[NTLUG:Discuss] root can not edit hosts.deny file
m m
llliiilll at hotmail.com
Tue Jun 17 12:15:42 CDT 2003
Hi All:
Thanks for the tip.
I have checked all files in /var, /etc directories, the /etc/hosts.deny is
the only file that was set to i.
What is the possibility that the box has been "rooted"?
What are the other files that hackers like to modify/change?
thanks
Jack Snodgrass wrote:
>On Fri, 13 Jun 2003 13:45:26 +0000, m m wrote:
>
>
>>Hi All:
>>
>>there is a weird (at least to me) thing happening on my RH 6.2 box.
>>
>>I tried to edit the hosts.deny, and get a no permission error.
>>check it with ls -l
>>
>>-rw-r--r-- root root .... hosts.deny
>>
>>of course I login as root.
>>
>>I can't mv this file to other name either.
>>
>>what's wrong? please help.
>>
>>thanks.
>>
>
>
>
>do an lsattr /etc/hosts.deny ( list attributes ) and see if the 'i' bit is
>set on your /etc/hosts.deny file.
>
>You can use chattr to set the 'i' bit on a file ( lsattr shows attributes )
>and make a file non-writable by ANYONE. This doesn't show up in the normal
>ls -lart listing. You have to use lsattr to see what files have the 'i' bit
>set on them.
When your system has been 'rooted' by a cracker, sometimes the only clues
are that the ls, ps, find, and other status commands have been chattr'ed
to 'i' after they replace them with special versions that do not show
the processes or files they have installed on your system. If you find
a bunch of these files with 'i' attr's, you need to reformat and
reinstall to be safe.
If you feel like exploring, isolate the system from the network and
explore away, but unless you reinstall, you're still susceptible to
having the cracker take over your system for a DDOS.
...Ken
>From: lee <lee at brave.com>
>To: m m <llliiilll at hotmail.com>, discuss at ntlug.org
>Subject: Re: [NTLUG:Discuss] root can not edit hosts.deny file
>Date: Fri, 13 Jun 2003 09:08:07 -0500
>
>Quoting m m <llliiilll at hotmail.com>:
> > Hi All:
> >
> > there is a weird (at least to me) thing happening on my RH 6.2 box.
> >
> > I tried to edit the hosts.deny, and get a no permission error.
> > check it with ls -l
> >
> > -rw-r--r-- root root .... hosts.deny
> >
> > of course I login as root.
> >
> > I can't mv this file to other name either.
> >
> > what's wrong? please help.
>
>
>be very scared. it is likely that your pc has had its security
>compromised.
>
>man chattr - pay attention to the "i" attribute.
>
>RH 6.2 default installations are extremely vulnerable to cracking
>exploitations - so unless you've really really kept up with all the security
>updates and have aggressively locked down the security of that box, it might
>be time to reformat and upgrade to RH 9 or something.
>
>-- lee
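
An added example, not part of the original thread: a shell filter that picks out entries with the 'i' (immutable) attribute from `lsattr -R` output, the check the replies above describe, since `ls -l` does not show it. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report files whose lsattr attribute
# field contains the immutable flag 'i'.

# immutable_paths: read `lsattr` output on stdin and print the path of
# every entry whose attribute field contains a lowercase 'i'.
immutable_paths() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue      # blank separator lines from -R
        flags=${line%% *}               # first field: attribute letters
        path=${line#* }                 # rest of line, spaces preserved
        case "$flags" in
            *[!a-zA-Z-]*) continue ;;   # "dir:" headers, anything not a flag field
        esac
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;   # 'I' (indexed dir) is a different flag
        esac
    done
}

# scan_immutable DIR...: recursive scan; errors from filesystems or file
# types that do not support attributes are discarded.
scan_immutable() {
    lsattr -R "$@" 2>/dev/null | immutable_paths
}

# Constructed sample of lsattr -R output (not taken from a real host).
sample_lsattr_output() {
    cat <<'EOF'
------------- /etc/passwd
----i-------- /etc/hosts.deny

/etc/sysconfig:
------------- /etc/sysconfig/network
-----a------- /var/log/messages
----i-------- /bin/ls
----i-------- /bin/ps
--------I---- /etc/cron.d
----i-------- /tmp/name with spaces
EOF
}

# With arguments, scan those directories; without, run on the sample.
if [ "$#" -gt 0 ]; then
    scan_immutable "$@"
else
    sample_lsattr_output | immutable_paths
fi
```

Because the thread points out that status commands themselves may have been replaced, output from a suspect host is more trustworthy when `lsattr` is run from known-good media against the mounted disk.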