[Techtalk] undeletable files

Kai MacTane kmactane at GothPunk.com
Tue Mar 26 12:31:25 EST 2002


At 3/26/02 10:29 AM, Sini Mäkeläzk wrote:

>There is *nothing* you can trust in your current system, thus there is
>no other way to make it secure again, than reinstall it.

Exactly. While it's most likely that the two files you can't delete are 
simply chattr'd, it's also conceivable that rm has been patched by the 
intruder. Other system binaries that are usually altered by crackers 
include: ls, top, ps, w, who, and even syslogd. This way, ls won't list the 
files they don't want you to see, ps and top won't show you the intruder's 
processes, and w and who won't show you when they're logged in. Syslogd 
won't log anything they don't want logged (and they usually zero out the 
logs anyway, leaving you nothing to track them down with). Indeed, having a 
variety of log files at zero byte-size is a great indicator of having been 
cracked.

>I know it sounds unreasonable and might cause severe data loss if you 
>haven't made back-ups, but it's really the only way. I'm sorry.

That's what I did recently to get rid of an intruder. Backed up /home, 
/etc, /var/named/zones, /usr/local, and a variety of other places, then 
nuked *everything* and reinstalled. I also changed my partition structure 
around some while I was doing it. Then I reinstalled, and mostly used the 
backed up files as notes when dealing with the new ones. (The various Perl 
scripts I'd created in /usr/local/s?bin, and the zone files, of course I 
could just copy back to their proper locations. Users' homedirs appeared fine.)

                                                 --Kai MacTane
----------------------------------------------------------------------
"When the clouds pull apart/And the Moon changes phases,
  In the quiet, secret places/Are you there? Are you there?"
                                                 --Concrete Blonde,
                                                  "Darkening of the
                                                   Light"
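An added example, not part of Kai's message or the Techtalk archive, showing how a defender can triage the two symptoms he describes before deciding on the reinstall: files that will not `rm` because they carry the immutable (`i`) or append-only (`a`) attribute, and log files that have been truncated to zero bytes. It assumes GNU `lsattr` output in the form `<flags> <path>` with no spaces in paths; the lsattr lines and the scratch directory are constructed here, so nothing in the block needs root or touches the real system.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for a box where
# rm fails on some files and logs have gone quiet. Assumes GNU lsattr output
# "<flags> <path>", e.g. from `lsattr -R /var/log /tmp 2>/dev/null`.

# Constructed sample of lsattr output (not captured from any real host).
SAMPLE_LSATTR='----i--------e-- /tmp/.hidden/bin
-----a-------e-- /var/log/secure
-------------e-- /var/log/messages
-------------e-- /tmp/notes.txt'

# Print the path of every entry whose attribute column contains i (immutable)
# or a (append-only). Either flag makes unlink() fail with EPERM, even for
# root, until the flag is cleared with `chattr -i` / `chattr -a`, which is why
# the "undeletable" files look undeletable. Assumes no spaces in paths.
find_locked_attrs() {
    awk 'index($1, "i") > 0 || index($1, "a") > 0 { print $2 }'
}

# Count zero-byte regular files under a directory. Run against /var/log on a
# live box: several empty logs at once is the indicator Kai mentions.
count_empty_files() {
    find "$1" -type f -size 0 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample and a scratch directory that
# mimics a /var/log with one truncated log and one intact log.
demo() {
    echo "locked by attributes:"
    printf '%s\n' "$SAMPLE_LSATTR" | find_locked_attrs
    scratch=$(mktemp -d)
    : > "$scratch/messages"            # zero bytes: the suspicious case
    echo "sshd: session opened" > "$scratch/secure"
    echo "zero-byte files in $scratch: $(count_empty_files "$scratch")"
    rm -rf "$scratch"
}

demo
```

On a real host you would feed `lsattr -R /var/log /tmp /usr/local 2>/dev/null | find_locked_attrs` to the first function and point the second at `/var/log`; both are read-only checks, and as Kai and Sini say, positive findings are evidence to collect before the rebuild, not a reason to skip it, since `lsattr`, `find` and `awk` on that box are no more trustworthy than `rm` or `ls`.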