Hmmmm...

The lsattr and chattr progs are part of the e2fsprogs RPM.  Did you
purposely not install e2fsprogs?  If you did and it is missing now, then
maybe more is hacked than you think.  Do a
        rpm -qa | grep e2fsprogs
and see if that RPM distro is installed.  If it has been, then someone may
have renamed/removed them.  Mine are in /usr/bin.

As someone else noted, if you've been hacked, the most secure (and probably
the easiest) is to back up all data and flatten the box and patch it before
it has Internet access.  I had to recover a hacked box once without being
able to flatten and reinstall but I always let everyone on the sysadmin
level know that this box couldn't be trusted....

Mike



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Vanecek
Sent: Sunday, February 23, 2003 6:47 PM
To: [EMAIL PROTECTED]
Subject: Re: ftp incoming hacked


On Sun, 23 Feb 2003 10:34:27 -0600, Bret Hughes wrote
> On Sun, 2003-02-23 at 09:38, Mike Vanecek wrote:
> > Someone has ftp'd a file to my incoming folder with the name:
> > 
> > !! Just a Comment that you may want to READ.txt
> > 
> > The file permissions were set as rw r r which obviously is not a good thing.
> > Further, I am unable to less it or delete it. I did change the permissions to
> > 000 by chmod 000 *.
> > 
> > This is RH 7.1 running proftpd-xinetd, proftpd-1.2.2-3.5.swsoft.
> > 
> > How do I get rid of the offending message?
> > 
> > How do I prevent it from happening again?
> > 
> > Thanks, Mike.
> > 
> 
> as for the file, look at the extended attributes with lsattr. It is
> probably set with the i (immutable) flag

lsattr is not installed on my system. 

An ls of the directory:

[EMAIL PROTECTED] incoming]# d
total 5.0k
drwxrwx-wT    2 ftp      ftp          1.0k Feb 22 18:55 ./
drwxr-xr-x    4 ftp      ftp          1.0k Jan  7 21:52 ../
-rw-r--r--    1 ftp      ftp          1.2k Feb 22 18:55 !! Just a Comment that you may want to READ.txt
-rw-r--r--    1 root     root           89 Jan  7 21:54 .message

The long file name with !! has prevented me from doing anything with it
except via a wildcard *.

> chattr -whateverflag flag should remove whatever it is set to.

chattr not installed on my system either. If it was, I do not know the
syntax to override the long name with !! at the beginning.

> As to the how, you have been hacked. There are lots of threads in this
> list on what to do to secure your box.
> 
> See the archives at
> 
> http://marc.theaimsgroup.com/?l=redhat-list

Searched and found nothing relating to this problem.

Also looked at the proftpd home page with no results.

The file contains:

[quote]
I get lots of uploads and I always appreciate it so please don't think I'm
complaining but,

I have an index file in this dir, it can also be found at:
www.ae.utexas.edu/~johnv/mp3

Please make use of this, load it, hit ctrl+f and search for what you're
looking for, it's much quicker for you.

So, if you're going to upload check that first to see if I've already got
whatever you were planning to upload.
Searching the index is by far the fastest way to find things.  I spend a
considerable amount of time trying to share music and making it easy for
everyone, so good uploads are appreciated.

Also, I normally leave unfinished albums in the uploads dir for a while in
hopes that you will return to finish the upload.  Unfinished uploads are a
waste of your time and mine, please try to avoid it.

Finally, I do give out accounts to random people....
        best way to get my attention is offer me an account on your FTP server....
        don't have one, well download the File List Creator in the login dir and make an index
        If you contact me, you'll get much better response if there's an e-mail with an index attached to it.

Oh yeah, I really wouldn't recommend downloading from the uploads dir...
most of what's in here is incomplete.  This is just my opinion however.
[/quote off]

My transfer log shows:

Sat Feb 22 18:55:42 2003 0 pc-80-193-233-222-en.blueyonder.co.uk 1269 /var/ftp/incoming/!!_Just_a_Comment_that_you_may_want_to_READ.txt a _ i a [EMAIL PROTECTED] ftp 0 * c

Can anyone give me a bit more to go with?



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
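
The transfer-log entry quoted in the message above follows the xferlog layout, where the run `a _ i a` means ASCII transfer, no special action, incoming, anonymous session. As an added example (not part of the original thread or of ProFTPD), this Python parser decodes such lines and lists anonymous uploads into the incoming directory; the sample hosts, addresses and the second and third log lines are constructed, and it assumes the logged username field contains no spaces.

```python
from collections import namedtuple

# Field order of an xferlog line, the layout the entry in the thread follows.
Xfer = namedtuple("Xfer", "when secs host size path xtype action direction "
                          "access user service auth_method auth_user status")

ACCESS = {"a": "anonymous", "g": "guest", "r": "real"}
DIRECTION = {"i": "incoming", "o": "outgoing", "d": "deleted"}


def parse_xferlog(line):
    """Split one xferlog line; return None if it lacks the expected shape."""
    tok = line.split()
    if len(tok) < 18:
        return None
    # 5 date tokens + secs/host/size in front, 9 fixed fields at the end.
    # What lies between is the path: spaces are logged as '_', so it is
    # normally one token, but joining keeps the parser tolerant.
    head, path, tail = tok[:8], " ".join(tok[8:-9]), tok[-9:]
    if not (head[5].isdigit() and head[7].isdigit()):
        return None
    return Xfer(" ".join(head[:5]), int(head[5]), head[6], int(head[7]), path, *tail)


def anonymous_uploads(lines, prefix="/var/ftp/incoming/"):
    """Return uploads made by anonymous sessions into the given directory."""
    hits = []
    for rec in map(parse_xferlog, lines):
        if rec and (rec.direction, rec.access) == ("i", "a") and rec.path.startswith(prefix):
            hits.append(rec)
    return hits


# Constructed sample lines; hosts and addresses are placeholders.
SAMPLE = [
    "Sat Feb 22 18:55:42 2003 0 host1.example.invalid 1269 "
    "/var/ftp/incoming/!!_Just_a_Comment_that_you_may_want_to_READ.txt "
    "a _ i a anon@example.invalid ftp 0 * c",
    "Sat Feb 22 19:02:10 2003 1 host2.example.invalid 89 "
    "/var/ftp/pub/README b _ o a anon@example.invalid ftp 0 * c",
    "Sun Feb 23 08:15:03 2003 2 host3.example.invalid 4096 "
    "/home/mike/notes.txt b _ i r mike ftp 0 * c",
    "not an xferlog line",
]

if __name__ == "__main__":
    for r in anonymous_uploads(SAMPLE):
        print(r.when, r.host, r.size, ACCESS[r.access], DIRECTION[r.direction], r.path)
```
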


