RE: [cobalt-users] hacked raq
- Subject: RE: [cobalt-users] hacked raq
- From: "GPS" <gps@xxxxxxxxxxxxxx>
- Date: Sat Feb 24 10:30:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Thanks Dude. That got my login back from bad!
>
>Ciao
>Randy
>
>+Subject: [cobalt-users] hacked raq
>+
>+
>+I tried to re-install via rpm the util-linux, but the message I get from the
>+RAQ3 is that it can't rename or move /bin/login. Any ideas, short of total
>+restore? Thanks!
>+
>+
>+Ciao
>+Randy
>
>Try:
>
>$root chattr = /bin/login
>
>or
>
>$root chattr -isa /bin/login
>
No problem.
Most of the r00t kits seem to be using the chattr command to protect their hacked files.
4 out of 5 advanced linux geek friends were not immediately familiar with the chattr command.
Maybe they're not that advanced or it's just not used that much.
It's in the O'Reilly Linux in a Nutshell book.
You can see from the list of Attributes why hackers find chattr very useful:

chattr [options] mode files

    Modify file attribute. Specific to Linux Second Extended File Systems.
    Behaves similarly to chmod using +, - and =; mode is in the form
    opcode attribute

Options
    -R          Modify directories and their contents recursively
    -V          Print modes of attributes after changing them
    -v version  Set the file's version

Opcodes
    +   Add attribute
    -   Remove attribute
    =   Assign attributes (removing unspecified attributes)

Attributes
    A   Don't update atime on modify
    a   Append only
    c   Compressed
    d   no dump
    i   Immutable
    s   Secure deletion
    u   UNDELETABLE
    S   Synchronous updates
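
Added example, not part of the original post: a check for the situation described above, using lsattr (the e2fsprogs companion to chattr) to find system binaries that carry the immutable or append-only attribute. The function names and the sample lsattr lines are constructed for illustration; only /bin/login comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `lsattr` output ("<flags> <path>" per line) on stdin and print
# "<attrs> <path>" for each file carrying i (immutable) or a (append-only),
# the attributes that stop rpm from renaming or replacing a file.
flag_protected() {
    awk '{
        hit = ""
        if (index($1, "i")) hit = hit "i"   # case-sensitive: A (no atime) is ignored
        if (index($1, "a")) hit = hit "a"
        if (hit != "") {
            path = $0
            sub(/^[^ ]+ +/, "", path)       # drop the flags field, keep spaces in the path
            print hit " " path
        }
    }'
}

# Constructed sample of lsattr output; only /bin/login comes from the thread.
sample_lsattr() {
    cat <<'EOF'
-------- /bin/ls
----i--- /bin/login
-----a-- /bin/ps
s---ia-- /usr/sbin/example
-------A /bin/cat
EOF
}

# Live scan: list attributes of everything in the given directories.
scan_dirs() {
    for d in "$@"; do
        lsattr "$d" 2>/dev/null
    done | flag_protected
}

if [ "$#" -gt 0 ]; then
    scan_dirs "$@"          # e.g. sh script.sh /bin /sbin /usr/bin /usr/sbin
else
    sample_lsattr | flag_protected
fi
```

Stock packages do not normally set these attributes on binaries, so any hit in a system directory is worth comparing against the package database (rpm -V) before the attribute is cleared and the file replaced.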