[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

ian iguy at ionsphere.org
Fri Feb 1 20:51:46 MST 2002


A hint for the list.  

Trying to find all the backdoors that are installed when you get hacked
is a never-ending process.  It's highly recommended that if you are ever
hacked you back up your data (hopefully not any RPMs, binaries or
other things of that nature).  Format and start over.

More often than not, when you get script kiddies or even the wizards,
once they install one backdoor they tend to install more.

ian

On Tue, Jan 29, 2002 at 08:42:29AM -0700, Jim Ockers wrote:
> Hi all,
> 
> > Just my 2 cents, but I also had a Red Hat 6.1 system cracked, and 6.2.
> > The crackers got in through the ftp service.  I had to blow the boxes
> > out because they changed the sticky bits on a lot of executables, and I
> > don't know enough about system security to resecure the box.  But, once
> > I did redo the box with 6.2, I immediately downloaded the latest ftp rpm
> > from Red Hat, and ever since then, I've been paying very close attention
> > to security alerts all around, and haven't been cracked since.
> 
> I've got a story about this.
> 
> I've been asked as a consultant to come in and "de-hackerize" some peoples'
> systems in the past.  One time a Red Hat 6.1 system got hacked and I was
> trying to replace the system binaries that got "upgraded" with the original
> copies from the install CD.
> 
> The /bin/login file was somehow locked down and no matter what I did, I
> could not rename, unlink, copy over, move, or any other file operation.
> I finally rebooted from a rescue CD (the install CD in rescue mode) and
> ran debuge2fs or debugfs, whatever it was called, and was able to delete
> the modified file.
> 
> I later found out about the ext2 fs "chattr" utility that can be used to
> set the filesystem attributes for a given file or inode, and in the case
> of the modified /bin/login the "immutable" and "undeletable" attributes 
> had been set.  I could have used chattr to un-set these attributes and 
> then I would have been able to delete, rename, etc. the file.
> 
> Naturally debugfs, with the filesystem unmounted, is the big Elephant Gun
> for getting things done on an ext2 filesystem...
> 
> Read the man page for chattr for more information.  It's good stuff.
> 
> --
> Jim Ockers (ockers at ockers.net)
> Contact info: please see http://www.ockers.net/
> 
> Fight Spam! Join CAUCE (Coalition Against Unsolicited Commercial Email)
> at http://www.cauce.org/ .
> 
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech

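A defender's check for the chattr trick Jim describes, added here as an example that is not from the thread: it reads lsattr output and flags files carrying the immutable, undeletable or append-only attributes. The function name flag_locked_attrs and the embedded SAMPLE_LSATTR listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the CLUE-Tech thread: flag files whose ext2
# attributes include i (immutable), u (undeletable) or a (append-only),
# the attributes that were set on the replaced /bin/login in the post above.
# Real use: lsattr -R /bin /sbin /usr/bin /usr/sbin 2>/dev/null | flag_locked_attrs

# Reads lsattr-style lines ("----i--------e-- /bin/login") on stdin.
# Prints "<attrs> <path>" for each flagged file.
# Returns 0 when nothing is flagged, 1 when at least one file is.
flag_locked_attrs() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|*:) continue ;;          # blank lines and "dir:" headers from lsattr -R
        esac
        attrs=${line%% *}               # attribute string before the first space
        path=${line#* }                 # everything after it (paths may contain spaces)
        case "$attrs" in
            *i*|*u*|*a*)                # lowercase only: 'I' (htree index) is harmless
                printf '%s %s\n' "$attrs" "$path"
                found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample of lsattr -R output; not a listing from a real system.
SAMPLE_LSATTR='/bin:
----i--------e-- /bin/login
-------------e-- /bin/ls

/var/log:
-----a-------e-- /var/log/wtmp

/usr:
----I--------e-- /usr/lib
'

if printf '%s' "$SAMPLE_LSATTR" | flag_locked_attrs; then
    echo "no locked attributes found"
else
    # the sample prints: ----i--------e-- /bin/login and -----a-------e-- /var/log/wtmp
    echo "clear a flagged file with: chattr -iua <path>, then verify the binary"
fi
```

A system binary carrying these attributes is a strong signal on its own, since package managers do not set them; compare any hit against the package's original checksum before trusting it.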