Hello all,
I have an interesting problem that I can't find having been asked about anywhere. I'll be brief: root is being denied write permission to /sbin, /bin, /usr/sbin and /usr/bin.
Now, the system was compromised, and cleaned, utilities and libraries having been replaced (by us, from CD). At first, I thought the various utilities had just been replaced by the hacker (rm, mv, and so on), but we've already replaced those. And, in fact, no writes work.
Before everyone starts responding with "check the obvious" kinds of answers, let me detail what I have done (and note, the office here is a roomful of seasoned Linux admins, and we're all scratching our heads on this one).
Here's a little snippet of command line efforts:
Code:
homer:root> ls -ld /sbin
drwxr-xr-x 2 root root 4096 Apr 22 12:15 /sbin
homer:root> touch /sbin/testfile
touch: creating `/sbin/testfile': Permission denied
homer:root> echo > /sbin/testfile
/sbin/testfile: Permission denied.
But, just to make absolutely sure, I ran this:
testopen.c:
--
Code:
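#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* Try to open (creating if needed) the path in argv[1] read-write and report errno. */
int main(int argc, char **argv) {
    int fd;
    if (argc < 2)
        return 2;
    /* O_CREAT requires a mode argument; 0644 is used here. */
    fd = open(argv[1], O_RDWR|O_CREAT, 0644);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    return 0;
}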
--
and got:
Code:
homer:root> ./testopen /sbin/testfile
/sbin/testfile: Permission denied
That said, if you still see something obvious I've missed, please do speak up.
Otherwise, my best guess right now is that the filesystem has been tampered with. What do you guys think?
Thanks,
Cengiz