Re: Re[2]: [cobalt-security] amd root?
- Subject: Re: Re[2]: [cobalt-security] amd root?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 7 Feb 2002 22:13:29 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Eugene,
> If you are using vi(m), save with ":w!" command, with exclamation mark.
> Vi tries to be "friendly" and stops you if it *thinks* that you cannot
> write to the file rather than when attempt to write in fact fails.
I used vi, pico and midnight commander. I even tried to copy, move and
echo into the file. To no avail. User "root" didn't have the permission to
modify /etc/shadow on that system.
Comparison of /proc/ksyms with a reference system did suggest that a
malicious kernel module had been inserted, responsible for that hiccup.
Apparently the insertion of this module was done before /etc/rc.d/rc.sysinit
was completely executed upon server startup and the file had not been
modified. At that point I aborted my audit and suggested an OS restore. Now I
wish I had at least taken the bandwidth-monitoring module apart, as it seems
to have been replaced with the malicious LKM. Nothing else would make sense.
:o/
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
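The /proc/ksyms comparison Michael describes, as an added example that is not part of the original post or of any Cobalt tooling. It compares the exported symbol table of a suspect host against a known-good reference by symbol name and module tag rather than by address, since module load addresses legitimately differ between boots and between machines. The two symbol tables embedded below are constructed for the demonstration; the module name "bwmon" and the symbol names under it are hypothetical stand-ins for a replaced module, not names taken from the post.

```shell
#!/bin/sh
# Added example: diff the exported kernel symbol table of a suspect host
# against a known-good reference host. Input is the /proc/ksyms format of
# 2.2/2.4 kernels: "<hex address> <symbol> [<module>]", where the bracketed
# module tag is absent for symbols exported by the core kernel.
# Both tables below are constructed sample data; "bwmon" is a hypothetical
# module name used only for illustration.

REF_KSYMS='c0100000 _stext
c0123456 sys_call_table
c8830000 ip_tables_check [ip_tables]
c8830100 ipt_do_table [ip_tables]'

SUSPECT_KSYMS='c0100000 _stext
c0123456 sys_call_table
c8840000 ip_tables_check [ip_tables]
c8840100 ipt_do_table [ip_tables]
c8850000 hacked_getdents [bwmon]
c8850200 orig_sys_write [bwmon]'

# Reduce a ksyms table on stdin to sorted, unique "symbol module" pairs.
# Addresses are deliberately dropped; "kernel" marks core-kernel exports.
# LC_ALL=C keeps sort(1) and comm(1) agreeing on collation order.
ksyms_names() {
    awk 'NF >= 2 {
        mod = ($3 == "" ? "kernel" : $3)
        gsub(/\[|\]/, "", mod)
        print $2, mod
    }' | LC_ALL=C sort -u
}

# Symbols exported on the suspect host that the reference does not export.
# $1: reference table text, $2: suspect table text.
ksyms_new_symbols() {
    ref_tmp=$(mktemp) || return 1
    sus_tmp=$(mktemp) || { rm -f "$ref_tmp"; return 1; }
    printf '%s\n' "$1" | ksyms_names > "$ref_tmp"
    printf '%s\n' "$2" | ksyms_names > "$sus_tmp"
    LC_ALL=C comm -13 "$ref_tmp" "$sus_tmp"
    rm -f "$ref_tmp" "$sus_tmp"
}

# Module tags that appear on the suspect host but not on the reference:
# the shortlist of modules worth pulling apart before restoring the OS.
ksyms_new_modules() {
    ksyms_new_symbols "$1" "$2" | awk '{ print $2 }' \
        | LC_ALL=C sort -u | grep -v '^kernel$' || true
}

# Stand-alone run against the constructed tables.
echo "New symbols on suspect host:"
ksyms_new_symbols "$REF_KSYMS" "$SUSPECT_KSYMS"
echo "Modules not present on reference host:"
ksyms_new_modules "$REF_KSYMS" "$SUSPECT_KSYMS"
```

Against real hosts, capture `cat /proc/ksyms` on the reference and on the suspect into files and feed their contents to `ksyms_new_symbols`. Two caveats a practitioner should keep in mind: a loaded LKM rootkit can filter what /proc/ksyms reports, so a clean diff is not proof of a clean system, only a mismatch is a strong hint; and on 2.6 and later kernels the table lives in /proc/kallsyms with an extra symbol-type column (`<address> <type> <symbol> [<module>]`), so the awk field numbers above would need shifting by one.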