Hmmmm... The lsattr and chattr progs are part of the e2fsprogs RPM. Did you purposely not install e2fsprogs? If you did and it is missing now, then maybe more is hacked than you think. Do a rpm -qa | grep e3fsprogs and see if that RPM disto is installed. If it has been, then someone may have renamed/removed them. Mine are in /usr/bin.
As someone else noted, if you've been hacked, the most secure (and probably the easiest) is to backup all data and flatten the box and patch it before it has Internet access. I had to recover a hacked box once without being able to flatten and reinstall but I always let everyone on the sysadmin level know that this box couldn't be trusted.... Mike -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Vanecek Sent: Sunday, February 23, 2003 6:47 PM To: [EMAIL PROTECTED] Subject: Re: ftp incoming hacked On Sun, 23 Feb 2003 10:34:27 -0600, Bret Hughes wrote > On Sun, 2003-02-23 at 09:38, Mike Vanecek wrote: > > Someone has ftp'd a file to my incoming folder with the name: > > > > !! Just a Comment that you may want to READ.txt > > > > The file permissions were set as rw r r which obviously is not a good thing. > > Further, I am unable to less it or delete it. I did change the permissions to > > 000 by chmod 000 *. > > > > This is RH 7.1 running proftpd-xinetd, proftpd-1.2.2-3.5.swsoft. > > > > How to I get rid of the offending message? > > > > How do I prevent it from happening again? > > > > Thanks, Mike. > > > > as for the file, look at the extended attributes with lsattr I is > probably set with the i ( immutable) flag lsattr is not installed on my system. An ls of the directory: [EMAIL PROTECTED] incoming]# d total 5.0k drwxrwx-wT 2 ftp ftp 1.0k Feb 22 18:55 ./ drwxr-xr-x 4 ftp ftp 1.0k Jan 7 21:52 ../ -rw-r--r-- 1 ftp ftp 1.2k Feb 22 18:55 !! Just a Comment that you may want to READ.txt -rw-r--r-- 1 root root 89 Jan 7 21:54 .message The long file name with !! has prevented me from doing anything with it except via a wildcard *. > chattr -whateverflag flag should remove whatever it is set to. chattr not installed on my system either. If it was, I do not know the syntax to override the long name with !! at the beginning. > As to the how, you have been hacked. There are lots of threads in this > list on what to do. to secure your box. > > See the archives at > > http://marc.theaimsgroup.com/?l=redhat-list Searched and found nothing relating to this problem. Also looked at the proftpd home page with no results. The file contains: [quote] I get lots of uploads and I always appreciate it so please don't think I'm complaining but, I have an index file in this dir, it can also be found at: www.ae.utexas.edu/~johnv/mp3 Please make use of this, load it, hit ctrl+f and search for what you're looking for, it's much quicker for you. So, if you're going to upload check that first to see if I've already got whatever you were planning to upload. Searching the index is by far the fastest way to find things. I spend a considerable amount of time trying to share music and making it easy for everyone, so good uploads are appreciated. Also, I normally leave unfinished albums in the uploads dir for a while in hopes that you will return to finish the upload. Unfinished uploads are a waste of your time and mine, please try to avoid it. Finally, I do give out accounts to random people.... best way to get my attention is offer me an account on your FTP server.... don't have one, well download the File List Creator in the login dir and make an index If you contact me, you'll get much better response if there's an e-mail with an index attached to it. Oh yeah, I really wouldn't recommend downloading from the uploads dir... most of what's in here is incomplete. This is just my opinion however. [/quote off] My transfer log shows: Sat Feb 22 18:55:42 2003 0 pc-80-193-233-222-en.blueyonder.co.uk 1269 /var/ftp/incoming/!!_Just_a_Comment_that_you_may_want_to_READ.txt a _ i a [EMAIL PROTECTED] ftp 0 * c Can anyone give me a bit more to go with? -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://listman.redhat.com/mailman/listinfo/redhat-list