[NTLUG:Discuss] root can not edit hosts.deny file
Kenneth Loafman
ken at lt.com
Fri Jun 13 10:38:40 CDT 2003
Jack Snodgrass wrote:
> On Fri, 13 Jun 2003 13:45:26 +0000, m m wrote:
>
>
>>Hi All:
>>
>>There is a weird (at least to me) thing happening on my RH 6.2 box.
>>
>>I tried to edit the hosts.deny, and get a no-permission error.
>>I checked it with ls -l
>>
>>-rw-r--r-- root root .... hosts.deny
>>
>>Of course I am logged in as root.
>>
>>I can't mv this file to another name either.
>>
>>What's wrong? Please help.
>>
>>Thanks.
>>
>
>
>
> do an
> lsattr /etc/hosts.deny
> ( list attributes ) and see if the 'i' bit is set on your
> /etc/hosts.deny file.
>
> You can use chattr to set the 'i' bit on a file ( lsattr shows
> attributes ) and make a file non-writable by ANYONE. This doesn't
> show up in the normal ls -lart listing. You have to use lsattr to
> see what files have the 'i' bit set on them.
When your system has been 'rooted' by a cracker, sometimes the only clues
are that the ls, ps, find, and other status commands have been chattr'ed
to 'i' after they replace them with special versions that do not show
the processes or files they have installed on your system. If you find
a bunch of these files with 'i' attr's, you need to reformat and
reinstall to be safe.

If you feel like exploring, isolate the system from the network and
explore away, but unless you reinstall, you're still susceptible to
having the cracker take over your system for a DDOS.
...Ken
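
The lsattr check discussed in this thread, as an added example that is not part of the original messages: a POSIX shell filter that lists every file whose attribute field carries the immutable 'i' flag. The function names, the default directory list and the sample lsattr output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list files carrying the immutable ('i') attribute.

# Constructed sample in lsattr output format (flags field, then path).
SAMPLE_LSATTR='-------------e-- /bin/cat
----i--------e-- /bin/ls
----i--------e-- /bin/ps
-------------e-- /usr/bin/top
----ia-------e-- /usr/bin/find
---------I---e-- /var/spool/big dir
----i--------e-- /etc/hosts.deny
lsattr: Operation not supported While reading flags on /bin/sh'

# Read lsattr output on stdin; print the path of every entry whose flags
# field contains a lowercase 'i' (immutable). Uppercase 'I' is the
# indexed-directory flag and is ignored. Paths may contain spaces.
immutable_files() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /i/ && NF >= 2 {
        sub(/^[^ ]+ +/, "")
        print
    }'
}

# Count immutable entries in lsattr output on stdin.
immutable_count() {
    immutable_files | wc -l | tr -d ' '
}

# Scan directories (default: the usual binary locations plus /etc).
# Errors from filesystems without attribute support are discarded.
scan_dirs() {
    [ "$#" -gt 0 ] || set -- /bin /sbin /usr/bin /usr/sbin /etc
    for dir in "$@"; do
        [ -d "$dir" ] && lsattr "$dir" 2>/dev/null
    done | immutable_files
}

# Demo on the constructed sample; on a live system call scan_dirs instead.
printf '%s\n' "$SAMPLE_LSATTR" | immutable_files
```

On a suspect machine, run lsattr and awk from known-good media, since the installed copies are among the binaries the thread says may have been replaced.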