Given my current network configuration, I highly doubt I have been hacked. Anything is possible. Is there any other explanation? I have FBSD 4.4 release. I am root. You are telling me the immutable bit does not become set as a result of a typical install?
Eric

Quoting Petrus Repo <[EMAIL PROTECTED]>:

> Hi.
>
> If you cannot remove the SUID-bit even though you are root, you might
> already be hacked (if you haven't set any protection yourself). Try
> issuing "lsattr /usr/bin/rsh". If you see an "i" between the "-" marks,
> then there is an immutable flag set to that file. This means that the
> file is protected and you cannot touch it unless you unset the flag by
> issuing "chattr -i <file>".
>
> If there was an immutable flag that you haven't set, I strongly recommend
> that you reinstall your system (and then reconfigure it secure :) since
> you really cannot know how the intruders have backdoored your machine.
>
> Regards,
>
> - Petrus
>
> On Mon, 3 Jun 2002, Eric wrote:
>
> > I am trying to delimit the number of programs that have SUID permission.
> > Following a friendly recommendation, I found the programs that have
> > SUID by:
> >
> >   find / -type f -perm -u+s -or -perm -g+s
> >
> > I attempted to change SUID on some of the results, again following a
> > suggestion:
> >
> >   chmod -s file
> >
> > However, this command works sometimes, and sometimes only results in
> > a "permission denied, operation not permitted" message. For
> > instance, /usr/bin/cu and /usr/bin/rsh resulted in that error message,
> > but /usr/bin/lpr did work. Why the difference?
> >
> > Thank you,
> >
> > Eric
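Added example, not part of the original thread: on FreeBSD, file flags are listed with `ls -lo` and changed with `chflags`, not with `lsattr`/`chattr`. The functions below read `ls -lo` output, pick out set-id files, and show which ones carry an immutable flag that makes `chmod -s` fail; the function names and the sample listing (owners, sizes, flags) are constructed assumptions chosen to match the behaviour reported above.

```shell
#!/bin/sh
# Assumed `ls -lo` columns: mode links owner group flags size month day year path
# Paths containing spaces are not handled (the path is taken as the last field).

# Constructed sample listing; not output captured from a real system.
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x  1 root  wheel   schg  12345 Sep 18  2001 /usr/bin/rsh
-r-sr-xr-x  1 uucp  dialer  schg 123456 Sep 18  2001 /usr/bin/cu
-r-sr-sr-x  1 root  daemon  -     23456 Sep 18  2001 /usr/bin/lpr
-r-xr-xr-x  1 root  wheel   -     34567 Sep 18  2001 /bin/ls
EOF
}

# Print "<flag> <path>" for every setuid/setgid file on stdin, where <flag>
# is schg, uchg, or "none" when no immutable flag is set.
classify_setid() {
    awk '
    {
        mode = $1; flags = $5; path = $NF
        # set-id bits appear as s/S in the owner or group execute position
        if (substr(mode, 4, 1) !~ /[sS]/ && substr(mode, 7, 1) !~ /[sS]/) next
        # the flags column is a comma-separated list, or "-" when empty
        found = "none"
        n = split(flags, f, ",")
        for (i = 1; i <= n; i++)
            if (found == "none" && (f[i] == "schg" || f[i] == "uchg")) found = f[i]
        print found, path
    }'
}

# Turn the classification into the commands root would review and run.
# With kern.securelevel above 0, schg cannot be cleared on a running system.
plan_chmod() {
    classify_setid | while read -r flag path; do
        case $flag in
            none) echo "chmod -s $path" ;;
            *)    echo "chflags no$flag $path && chmod -s $path" ;;
        esac
    done
}

sample_listing | plan_chmod
```

On a live system the input would come from piping the `find` results through `ls -lo` instead of `sample_listing`.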
