LinuxQuestions.org
Old 07-30-2004, 01:20 PM   #1
netmar
LQ Newbie
 
Registered: Jul 2004
Location: Durham, NC
Distribution: Ubuntu 10.04 (I'd rather use Gentoo)
Posts: 23

Rep: Reputation: 3
Directory access denied to root user: inode hack?


Hello all,
I have an interesting problem that I can't find having been asked about anywhere. I'll be brief: root is being denied write permission to /sbin, /bin, /usr/sbin and /usr/bin.

Now, the system was compromised, and cleaned, utilities and libraries having been replaced (by us, from CD). At first, I thought the various utilities had just been replaced by the hacker (rm, mv, and so on), but we've already replaced those. And, in fact, no writes work.

Before everyone starts responding with "check the obvious" kinds of answers, let me detail what I have done (and note, the office here is a roomful of seasoned Linux admins, and we're all scratching our heads on this one).

Here's a little snippet of command line efforts:

Code:
homer:root> ls -ld /sbin
drwxr-xr-x   2 root     root         4096 Apr 22 12:15 /sbin
homer:root> touch /sbin/testfile
touch: creating `/sbin/testfile': Permission denied
homer:root> echo > /sbin/testfile
/sbin/testfile: Permission denied.
But, just to make absolutely sure, I ran this:
testopen.c:
--
Code:
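#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

/* Try to create/open argv[1] read-write and report why it failed. */
int main(int argc, char **argv) {
  int fd;
  if (argc < 2) {
    fprintf(stderr, "usage: %s <path>\n", argv[0]);
    return 2;
  }
  /* O_CREAT requires the third (mode) argument to open(). */
  fd = open(argv[1], O_RDWR|O_CREAT, 0644);
  if (fd < 0) {
    perror(argv[1]);
    return 1;
  }
  close(fd);
  return 0;
}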
--
and got:
Code:
homer:root> ./testopen /sbin/testfile
/sbin/testfile: Permission denied
That said, if you still see something obvious I've missed, please do speak up.

Otherwise, my best guess right now is that the filesystem has been tampered with. What do you guys think?

Thanks,
Cengiz
 
Old 07-30-2004, 01:27 PM   #2
rgiggs
Member
 
Registered: Apr 2004
Location: berkeley, ca
Distribution: slk10, winxp
Posts: 313

Rep: Reputation: 30
ok, it's a wild guess. the partition is mounted read-only?
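
Added example, not part of the thread: a small C diagnostic in the spirit of testopen.c that tests the read-only-mount guess from reply #2 and, going beyond the posts, also checks the per-inode immutable flag, another condition under which root is refused writes. The function names and the probe file name are made up for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/statvfs.h>
#include <linux/fs.h>   /* FS_IOC_GETFLAGS, FS_IMMUTABLE_FL */

/* 1 if the filesystem holding path is mounted read-only, 0 if not, -1 on error. */
int mount_is_readonly(const char *path) {
  struct statvfs vfs;
  return statvfs(path, &vfs) != 0 ? -1 : (vfs.f_flag & ST_RDONLY) != 0;
}

/* 1 if the inode has the immutable flag (chattr +i), 0 if not, -1 if unknown. */
int inode_is_immutable(const char *path) {
  int flags = 0, rc, fd = open(path, O_RDONLY);
  if (fd < 0) return -1;
  rc = ioctl(fd, FS_IOC_GETFLAGS, &flags);   /* fails on filesystems without inode flags */
  close(fd);
  return rc != 0 ? -1 : (flags & FS_IMMUTABLE_FL) != 0;
}

/* Try to create a file in dir; return 0 on success, else the errno of the failure. */
int probe_create(const char *dir) {
  char path[4096];
  snprintf(path, sizeof path, "%s/.write-probe.%ld", dir, (long)getpid());
  int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
  if (fd < 0) return errno;
  close(fd);
  unlink(path);   /* leave nothing behind when the directory was writable */
  return 0;
}

/* Combine the probe's errno with the two checks into a one-word finding. */
const char *explain(int err, int ro, int immutable) {
  if (err == 0) return "writable";
  if (err == EROFS || ro == 1) return "read-only mount";
  if ((err == EACCES || err == EPERM) && immutable == 1) return "immutable flag set";
  return "other cause";
}

int main(int argc, char **argv) {
  const char *dir = argc > 1 ? argv[1] : ".";
  int err = probe_create(dir);
  const char *why = explain(err, mount_is_readonly(dir), inode_is_immutable(dir));
  printf("%s: %s (%s)\n", dir, why, err ? strerror(err) : "ok");
  return 0;
}
```

A write to a read-only mount fails with EROFS ("Read-only file system"), so the errno text alone separates that case from EACCES ("Permission denied").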
 
Old 07-31-2004, 04:53 AM   #3
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
Re: Directory access denied to root user: inode hack?

Quote:
Originally posted by netmar
Now, the system was compromised, and cleaned, utilities and libraries having been replaced (by us, from CD). At first, I thought the various utilities had just been replaced by the hacker (rm, mv, and so on), but we've already replaced those. And, in fact, no writes work.

Before everyone starts responding with "check the obvious" kinds of answers, let me detail what I have done (and note, the office here is a roomful of seasoned Linux admins, and we're all scratching our heads on this one).

Someone in your roomful of seasoned admins should have realized that a 'compromised' system can only be 'cleaned' by reformatting and re-installing.

Enjoy!
--- Cerbere
 
  

