> Finding out what else has been done is not exactly a trivial task. If
> whoever did this isn't totally braindead, he edited .history and logfiles
> to hide traces. (But then it seems to be someone stupid because he didn't
> remove the ADMROCKS file).
I was very lucky to have noticed that folder... I'm in the process of
learning about things like Tripwire to help me keep track of changes.
Through this process, a few things have come to mind. Is there someplace
I could have gone to do a search on ADMROCKS to discover this hack? Also,
does RedHat have a mailing list that announces when updates are released
to fix problems like this?
> rpm --verify can help you find modified files, and a find / -perm 4755
> will find added setuid bits, but that's still not everything someone could
> have done.
Oh boy... 'find / -perm 4755' is something new. I just did a check on that
and found a lot of stuff...
/usr/bin/at
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/crontab
/usr/bin/vboxbeep
/usr/sbin/usernetctl
/usr/sbin/traceroute
/usr/sbin/userhelper
/bin/su
/bin/mount
/bin/umount
/bin/ping
Are all of these programs ok to be set with this permission and owned by
root, group root?
> Unless you absolutely know how to deal with this, backing up your data and
> reinstalling is probably the best thing to do.
I'm definitely planning on doing that. I'm learning a lot in the process.
This is also good because my server is co-located somewhere and it will be a
few days before I can get to it so I'm trying to patch things until I can
fix it.
-Ed
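The following is an added example, not code from this thread or from Red Hat. It takes the setuid check from the quoted advice one step further: rather than eyeballing the output of find each time, it lists setuid files with `-perm -4000` (which matches any mode that includes the setuid bit, whereas `-perm 4755` matches only that exact mode) and compares the result against a baseline, so that newly added setuid binaries stand out. The baseline is constructed here from the list in the post above; on a real host it should come from a clean install or package metadata, not from a machine already suspected of compromise.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate setuid binaries on a host and
# report any that are not in a known-good baseline.

# Baseline constructed from the list posted above. Replace with a list taken
# from a clean system before using this for real.
BASELINE_SETUID='/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/at
/usr/bin/chage
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/vboxbeep
/usr/sbin/traceroute
/usr/sbin/userhelper
/usr/sbin/usernetctl'

# list_setuid ROOT: print every regular file under ROOT with the setuid bit set.
# "-perm -4000" matches any mode that includes the bit; "-perm 4755" (as in the
# quoted advice) matches only that exact mode and would miss e.g. 4711 or 4555.
# -xdev keeps find on one filesystem so it does not wander into /proc or NFS.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_setuid LISTFILE: print the paths in LISTFILE (one per line, as
# produced by list_setuid) that do not appear in BASELINE_SETUID.
unexpected_setuid() {
    base=$(mktemp) || return 1
    printf '%s\n' "$BASELINE_SETUID" | sort > "$base"
    sort "$1" | comm -13 "$base" -
    rm -f "$base"
}

# Typical use on a live host (run as root so find can read every directory):
#   list_setuid / > /var/tmp/setuid.now
#   unexpected_setuid /var/tmp/setuid.now
# Anything printed is a candidate for "rpm -qf <path>" (which package owns it,
# if any) followed by "rpm -V <package>" to see whether the file was modified.
```

A path that shows up as unexpected is not automatically malicious (a locally built package can legitimately add one), but each such entry should be explainable; an unowned setuid file in a world-writable directory such as /tmp is the kind of finding that warrants the reinstall the quoted reply recommends.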