[ale] file perms

Bob Toxen transam at VerySecureLinux.com
Fri Apr 11 00:37:28 EDT 2008


As Chris hinted at, assuming that the file system is mounted R/W and
not R/O, it is likely that a hacker has set the immutable bit.  Assuming
the file is named /foo/bar, first do:

     lsattr /foo/bar

If you see anything other than dashes before the name, especially,

     ----i--------- /foo/bar

then the immutable bit has been set.  This bit prevents any of the
normal operations that alter the file or its i-node data from happening,
even for root.

Issue the command:

     chattr -i /foo/bar

and

     lsattr /foo/bar

and expect to see

     -------------- /foo/bar

At that point you should be able to do a chmod on the file.  Assuming it
wasn't another SysAdmin playing a joke on you, you have been hacked so
the real work begins.  Don't just reboot or throw away current data and
just restore from a backup.

Proper recovery is covered starting at page 667 of Real World Linux
Security, Second Edition.

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality spam and virus filters.
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002

On Thu, Apr 10, 2008 at 05:18:18PM +0000, cdcoleman at bellsouth.net wrote:
>   -------------- Original message from "Jim Kinney" <jim.kinney at gmail.com>: --------------

> I have a file that appears to be chmod'ed 000 , yes no read, write or execute for any one. As root, I can't chmod it. I am puzzled and a tad concerned.

> Thoughts?
> -- 
> -- 
> James P. Kinney III 
>   Try lsattr file_name to see if the immutable(i) attribute was added. If so, try as root, chattr -i file_name to remove it.

> [root at test15 ~]# chattr +i cd_load.log 
> [root at test15 ~]# lsattr cd_load.log 
> ----i-------- cd_load.log
> [root at test15 ~]# chmod 755 cd_load.log 
> chmod: changing permissions of `cd_load.log': Operation not permitted

> Chris Coleman
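
Added example, not part of the original message: a small POSIX shell filter that reads lsattr output and lists every file carrying the immutable (i) or append-only (a) attribute, so the full set of flagged files can be recorded before any chattr -i is run. The function names (flagged_attrs, scan_tree, sample_lsattr) and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files whose lsattr flags include immutable (i)
# or append-only (a). Function names are hypothetical.

# Read lsattr-format lines ("<flags> <path>") on stdin and print
# "<kind><TAB><path>" for each flagged file.
flagged_attrs() {
    while read -r flags path; do
        # Blank lines and "dir:" headers from `lsattr -R` have no path field.
        [ -n "$path" ] || continue
        case "$flags" in
            *[!A-Za-z-]*) continue ;;   # first field is not an attribute string
        esac
        case "$flags" in
            *i*a*|*a*i*) printf '%s\t%s\n' both "$path" ;;
            *i*)         printf '%s\t%s\n' immutable "$path" ;;
            *a*)         printf '%s\t%s\n' append-only "$path" ;;
        esac
    done
}

# Walk a directory tree (including dot files) and report flagged files.
scan_tree() {
    lsattr -Ra "$1" 2>/dev/null | flagged_attrs
}

# Constructed sample of lsattr -R output, used when no directory is given.
sample_lsattr() {
    cat <<'EOF'
-------------- /foo/clean
----i--------- /foo/bar
-----a-------e---- /var/log/app log.txt
----ia-------- /etc/example.conf

/foo/sub dir:
--------------e----- /foo/sub dir/ok
EOF
}

if [ "$#" -gt 0 ]; then
    scan_tree "$1"
else
    sample_lsattr | flagged_attrs
fi
```

Run it with a directory argument to scan a real tree; saving the output alongside timestamps from stat preserves the list of flagged files before they are changed.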

