LinuxQuestions.org


netmar 07-30-2004 01:20 PM

Directory access denied to root user: inode hack?
 
Hello all,
I have an interesting problem that I can't find having been asked about anywhere. I'll be brief: root is being denied write permission to /sbin, /bin, /usr/sbin and /usr/bin.

Now, the system was compromised, and cleaned, utilities and libraries having been replaced (by us, from CD). At first, I thought the various utilities had just been replaced by the hacker (rm, mv, and so on), but we've already replaced those. And, in fact, no writes work.

Before everyone starts responding with "check the obvious" kinds of answers, let me detail what I have done (and note, the office here is a roomful of seasoned Linux admins, and we're all scratching our heads on this one).

Here's a little snippet of command line efforts:

Code:

homer:root> ls -ld /sbin
drwxr-xr-x  2 root    root        4096 Apr 22 12:15 /sbin
homer:root> touch /sbin/testfile
touch: creating `/sbin/testfile': Permission denied
homer:root> echo > /sbin/testfile
/sbin/testfile: Permission denied.

But, just to make absolutely sure, I ran this:
testopen.c:
--
Code:

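#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(int argc, char **argv) {
  int fd;

  if (argc < 2)
    return 2;  /* need a path to test */

  /* O_CREAT requires the third (mode) argument */
  fd = open(argv[1], O_RDWR|O_CREAT, 0644);
  if (fd < 0)
    perror(argv[1]);  /* print why open() failed, e.g. EACCES */
  return fd < 0;
}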

--
and got:
Code:

homer:root> ./testopen /sbin/testfile
/sbin/testfile: Permission denied

That said, if you still see something obvious I've missed, please do speak up.

Otherwise, my best guess right now is that the filesystem has been tampered with. What do you guys think?

Thanks,
Cengiz

rgiggs 07-30-2004 01:27 PM

OK, it's a wild guess. The partition is mounted read-only?

Cerbere 07-31-2004 04:53 AM

Re: Directory access denied to root user: inode hack?
 
Quote:

Originally posted by netmar
Now, the system was compromised, and cleaned, utilities and libraries having been replaced (by us, from CD). At first, I thought the various utilities had just been replaced by the hacker (rm, mv, and so on), but we've already replaced those. And, in fact, no writes work.

Before everyone starts responding with "check the obvious" kinds of answers, let me detail what I have done (and note, the office here is a roomful of seasoned Linux admins, and we're all scratching our heads on this one).

Someone in your roomful of seasoned admins should have realized that a 'compromised' system can only be 'cleaned' by reformatting and re-installing.

Enjoy!
--- Cerbere

