LinuxQuestions.org
Old 01-20-2011, 10:35 AM   #16
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster

a workmate of mine is now on the box.
this is /usr/bin/chattr

Code:
exit

looks like we got a lot of work.
 
Old 01-20-2011, 10:45 AM   #17
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Hi,
Quote:
Originally Posted by m3phisto
a workmate of mine is now on the box.
this is /usr/bin/chattr

Code:
exit
looks like we got a lot of work.
That's indeed bad news.

A very optimistic look would be: Only chattr was replaced by another command, which could be replaced by a working version (remove the existing chattr and reinstall using your distro's tools). But like I stated before: Who knows what else was compromised...

I do hope you have an idea how your box was compromised and are able to make sure that doesn't happen again.

Good luck fixing/reinstalling your box!
 
Old 01-20-2011, 08:37 PM   #18
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,374

I hope you have an idea when it was compromised as well, i.e. how far back to go to get clean data. BTW this only means user data; get a fresh OS install ready.
I know over in the Security Forum they prefer it if you try to analyse the problem before re-install, but if chattr has been compromised, I'd assume a lot else has been as well.
If you've got the time and inclination & expertise, make a dd copy of the relevant parts for later examination.
After that, you're best off doing a fresh install; there's no way to guarantee a clean fix otherwise.
However, do figure out how they got in before you re-install, otherwise it'll happen again(!)
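
The finding in this thread, a /usr/bin/chattr whose whole content is the text `exit`, is something that can be looked for mechanically on the dd copy suggested above. The script below is an added example and not part of any post; the mount point and the list of paths to check are assumptions supplied by whoever runs it.

```sh
#!/bin/sh
# Added example: flag files that should be ELF executables but are not,
# e.g. a chattr that has been replaced by a text file containing "exit".
# Assumption: ROOT is a read-only mount of a copy of the suspect filesystem,
# examined from trusted rescue media, not from the compromised system itself.
# Note: absolute symlinks inside ROOT resolve against the rescue system.

# Print the first four bytes of a file as lowercase hex (7f454c46 for ELF).
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify FILE -> prints one of: elf, script, missing, other
classify() {
    f=$1
    [ -f "$f" ] || { echo missing; return; }
    m=$(magic_of "$f")
    case $m in
        7f454c46) echo elf ;;
        2321*)    echo script ;;   # begins with "#!"
        *)        echo other ;;    # empty, plain text, or unknown format
    esac
}

# check_tree ROOT REL_PATH... -> one SUSPECT line per path that is not ELF
check_tree() {
    root=$1; shift
    for rel in "$@"; do
        kind=$(classify "$root/$rel")
        if [ "$kind" != elf ]; then
            echo "SUSPECT $rel ($kind)"
        fi
    done
}

# Example invocation (paths are illustrative):
#   sh check_elf.sh /mnt/suspect usr/bin/chattr usr/bin/lsattr
if [ "$#" -ge 2 ]; then
    check_tree "$@"
fi
```

A clean result here only says the file is an ELF binary, not that it is the distribution's binary; comparing against package checksums from known-good media is the stronger check.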
 
  


All times are GMT -5. The time now is 12:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration