[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Hacked: .bash_history linked somewhere



On Fri, Nov 07, 2003 at 10:45:32AM -0800, Mike Egglestone wrote:
> Hi,
> My server was trojaned recently, not sure how.
> It looks like /bin/ps was modified or replaced with
> a trojan. 

Out of curiosity--how can you tell?

> The /root/.bash_history file is set to this:
> 
> chsslx1:~# ls -la .bash_history
> -rw-r--r--    1 root     root            0 Nov  7 05:31 .bash_history
> 
> and I can't edit it or delete it.
> It looks like its linked somewhere:
> 
> chsslx1:~# rm .bash_history
> rm: remove write-protected file `.bash_history'? y
> rm: cannot unlink `.bash_history': Operation not permitted
> 
> First off, nothing to much was compromised. Only /etc/samba/* was wiped.
> (There may be more stuff but haven't detected yet)

Indeed.

> It seems that the only way to recover is to re-install?

Yes.  You can never 

> How does this happen in the first place? Does someone need to steal the root 
> password and login and plant the trojan, or could this be remotely exploited 
> through a security hole in one of my installed packages?

Could be.

> I don't understand how files can get overwritten with out manually doing it.

What lead you to believe there was a compromise in the first place?

Once you decide it was compromised, there's nothing you can do but start
over (very carefuly!) from scratch.  It's hard to know for sure that
you've found all the backdoors.--b.



Reply to: