
Re: Rooted? Could anything innocently alter the "i" flag?



On Mon, Mar 22, 2004 at 08:06:49PM +0000, Anthony Campbell wrote:
> On 22 Mar 2004, Brian Brazil wrote:
> > On Mon, Mar 22, 2004 at 06:21:25PM +0000, Anthony Campbell wrote:
> > > Recently I found that the "i" flag had been set on /bin/ps. I removed it
> > > with chattr -i. Now the flag has reappeared!
> > >
> > > Is there any way this could conceivably happen innocently following
> > > routine upgrades via aptitude? Do I have to do a complete reinstall?
> > 
> > Weird ideas that probably won't work:
> > 1) chattr +i /bin - look for error messages
> > 2) Any of the bastille packages installed?
> > 3) lsof?
> > 4) fix chattr, reinstall, get md5sum, wait
> > 
> > Brian
> > 
> 
> I'm open to all suggestions! 
> 
> I did have bastille installed at one stage but not now.
> I don't know anything much about lsof or why it might do this.

lsof: list all opened files. Theory: any rootkit trying to do chattr +i
probably writes it => opens it. Whole pile of race conditions involved
though. I did say weird ideas.

> I'll have to research chattr; I don't know what package it belongs to.

e2fsprogs would be my guess. 'dpkg -S chattr'

> I can't find anything else, so far, that's unusual apart from this, so
> I'm rather reluctant to go to radical steps like reinstalling
> everything. I compared /bin/ps on another machine which is OK; this was
> exactly the same length and date.

I said md5sum for a reason. Even a checksum would be nice. See
RFC1680(?) - MD5, RFC1750 - Randomness recommendations for security.
Essentially date (touch) and file size (echo >>) are easy to modify.
With a one-way hashing algorithm, though, it's more difficult to get the
right answer with a bad file.

Of course a good rootkit would supply you with a copy of the old 'ps'
but run the new one. Think 'fakeroot' but on the kernel level(ish).

If you can, pull the disk out of the machine, put it in another, MOUNT
READONLY and chkroot/md5. And install aide etc. (must do that myself).

Brian
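The point Brian makes above (same length and date proves nothing, a content hash is what you want, and lsattr is how you read the "i" flag) as a runnable demonstration. This is an added example, not code from the thread: it builds a throwaway stand-in for /bin/ps in a temp directory, tampers with it in place while preserving both the byte count and the mtime (the way touch -r and an in-place byte overwrite would), and shows that the naive size+date comparison still says "same" while a baseline taken with sha256sum fails. It uses sha256sum rather than md5sum because MD5 collisions are practical today; the logic is identical with md5sum. Assumes GNU coreutils (sha256sum, touch -r, dd, wc) and, for the flag check, lsattr from e2fsprogs; lsattr reports "unknown" on filesystems that do not support ext attributes.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Demonstrates why "same size and date" is not an integrity check, and how a
# hash baseline and lsattr give real answers. Assumes GNU coreutils + e2fsprogs.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

target="$workdir/ps"   # constructed stand-in for /bin/ps: plain bytes, not a binary
printf 'ps: original contents 0123456789\n' > "$target"

file_size() { wc -c < "$1" | tr -d ' '; }

# What the naive comparison looks at: byte length and modification time.
orig_size=$(file_size "$target")
mtime_ref="$workdir/mtime_ref"
touch -r "$target" "$mtime_ref"          # empty file carrying the original mtime

# What a real check looks at: a content hash recorded while the file is known good.
baseline="$workdir/baseline.sha256"
sha256sum "$target" > "$baseline"

# Simulate a rootkit-style replacement: overwrite bytes in place (length unchanged),
# then put the old mtime back, exactly what 'touch -r' does.
printf 'TROJAN' | dd of="$target" bs=1 seek=4 conv=notrunc 2>/dev/null
touch -r "$mtime_ref" "$target"

# Naive check: $1 = file, $2 = expected size, $3 = file carrying the expected mtime.
# Prints "same" or "differ".
naive_check() {
    [ "$(file_size "$1")" = "$2" ] || { echo differ; return 0; }
    if [ "$1" -nt "$3" ] || [ "$1" -ot "$3" ]; then echo differ; else echo same; fi
}

# Hash check: $1 = baseline written by sha256sum. Prints "ok" or "FAILED".
hash_check() {
    if sha256sum -c --status "$1" >/dev/null 2>&1; then echo ok; else echo FAILED; fi
}

# The flag Anthony saw: lsattr's first field contains 'i' when the file is immutable.
# Prints "yes", "no", or "unknown" (lsattr missing or filesystem without attributes).
immutable_flag() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || { echo unknown; return 0; }
    case "$attrs" in
        "")  echo unknown ;;
        *i*) echo yes ;;
        *)   echo no ;;
    esac
}

echo "naive (size+mtime): $(naive_check "$target" "$orig_size" "$mtime_ref")"   # same
echo "sha256 baseline:    $(hash_check "$baseline")"                              # FAILED
echo "immutable flag:     $(immutable_flag "$target")"
```

The same two functions apply to a real system: record `sha256sum /bin/ps /bin/ls ...` onto media the machine cannot write (or from a second box with the disk mounted read-only, as suggested above), and later run `sha256sum -c` against that list; `lsattr -d /bin/ps` tells you whether the "i" flag is set right now. Note the caveat Brian raises: a kernel-level rootkit can serve the original bytes to sha256sum and run something else, which is why the check is only trustworthy when the disk is read from a clean system.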
