LinuxQuestions.org
04-01-2002, 06:07 AM   #1
petkok
LQ Newbie
 
Registered: Mar 2002
Posts: 4

mirkforce & in.ftpd


Hi all,
I'm running Red Hat 7.1 and I'm almost a complete beginner with that OS.
3 months ago my machine was hacked and the hacker was running "mirkforce" on it. I've tried to do my best to prevent this in the future:
1. I changed the passwords of all users (root, me and one colleague of mine).
2. I stopped all services whose purpose I don't know.
3. I put a simple script in /etc/profile that sends me an email when somebody logs into the system.
4. I am trying to download new RPMs from ftp.redhat.com to upgrade the system.
The problem is that the hacker uploaded mirkforce again, to /usr/include/.t/mf/mirkforce, in some way. My script sent me an email that somebody had logged in as root, but the "who" command in the script had empty output for that user. I think the hacker is using some back door in apache or wu-ftpd. I succeeded in upgrading the apache server, but when I tried to do the same for the ftp server I got this result:
[root@acstre petko]# rpm -U wu-ftpd-2.6.1-16.7x.1.i386.rpm
warning: /etc/ftpaccess saved as /etc/ftpaccess.rpmorig
warning: /etc/ftpconversions saved as /etc/ftpconversions.rpmorig
warning: /etc/ftpgroups saved as /etc/ftpgroups.rpmorig
warning: /etc/ftphosts saved as /etc/ftphosts.rpmorig
warning: /etc/ftpusers saved as /etc/ftpusers.rpmorig
warning: /etc/logrotate.d/ftpd saved as /etc/logrotate.d/ftpd.rpmorig
warning: /etc/pam.d/ftp saved as /etc/pam.d/ftp.rpmorig
warning: /etc/xinetd.d/wu-ftpd created as /etc/xinetd.d/wu-ftpd.rpmnew
error: can't rename /usr/sbin/in.ftpd to /usr/sbin/in.ftpd-RPMDELETE: Operation not permitted
error: unpacking of archive failed on file /usr/sbin/in.ftpd: cpio: unlink failed - Operation not permitted

I tried to remove /usr/sbin/in.ftpd manually but the result was the same:
[root@acstre petko]# ls -l /usr/sbin/in.ftpd
total 292
-rwxr-xr-x 1 bin bin 173916 Mar 18 19:03 /usr/sbin/in.ftpd
[root@acstre petko]# rm -f /usr/sbin/in.ftpd
rm: cannot unlink `/usr/sbin/in.ftpd': Operation not permitted

I hope somebody can help me with a suggestion about what to do.
With best regards,
Petko Kapralyakov

PS.
It seems I'm affected by an "LKM Trojan";
maybe I have to reinstall the system.

PS.
Quote:
"Yes, they used the extra attributes of the linux e2fs. lsattr list the extra attributes, and chattr changes them. The man pages for these two commands should help you solve the problem."
Thanks to Jan van Rensburg for the help.
Petko

Last edited by petkok; 04-16-2002 at 08:53 AM.
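
The reply quoted at the end of the post attributes the "Operation not permitted" errors on /usr/sbin/in.ftpd to ext2 extended attributes, which lsattr lists. The script below is an added example, not part of the original thread: it filters lsattr output for entries carrying the immutable (i) or append-only (a) flag. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag files whose ext2/ext3 attributes
# block unlink/rename even for root, as happened with /usr/sbin/in.ftpd.

# Read `lsattr` output on stdin; print "FLAGS<TAB>PATH" for each entry that
# carries immutable (i) or append-only (a). Paths may contain spaces.
find_locked_files() {
    while IFS= read -r line; do
        attrs=${line%% *}   # first field: attribute string
        path=${line#* }     # remainder: file path
        # Skip blank lines and the "directory:" headers printed by lsattr -R:
        # a real attribute field holds only flag letters and dashes.
        case $attrs in
            ''|*[!A-Za-z-]*) continue ;;
        esac
        if [ "$attrs" = "$line" ]; then continue; fi   # no path field
        flags=
        case $attrs in *i*) flags="${flags}immutable," ;; esac
        case $attrs in *a*) flags="${flags}append-only," ;; esac
        if [ -n "$flags" ]; then
            printf '%s\t%s\n' "${flags%,}" "$path"
        fi
    done
    return 0
}

# Scan real directories (hypothetical helper name). -R recurses, -a includes
# dot entries such as the hidden .t directory mentioned in the post.
scan_paths() {
    lsattr -Ra "$@" 2>/dev/null | find_locked_files
}

# Constructed sample listing; the flags shown are illustrative, not captured
# from the poster's machine.
sample_lsattr_output() {
    cat <<'EOF'
------------- /usr/sbin/in.telnetd
----i-------- /usr/sbin/in.ftpd

/usr/sbin/constructed dir:
-----a------- /usr/sbin/constructed dir/notes file.txt
----ia------- /var/log/constructed.log
EOF
}

sample_lsattr_output | find_locked_files
```

To scan a live system, call `scan_paths /bin /sbin /usr/bin /usr/sbin /usr/include`. On a host suspected of running a kernel-module trojan, run it from trusted rescue media, since the installed tools and kernel may hide files.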
 
  


All times are GMT -5.