04-01-2002, 07:07 AM   #1
mirkforce & in.ftpd

Hi all,
I'm running Red Hat 7.1 and am almost a full beginner in that OS.
3 months ago my machine was hacked and the hacker was running "mirkforce" on it. I've tried to do my best to prevent this in future:
1. I changed the passwords of all users (root, me and one of my colleagues)
2. I stopped all services that I don't know what they do
3. I put a simple script in /etc/profile that sends me an email when somebody logs into the system
4. I try to download new rpms from to upgrade the system.
The problem is that the hacker uploaded mirkforce again in /usr/include/.t/mf/mirkforce in some way. My script sent me an email that somebody is logging in from root, but the "who" command in the script had an empty output for that user. I think that the hacker uses some back door in apache or wu-ftpd. I succeeded in upgrading the apache server, but when I tried to do the same for the ftp server I received this result:
[root@acstre petko]# rpm -U wu-ftpd-2.6.1-16.7x.1.i386.rpm
warning: /etc/ftpaccess saved as /etc/ftpaccess.rpmorig
warning: /etc/ftpconversions saved as /etc/ftpconversions.rpmorig
warning: /etc/ftpgroups saved as /etc/ftpgroups.rpmorig
warning: /etc/ftphosts saved as /etc/ftphosts.rpmorig
warning: /etc/ftpusers saved as /etc/ftpusers.rpmorig
warning: /etc/logrotate.d/ftpd saved as /etc/logrotate.d/ftpd.rpmorig
warning: /etc/pam.d/ftp saved as /etc/pam.d/ftp.rpmorig
warning: /etc/xinetd.d/wu-ftpd created as /etc/xinetd.d/wu-ftpd.rpmnew
error: can't rename /usr/sbin/in.ftpd to /usr/sbin/in.ftpd-RPMDELETE: Operation not permitted
error: unpacking of archive failed on file /usr/sbin/in.ftpd: cpio: unlink failed - Operation not permitted

I tried to remove /usr/sbin/in.ftpd manually but the result was the same:
[root@acstre petko]# ls -l /usr/sbin/in.ftpd
total 292
-rwxr-xr-x 1 bin bin 173916 Mar 18 19:03 /usr/sbin/in.ftpd
[root@acstre petko]# rm -f /usr/sbin/in.ftpd
rm: cannot unlink `/usr/sbin/in.ftpd': Operation not permitted

I hope somebody will help me with a suggestion of what to do.
With best regards
Petko Kapralyakov

It seems I'm affected by an "LKM Trojan";
maybe I have to reinstall the system.

"Yes, they used the extra attributes of the linux e2fs. lsattr lists the extra attributes, and chattr changes them. The man pages for these two commands should help you solve the problem."
Thanks to Jan van Rensburg for the help.

Last edited by petkok; 04-16-2002 at 09:53 AM.
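
The lsattr/chattr advice quoted above, as an added example that is not part of the original post: a shell function that reads `lsattr -R` output and reports entries carrying the immutable (i) or append-only (a) attribute, the condition under which rm and rpm fail with "Operation not permitted" even for root. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag files that carry the
# ext2/3/4 immutable (i) or append-only (a) attribute in lsattr output.

# Constructed sample of `lsattr -R` output: a blank line and a "dir:"
# header as -R emits them, plus one path containing a space.
SAMPLE='-------------e-- /usr/sbin/in.telnetd
----i--------e-- /usr/sbin/in.ftpd

/usr/include/.t:
----ia-------e-- /usr/include/.t/mf
-----a-------e-- /var/log/example file.log'

# find_locked_files (hypothetical helper): reads lsattr output on stdin
# and prints "<attribute> <path>" for each entry with i and/or a set.
find_locked_files() {
    while IFS= read -r line; do
        flags=${line%% *}   # first field: the attribute flags
        path=${line#* }     # remainder: the path (may contain spaces)
        # Blank lines and "dir:" headers have no separate flags field,
        # or a first field that is not made of letters and dashes.
        case "$line" in
            ''|"$flags") continue ;;
        esac
        case "$flags" in
            *[!A-Za-z-]*) continue ;;
        esac
        # Lowercase i/a only: uppercase I and A are different attributes.
        case "$flags" in
            *i*a*|*a*i*) echo "immutable+append-only $path" ;;
            *i*)         echo "immutable $path" ;;
            *a*)         echo "append-only $path" ;;
        esac
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | find_locked_files
```

On a live system, feed it real output instead, for example `lsattr -R /usr/sbin /usr/include 2>/dev/null | find_locked_files`. `chattr -i <file>` clears the immutable attribute once the file has been examined.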

