root-rechte - openSUSE Security - openSUSE Mailing Lists

newer
Gobbles Apache Exploit

root-rechte

older
SuSE-SA:2002:023

rutger

2 Jul 2002 2 Jul '02

16:06

hallo liste, wie kann man eine root-datei löschen, wenn sie nur lese und ausführen für root hat - also r-x------ . vielen dank, r.frechen

Reply

Sign in to reply online Use email software

Show replies by thread

Stefan Nowak

2 Jul 2 Jul

16:02

New subject: [suse-security] root-rechte

rutger schrieb:

hallo liste,

wie kann man eine root-datei löschen, wenn sie nur lese und ausführen für root hat - also r-x------ . vielen dank, r.frechen

Hi Schreiber, Mit rm wenn Du schreibrechte für das Verzeichnis hast, in dem die Datei liegt. Oder habe ich die Frage absolut falsch verstanden?! Verstehe nämlich den Zusammenhang nicht... ? Grüße, Stefan Nowak

Reply

Sign in to reply online Use email software

Togan Muftuoglu

16:17

New subject: [suse-security] root-rechte

* Stefan Nowak; on 02 Jul, 2002 wrote:

rutger schrieb:

...
hallo liste,

wie kann man eine root-datei löschen, wenn sie nur lese und ausführen für root hat - also r-x------ . vielen dank, r.frechen

Hi Schreiber,

Mit rm wenn Du schreibrechte für das Verzeichnis hast, in dem die Datei liegt. Oder habe ich die Frage absolut falsch verstanden?! Verstehe nämlich den Zusammenhang nicht... ?

Grüße,

Stefan Nowak

Aber ıch verstehe nichts. This was suppose to be English list and at the time being I do not have time to study German. Can we switch back to International language. Teşekkür ederim -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

Reply

Sign in to reply online Use email software

rutger

17:34

New subject: [suse-security] root-rechte

hello all, thank you for your support. the question seems to be trivial, but i encountered this problem, when our server was attacked and infected with a root-kit. the kit wrote a file that i couldnt delete - and of course i was logged in as root ( thanx for the hint ;-), ok just joking). so i will test the different hints of you! again: thanx for your support! r.frechen

Von: rutger Datum: Tue, 02 Jul 2002 18:06:52 +0200 An: Betreff: [suse-security] root-rechte

hallo liste,

wie kann man eine root-datei löschen, wenn sie nur lese und ausführen für root hat - also r-x------ . vielen dank, r.frechen

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Reply

Sign in to reply online Use email software

Roman Drahtmueller

17:55

New subject: [suse-security] root cant delete file

the problem is, that i cannot delete or change a file, that was written or modified by a root-kit on our server. the normal approach doesnt work. the facts: im logged in as root. i cannot chown the file. i cannot chmod the file. i cannot rm the file.

any suggestions ?? thank you, r.frechen

If you use ext2fs on the filesystem in question, then the intruder may have used an ext2-specific extension to keep you from removing the files. Try lsattr on the directory and the files to see if the immutable flag was set, and remove the flags with chattr. Roman. -- - - | Roman Drahtmüller // "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -

Reply

Sign in to reply online Use email software

rutger

17:59

New subject: [suse-security] root cant delete file

the problem is, that i cannot delete or change a file, that was written or modified by a root-kit on our server. the normal approach doesnt work. the facts: im logged in as root. i cannot chown the file. i cannot chmod the file. i cannot rm the file. any suggestions ?? thank you, r.frechen

Von: rutger Datum: Tue, 02 Jul 2002 19:34:42 +0200 An: Betreff: Re: [suse-security] root-rechte

hello all, thank you for your support. the question seems to be trivial, but i encountered this problem, when our server was attacked and infected with a root-kit. the kit wrote a file that i couldnt delete - and of course i was logged in as root ( thanx for the hint ;-), ok just joking). so i will test the different hints of you! again: thanx for your support! r.frechen

...
Von: rutger Datum: Tue, 02 Jul 2002 18:06:52 +0200 An: Betreff: [suse-security] root-rechte

hallo liste,

wie kann man eine root-datei löschen, wenn sie nur lese und ausführen für root hat - also r-x------ . vielen dank, r.frechen

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Reply

Sign in to reply online Use email software

Christian Lox

18:04

New subject: [suse-security] root cant delete file

Roman Drahtmueller wrote:

If you use ext2fs on the filesystem in question, then the intruder may have used an ext2-specific extension to keep you from removing the files. Try lsattr on the directory and the files to see if the immutable flag was set, and remove the flags with chattr.

But isn´t it somewhat naive to believe this machine is usable after this? I mean, he wrote about a compromised machine (rootkit). I would not trust this machine at all, and suggest a completely new install. Christian -- Ein Kreis ist ein rundes Quadrat. netzwerkplanet. --- Düsseldorf voice: 0211-9764091 mail: contact@netzwerkplanet.de PGP Key available

Reply

Sign in to reply online Use email software

Roman Drahtmueller

18:18

New subject: [suse-security] root cant delete file

...
If you use ext2fs on the filesystem in question, then the intruder may have used an ext2-specific extension to keep you from removing the files. Try lsattr on the directory and the files to see if the immutable flag was set, and remove the flags with chattr.

But isn´t it somewhat naive to believe this machine is usable after this? I mean, he wrote about a compromised machine (rootkit). I would not trust this machine at all, and suggest a completely new install.

Heh, that's something entirely different, yes. Basically, if you run a rescue system and mount the filesystem under a different kernel, you can probably save the installation and continue running it, provided you have checksums of all files or a tripwire database. I did that once on a friend's machine, and I didn't like it because it might have been less worksome after all, but it is doable. You just can't run these checks under the same kernel as the one that's installed. It might have been trojaned. Also, you can't trust the output of any of the programs installed on the intruded system, you have to use tools from a sane system. Even if all files are verified ok (according to their checksum), people often forget that all files in the filesystems have to be checked for their membership to a package. If you don't have checksums of the rpm database, then you're basically doomed. It's always better to install the machine from scratch, even if you have cared for everything and if you only have emotional considerations to reinstall.

Christian

Roman. -- - - | Roman Drahtmüller // "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -

Reply

Sign in to reply online Use email software

jfweber＠eternal.net

3 Jul 3 Jul

04:36

New subject: [suse-security] root cant delete file

** Reply to message from Roman Drahtmueller on Tue, 2 Jul 2002 20:18:08 +0200 (MEST) Roman wrote : **> But isn´t it somewhat naive to believe this machine is usable after **> this? I mean, he wrote about a compromised machine (rootkit). **> I would not trust this machine at all, and suggest a completely new **> install. ** **Heh, that's something entirely different, yes. **Basically, if you run a rescue system and mount the filesystem under a **different kernel, you can probably save the installation and continue **running it, provided you have checksums of all files or a tripwire **database. Hi gang.. pardon me for jumping in here .. but isn't this a question that arises often enough that one *should* have secure DATA backups , and , indeed, records of the way the box is set up . That way, in the event this unhappy situation occurs again ; there is no question of what to do... take the comprimised box down, immediately . Offl the internet ANd disconnect from your intranet. IF you are in an office or other situation where you need your boxes up "live" all the time, you probably should have some sort of backup box available anyway... ;-) But it seems pretty obvious; from a casual perusal, of message boards where the haxsors like to play, they aren't content w/ getting just one box in a network ... leaving a rootkited box up and connected to the rest of your intra net most likely means you will be doing reinstalls on all your boxes, you'll just be doing it sequentially .. <sigh> That is an even bigger PITA , no? It would be nice to have a template to get out of these unfortunate situations. But circumstances vary so much a template would have only the most basic information. ;-/ For Offices ( large or small ) taking a box down or offline , is a chaotic event for all concerned. It is a good thing we have so many folks here who actually care about security <G> just my $02 j afterthought COFFEE.EXE missing - insert cup and press any key ...

Reply

Sign in to reply online Use email software

7974

Age (days ago)

7975

Last active (days ago)

Download

8 comments

6 participants

tags

participants (6)

Christian Lox
jfweber＠eternal.net
Roman Drahtmueller
rutger
Stefan Nowak
Togan Muftuoglu