On Thu, Dec 30, 2010 at 08:26:31PM +0100, Martin Lorenz wrote:
<snip>
> stat64("testfile2", 0xbfffd7b0) = -1 ENOENT (No such file or
> directory)
>
> stat64("testfile1", {st_dev=makedev(144, 109), st_ino=37590572,
> st_mode=S_IFREG|S_ISUID|0450, st_nlink=1, st_uid=0, st_gid=0,
> st_blksize=4096, st_blocks=8, st_size=32, st_atime=2010/12/30-20:22:29,
> st_mtime=2010/12/30-20:22:29, st_ctime=2010/12/30-20:22:29}) = 0
>
> stat64("testfile2", 0xbfffd624) = -1 ENOENT (No such file or
> directory)
>
> open("testfile1", O_RDONLY|O_LARGEFILE) = 3
> open("testfile2", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0) = 4
>

I see a difference when I run the same commands.

root@/deb40a:~> ( env -i; date > test1; strace -v -e trace=file -o /tmp/cp.strace.out cp test1 test2; cat /tmp/cp.strace.out; umask; )

This is the strace output minus the environment:

access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libacl.so.1", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libattr.so.1", O_RDONLY) = 3
lstat64("test2", 0xbffff790) = -1 ENOENT (No such file or directory)
stat64("test1", {st_dev=makedev(3, 1), st_ino=216364, st_mode=S_IFREG|0600, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=2, st_size=21, st_atime=2010/12/31-09:04:24, st_mtime=2010/12/31-09:04:24, st_ctime=2010/12/31-09:04:24}) = 0
open("test1", O_RDONLY|O_LARGEFILE) = 3
open("test2", O_WRONLY|O_CREAT|O_LARGEFILE, 0100600) = 4
0077

You may have trimmed the 'access' and 'open' statements from your post
but if you didn't and haven't built a static 'cp' then the version
you're running isn't accessing the libs.

When I run the same commands as user mike I see these diffs:

st_mode=S_IFREG|0644, st_uid=1000, st_gid=1000
open("test2", O_WRONLY|O_CREAT|O_LARGEFILE, 0100644) = 4

and umask is 0033.

The longer you run a cracked system the longer the cracker has to do
something you'll like even less.

If you've room the easiest way I've seen to recover is to re-install on
a newly created partition then compare the new to the old before
incorporating anything from the old into the new and NEVER boot the old
again.

Be sure to harden your system before putting the new one online since
someone already has the keys to your current system. Use secure
passwords, something like 'M05o05m41', your Mom's name scrambled in with
her birthday.

Good luck,
Mike
-- 
Satisfied user of Linux since 1997.
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

Archive: http://lists.debian.org/20101231173147.ga1...@playground.mcclains.net
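
The comparison made in the message above (which shared libraries cp opens, and the flags and mode it passes when it creates the destination) can be extracted from `strace -e trace=file` output mechanically. This is an added example, not part of the original message: it runs on abridged copies of the two traces quoted above, and the names `summarize` and `differences` are made up for it. As the reply notes, the quoted excerpt may have been trimmed, so a reported difference is something to check, not a verdict.

```python
import re

# Abridged copies of the two traces in the message above (trailing stat fields dropped).
TRACE_QUOTED = '''\
stat64("testfile1", {st_dev=makedev(144, 109), st_ino=37590572, st_mode=S_IFREG|S_ISUID|0450, st_nlink=1, st_uid=0, st_gid=0}) = 0
open("testfile1", O_RDONLY|O_LARGEFILE) = 3
open("testfile2", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0) = 4
'''
TRACE_REPLY = '''\
open("/lib/libacl.so.1", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/libattr.so.1", O_RDONLY) = 3
stat64("test1", {st_dev=makedev(3, 1), st_ino=216364, st_mode=S_IFREG|0600, st_nlink=1, st_uid=0, st_gid=0}) = 0
open("test1", O_RDONLY|O_LARGEFILE) = 3
open("test2", O_WRONLY|O_CREAT|O_LARGEFILE, 0100600) = 4
'''

OPEN_RE = re.compile(r'^open\("([^"]+)", ([A-Z0-9_|]+)(?:, (\d+))?\)\s+= (-?\d+)')
STAT_RE = re.compile(r'^l?stat64\("([^"]+)", \{.*?st_mode=((?:[A-Z_]+\|)+)(\d+)')
LIB_RE = re.compile(r"\.so(\.\d+)*$")

def summarize(trace):
    """Collect library opens, stat'ed file modes and file creations from a trace."""
    libs, stats, creates = [], {}, []
    for line in trace.splitlines():
        m, s = OPEN_RE.match(line), STAT_RE.match(line)
        if m and int(m.group(4)) >= 0:          # successful open() only
            path, flags, mode = m.group(1), set(m.group(2).split("|")), m.group(3)
            if "O_CREAT" in flags:              # strace prints the mode in octal
                creates.append({"path": path, "excl": "O_EXCL" in flags, "mode": int(mode or "0", 8)})
            elif LIB_RE.search(path):
                libs.append(path)
        elif s:                                 # failed stats carry no {...} and never match
            stats[s.group(1)] = {"setuid": "S_ISUID|" in s.group(2), "perm": int(s.group(3), 8)}
    return {"libs": libs, "stats": stats, "creates": creates}

def differences(trace_a, trace_b):
    """Name the points on which two cp traces disagree."""
    a, b = summarize(trace_a), summarize(trace_b)
    out = ["shared libraries opened"] if bool(a["libs"]) != bool(b["libs"]) else []
    for ca, cb in zip(a["creates"], b["creates"]):
        if ca["excl"] != cb["excl"]:
            out.append("O_EXCL on create")
        # Compare permission bits only; the reply's trace also shows the S_IFREG bit.
        if (ca["mode"] & 0o7777) != (cb["mode"] & 0o7777):
            out.append("creation mode")
    return out

print(differences(TRACE_QUOTED, TRACE_REPLY))
```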