[olug] lsattr
Brian Roberson
brian at bstc.net
Sat Sep 16 22:51:20 UTC 2000
----- Original Message -----
From: "Mike McNally" <mmcnally3 at prodigy.net>
To: <olug at bstc.net>
Sent: Saturday, September 16, 2000 1:45 PM
Subject: Re: [olug] lsattr
>
> So if my system were more secure the command, that Brian suggests that I
> run, would have shown log files to be immutable... which is good, not
> bad as he implies. Further, to run the command he suggests:
> chattr -i ${AFFECTED_FILE}
> would unset the immutable bit, placed on logfiles to enhance security,
> thus reducing security. Is this the point where I should be thanking
> you Brian?
The point was that most root kits do this:
cp $COMPROMISED_FILE /bin/ps ( or netstat, or top, or inetd, or anyother bin
that would let you find out problems woth your system.... etc.....)
chattr +i $COMPROMISED_FILE
hence, when you try to get rid of the affected file, they are immutable...
so, the point I was trying to make: DO YOU HAVE BINARIES THAT ARE
IMUTABLE???....... YOU MAY HAVE A ROOT KIT INSTALLED... DIG DEEPER!!!
---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
More information about the OLUG
mailing list