Hi all,

> Just my 2 cents, but I also had a Red Hat 6.1 system cracked, and 6.2.
> The crackers got in through the ftp service. I had to blow the boxes
> out because they changed the sticky bits on a lot of executables, and I
> don't know enough about system security to resecure the box. But, once
> I did redo the box with 6.2, I immediately downloaded the latest ftp rpm
> from Red Hat, and ever since then, I've been paying very close attention
> to security alerts all around, and haven't been cracked since.

I've got a story about this. I've been asked as a consultant to come in and "de-hackerize" some people's systems in the past. One time a Red Hat 6.1 system got hacked and I was trying to replace the system binaries that got "upgraded" with the original copies from the install CD.

The /bin/login file was somehow locked down and no matter what I did, I could not rename, unlink, copy over, move, or any other file operation. I finally rebooted from a rescue CD (the install CD in rescue mode) and ran debuge2fs or debugfs, whatever it was called, and was able to delete the modified file.

I later found out about the ext2 fs "chattr" utility that can be used to set the filesystem attributes for a given file or inode, and in the case of the modified /bin/login the "immutable" and "undeletable" attributes had been set. I could have used chattr to un-set these attributes and then I would have been able to delete, rename, etc. the file.

Naturally debugfs, with the filesystem unmounted, is the big Elephant Gun for getting things done on an ext2 filesystem...

Read the man page for chattr for more information. It's good stuff.

--
Jim Ockers (ockers@ockers.net)
Contact info: please see http://www.ockers.net/
Fight Spam! Join CAUCE (Coalition Against Unsolicited Commercial Email) at http://www.cauce.org/ .
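An added example, not part of the original message: a small shell check that reads `lsattr` output and reports files carrying the immutable, append-only or undeletable attributes, the condition that blocked replacing /bin/login above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# report_locked: read lsattr-format lines on stdin and print
# "attribute-names<TAB>path" for every file with i, a or u set.
report_locked() {
    awk '
    # Attribute lines look like "----i---------e----- /bin/login".
    # Blank lines and the "dir:" headers printed by lsattr -R do not match.
    $1 ~ /^[-A-Za-z]+$/ && NF >= 2 {
        flags = $1; names = ""
        # index() is case-sensitive, so "A" (no atime) and "I" are ignored.
        if (index(flags, "i")) names = names "immutable,"
        if (index(flags, "a")) names = names "append-only,"
        if (index(flags, "u")) names = names "undeletable,"
        if (names == "") next
        sub(/,$/, "", names)
        path = $0
        sub(/^[^ ]+ /, "", path)   # keep the whole path, spaces included
        printf "%s\t%s\n", names, path
    }'
}

# scan_dirs: run lsattr recursively over the given directories.
# Errors for device nodes and non-ext filesystems go to stderr and are dropped.
scan_dirs() {
    lsattr -R "$@" 2>/dev/null | report_locked
}

# Constructed sample of lsattr -R output, used to exercise the parser offline.
sample_lsattr() {
    cat <<'EOF'
/bin:
--------------e----- /bin/ls
-u--i---------e----- /bin/login

/var/log:
-----a--------e----- /var/log/my app.log
EOF
}

# Scan real directories only when they are passed as arguments,
# e.g.  sh check_attrs.sh /bin /sbin /usr/bin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

On a system suspected of compromise, run the check with `lsattr` from rescue media, since the installed binaries may themselves have been replaced. A reported flag is cleared as root with `chattr -i`, `chattr -a` or `chattr -u` before the file is restored from known-good media.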