Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 16 Jul 2001 04:17:26 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 16 Jul 2001 04:17:16 -0400 Received: from hawk.mail.pas.earthlink.net ([207.217.120.22]:26109 "EHLO hawk.mail.pas.earthlink.net") by vger.kernel.org with ESMTP id ; Mon, 16 Jul 2001 04:17:04 -0400 Date: Mon, 16 Jul 2001 03:16:56 -0500 From: J Troy Piper To: Alex Buell Cc: Alexander Viro , "Albert D. Cahalan" , Adam , Mailing List - Linux Kernel Subject: Re: Duplicate '..' in /lib Message-ID: <20010716031656.D1391@dok.org> In-Reply-To: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="oC1+HKm2/end4ao3" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from alex.buell@tahallah.demon.co.uk on Mon, Jul 16, 2001 at 07:30:01AM +0100 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org --oC1+HKm2/end4ao3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > As it turns out, the extraneous '..' is actually a file. I did a rm ..*, > which left the original .. directory alone but removed the .. file. Did a > e2fsck on reboot, no problems found. >=20 Yes, good to remove the file, but now my main concern is that your system= =20 may have been compromised as the old ".." dir-not-really file entry may=20 have other connotations. It is definately a possibility of a cracked=20 system (as the .. file appears in many new r00tkit type exploits.) i would= =20 do some extensive forensics on the machine in question. are there new=20 entries in /etc/passwd or /etc/shadow that shouldn't be there? =20 DISCLAIMER - I am not insisting your machine was compromised, but why be=20 lax about it? Check the system in every way possible to determine if=20 someone has cracked and installed a r00tkit on your box. just getting rid= =20 of the single .. entry may not be enough. look for other suspicious=20 files, keep copies of them before deleting the ones available to the=20 public in /lib or /usr or whatever, and check out any suspicious files=20 that were created/modified/accessed in the same window (5 or 6 minuites)=20 as the double .. entry in /lib it sounds to me like someone MAY have been trying to replace system lib=20 files, or even perhaps load malicious kernel code in modules. at my job,= =20 this system would be immediately taken off the 'production line' until a=20 thorough examination/investigation can be done. check logins around the=20 ctime of the original .. creation and compare with who was logged in etc=20 etc. this may be nothing, it may be a nasty kernel bug, or it may be malicious= =20 hackers attampting to pull the wool over your eyes. be PARANOID in any situation in which your machine MAY have been=20 compromised and persue the forensic evidence until you hit a titanium wall (a brick wall can be easily broken down).=20 If you have no idea where to go from here, send me email logs of what has= =20 been found and i will give it my best shot at determining whether this is= =20 a kernel bug (which i would assume would've been caught and dealt with by= =20 now), or a nasty attack involving a rootkit, so the 'attackers' can regain= =20 access to the system. Start with "netstat --inet -a" and see if you find any open ports that=20 shouldn't be open. That would be the first indication of a rootkit that=20 allows the rootkitter (person installing the rootkit) to regain access to= =20 the system even after it has been 'locked down'. =20 rootkits are well know for leaving SEVERAL backdoors so that if one is=20 found, the attacker still has multiple ways to re-enter and re-penetrate=20 the system.=20 ---- J Troy Piper jtp@dok.org PS - sorry about the FUD slam about 'the evil cracker' but we all know=20 they DO exist, and the weaker the admin, the easier it is to take=20 advantage of the systems under the admin's control. --oC1+HKm2/end4ao3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7UqL3Cf6/EIKZzbMRAhmxAKDe6dQv9xlHx/i5L+GAdOq32jDySwCfQr+6 U7PN8S+OESwJZ6diDOpguXg= =zspi -----END PGP SIGNATURE----- --oC1+HKm2/end4ao3-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/