[ale] Weird: Unable to delete or create files in /tmp.. "CannotUnlink"

James P. Kinney III jkinney at localnetsolutions.com
Fri Nov 8 12:22:09 EST 2002


Odds are, the rm command and /tmp have been "tweaked" to prevent you
from being real root. Cinik is not the only issue. It flags the box
as "accessible" then a root kit gets installed.

Use a boot floppy (Tom's root/boot) that was NOT built on that machine.
Boot with it and dump the /tmp directory and remake it. There are hidden
files in it (/tmp/.cinik and friends).

Use the rpm command:

rpm -Va to check the status of every installed binary. It will output a
string; if it includes a "5", the binary's md5 checksum no longer
matches the installation package. It has been corrupted.

And if you happen to catch a cracker, cut off their fingers.

On Fri, 2002-11-08 at 00:08, F. Grant Robertson wrote:
> I'm generally not a person who asks questions, preferring to do the
> digging myself, but I've dug till I'm blue in the face with no luck.
> 
> I have a mandrake 8.1 machine (ext2, 2.4.3-20mdk) that I am unable to
> delete files in /tmp from. I cannot create a new file, delete existing
> files, or modify existing files. This, as you may well imagine, is
> causing significant problems with anything that needs to work from /tmp
> (can't lock mailboxes, pop can't lock, php can't handle uploaded files,
> and anything else you can think of that would need to write to temp)
> 
> Any help would be greatly appreciated.
> 
> -g
> 
> p.s. I've included some sample errors and such below to help anyone who
> wants to get into detail about it. 
> 
> drwxrwxrwt    9 root     root         4096 Oct 26 11:28 ./
> drwxr-xr-x   22 root     root         4096 Nov  8 04:04 ../
> 
> [root@hartge /tmp]# ls -al /tmp/session_mm.sem
> -rwxrwxrwx    1 apache   apache          0 Oct  6 17:56 /tmp/session_mm.sem*
> 
> [root@hartge /tmp]# rm /tmp/session_mm.sem -f
> rm: cannot unlink `/tmp/session_mm.sem': Permission denied
> 
> Notes: I can change permissions and ownership to anything root:root,
> rwxrwxrwx, nobody:nobody rwxrwxrwx and I always receive the same error
> message. 
> 
> * Problem started as a result of a cinik.worm attack, has been
> (reasonably) cleaned, rebooted, and just to make sure it wasn't a result
> of utilities that had been root kitted, I compiled and installed
> busybox. I get the same errors with it as I do with the currently
> installed "rm"
> 
> 
> 
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
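
The `rpm -Va` check described in the reply above can be triaged with a small filter. This is an added example, not part of the original thread: the function names and the sample lines are constructed for illustration, and it assumes the usual `rpm -V` line layout (a flag string whose third character is the digest test, an optional one-letter file-type marker such as `c` for config, then the path).

```shell
#!/bin/sh
# Triage `rpm -Va` output: report files whose digest no longer matches the package.
# Real use (ideally with rpm run from trusted rescue media):
#   rpm -Va 2>/dev/null | classify_rpm_verify

classify_rpm_verify() {
    awk '
    {
        flags = $1
        # Optional marker column: c=config d=doc g=ghost l=license r=readme
        marker = ($2 ~ /^[cdglr]$/ && NF >= 3) ? $2 : "-"

        # Rebuild the path so names containing spaces survive
        path = $0
        sub(/^[^ \t]+[ \t]+/, "", path)
        if (marker != "-") sub(/^[cdglr][ \t]+/, "", path)

        if (flags == "missing") {
            verdict = "MISSING"
        } else if (length(flags) >= 8 && flags ~ /^[A-Z0-9.?]+$/) {
            digest = substr(flags, 3, 1)      # third column is the digest test
            if (digest == "5")
                # Edited config files are expected; changed binaries are not
                verdict = (marker == "c") ? "CONFIG-CHANGED" : "DIGEST-MISMATCH"
            else if (digest == "?")
                verdict = "UNREADABLE"        # rpm could not perform the test
            else
                next                          # size/mtime-only changes: skip
        } else {
            next                              # not a verify line (e.g. dependency notes)
        }
        print verdict "\t" path
    }'
}

# Constructed sample input (not output from the machine in this thread)
sample_rpm_va() {
    cat <<'EOF'
S.5....T   /bin/rm
S.5....T c /etc/inetd.conf
.......T   /usr/bin/less
missing    /usr/share/doc/foo/README
..?.....   /etc/shadow
SM5....T   /bin/ls
EOF
}

sample_rpm_va | classify_rpm_verify
```

Lines reported as `DIGEST-MISMATCH` are the ones to compare against known-good packages; `CONFIG-CHANGED` entries are usually local edits but still worth reading on a compromised host.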


