[ale] Weird: Unable to delete or create files in /tmp.. "CannotUnlink"
James P. Kinney III
jkinney at localnetsolutions.com
Fri Nov 8 12:22:09 EST 2002
Odds are, the rm command and /tmp have been "tweaked" to prevent you
from being real root. Cinik is not just the only issue. It flags the box
as "accessible" then a root kit gets installed.
Use a boot floppy (Tom's root/boot) that was NOT built on that machine.
Boot with it and dump the /tmp directory and remake it. There are hidden
files in it (/tmp/.cinik and friends)
Use the rpm command:
rpm -Va
to check the status of every installed binary. It will output a string;
if it includes a "5", the binary's md5 checksum no longer matches the
installation package. It has been corrupted.
And if you happen to catch a cracker, cut off their fingers.
On Fri, 2002-11-08 at 00:08, F. Grant Robertson wrote:
> I'm generally not a person who asks questions, preferring to do the
> digging myself but, I've dug till I'm blue in the face with no luck.
>
> I have a mandrake 8.1 machine (ext2, 2.4.3-20mdk) that I am unable to
> delete files in /tmp from. I cannot create a new file, delete existing
> files, or modify existing files. This, as you may well imagine, is
> causing significant problems with anything that needs to work from /tmp
> (can't lock mailboxes, pop can't lock, php can't handle uploaded files,
> and anything else you can think of that would need to write to temp)
>
> Any help would be greatly appreciated.
>
> -g
>
> p.s. I've included some sample errors and such below to help anyone who
> wants to get into detail about it.
>
> drwxrwxrwt 9 root root 4096 Oct 26 11:28 ./
> drwxr-xr-x 22 root root 4096 Nov 8 04:04 ../
>
> [root at hartge /tmp]# ls -al /tmp/session_mm.sem
> -rwxrwxrwx 1 apache apache 0 Oct 6 17:56 /tmp/session_mm.sem*
>
> [root at hartge /tmp]# rm /tmp/session_mm.sem -f
> rm: cannot unlink `/tmp/session_mm.sem': Permission denied
>
> Notes: I can change permissions and ownership to anything root:root,
> rwxrwxrwx, nobody:nobody rwxrwxrwx and I always receive the same error
> message.
>
> * Problem started as a result of a cinik.worm attack, has been
> (reasonably) cleaned, rebooted, and just to make sure it wasn't a result
> of utilities that had been root kitted, I compiled and installed
> busybox. I get the same errors with it as I do with the currently
> installed "rm"
>
>
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
--
James P. Kinney III \Changing the mobile computing world/
President and CEO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
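
The `rpm -Va` check described in the reply, as an added example that is not part of the original message or written by either poster: it filters verify output down to the non-config files whose digest flag ("5", the third character of the flag string) is set. The sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pick out files from `rpm -Va` output whose digest changed.
# Each verify line is "<flags> [c|d|g|l|r] <path>". The third flag character
# is "5" when the file's digest no longer matches the package database.

# Constructed sample output (not taken from the machine in the thread).
sample_verify_output() {
    cat <<'EOF'
S.5....T   /bin/rm
.......T c /etc/inittab
S.5....T c /etc/httpd/conf/httpd.conf
..5.....   /bin/ls
missing    /usr/share/doc/example/README
.M......   /tmp
SM5....T   /usr/bin/find
EOF
}

# Read `rpm -Va` output on stdin and print the paths of files with a changed
# digest. Config files (marker "c") are skipped because they are expected to
# be edited after installation; "missing" lines carry no flag string.
changed_binaries() {
    awk '
        $1 == "missing"         { next }
        substr($1, 3, 1) != "5" { next }
        {
            marker = (NF >= 3 && $2 ~ /^[cdglr]$/) ? $2 : ""
            if (marker == "c") next
            line = $0
            sub(/^[^ ]+ +/, "", line)                   # drop the flag string
            if (marker != "") sub(/^[cdglr] +/, "", line) # drop the file marker
            print line                                  # path, spaces preserved
        }
    '
}

# Stand-alone run over the constructed sample. On a real system:
#   rpm -Va | changed_binaries
sample_verify_output | changed_binaries
```

A listed path is only a lead: compare the file against a copy from known-good installation media before trusting or replacing it.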