn't delete - and of course i was logged in as root (thanx for the hint ;-), ok just joking). so i will test the different hints of you! again: thanx for your support! r.frechen
Roman Drahtmueller wrote:
If you use ext2fs on the filesystem in question, then the intruder may have used an ext2-specific extension to keep you from removing the files. Try lsattr on the directory and the files to see if the immutable flag was set, and remove the flags with chattr.
But isn't it somewhat naive to believe this machine is usable after this? I mean, he wrote about a compromised machine (rootkit). I would not trust this machine at all, and suggest a completely new install.
Christian
--
A circle is a round square.
netzwerkplanet. --- Düsseldorf
voice: 0211-9764091
mail: contact@netzwerkplanet.de
PGP Key available
If you use ext2fs on the filesystem in question, then the intruder may have used an ext2-specific extension to keep you from removing the files. Try lsattr on the directory and the files to see if the immutable flag was set, and remove the flags with chattr.
But isn't it somewhat naive to believe this machine is usable after this? I mean, he wrote about a compromised machine (rootkit). I would not trust this machine at all, and suggest a completely new install.
Heh, that's something entirely different, yes. Basically, if you run a rescue system and mount the filesystem under a different kernel, you can probably save the installation and continue running it, provided you have checksums of all files or a tripwire database. I did that once on a friend's machine, and I didn't like it because it might have been less worksome after all, but it is doable.
You just can't run these checks under the same kernel as the one that's installed. It might have been trojaned. Also, you can't trust the output of any of the programs installed on the intruded system, you have to use tools from a sane system.
Even if all files are verified ok (according to their checksum), people often forget that all files in the filesystems have to be checked for their membership to a package. If you don't have checksums of the rpm database, then you're basically doomed.
It's always better to install the machine from scratch, even if you have cared for everything and if you only have emotional considerations to reinstall.
Christian
Roman.
--
Roman Drahtmüller
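
The offline check described in the reply above, as an added example that is not part of the original thread: run from a rescue system, it compares the mounted filesystem with a checksum list made before the intrusion and also reports files the list does not account for. The names `audit_tree`, `demo` and `baseline.sha256` are hypothetical, the demo tree is constructed, and only the contents of regular files are compared.

```shell
#!/bin/sh
# Added example, not from the thread.  audit_tree ROOT MANIFEST
#   ROOT     suspect filesystem, mounted from a rescue system (e.g. /mnt)
#   MANIFEST known-good list in sha256sum format with paths relative to ROOT,
#            made before the intrusion and stored off the machine (assumption)
# Findings: MODIFIED (hash differs), MISSING (listed but gone),
#           UNKNOWN (on disk but not accounted for by the list).
audit_tree() {
    root=$1 manifest=$2
    (cd "$root" && find . -xdev -type f -exec sha256sum {} +) |
    awk -v mf="$manifest" '
        function path(line) { return substr(line, 67) }  # 64 hex digits + 2 separators
        BEGIN { while ((getline l < mf) > 0) want[path(l)] = substr(l, 1, 64) }
        {
            p = path($0); seen[p] = 1
            if (!(p in want))                       print "UNKNOWN  " p
            else if (want[p] != substr($0, 1, 64))  print "MODIFIED " p
        }
        END { for (p in want) if (!(p in seen)) print "MISSING  " p }
    ' | sort
}

# Constructed demonstration: take a baseline, change the tree, audit it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/bin" "$d/root/etc"
    echo 'ls v1'    > "$d/root/bin/ls"
    echo 'ps v1'    > "$d/root/bin/ps"
    echo 'root:x:0' > "$d/root/etc/passwd"
    (cd "$d/root" && find . -type f -exec sha256sum {} +) > "$d/baseline.sha256"
    echo 'ls v2' > "$d/root/bin/ls"          # replaced after the baseline
    rm "$d/root/bin/ps"                      # removed after the baseline
    echo 'x' > "$d/root/etc/extra.conf"      # belongs to nothing in the list
    audit_tree "$d/root" "$d/baseline.sha256"
    rm -rf "$d"
}

demo
```
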
** Reply to message from Roman Drahtmueller
participants (6)
- Christian Lox
- jfweber@eternal.net
- Roman Drahtmueller
- rutger
- Stefan Nowak
- Togan Muftuoglu