cannot remove files from /tmp
James Wilkinson
fedora at aprilcottage.co.uk
Tue Jan 9 08:42:19 UTC 2007

Steve Siegfried wrote:
> As an aside: 99.99% of Linux programs don't mess with file attribute bits.
> The only time I've seen these attributes modified in
> a non-orange-book-secure (i.e.: SELinux) environment
> was done as part of a script-kiddie break-in/root-hack.
> Because of this, I'm gonna ask: are you sure you're not
> being hacked even as you try and resolve this? Suggest at a
> minimum, you pick up a copy of chkrootkit available through
> http://www.chkrootkit.org and run it.

Firstly, chkrootkit is in extras, although it's more trustworthy if you
run it from "known good" media (e.g. a CD). (It is possible for a
rootkit to modify the kernel so that everything looks good to
user-space).

Secondly, Rolf's problems could also come from a corrupted filesystem. I'd
recommend booting from a rescue CD, *not* mounting any filesystems, and
fscking the filesystem in question.

Lastly, although 99.9% of Linux *programs* don't mess with file
attribute bits, it's a lot more common at the distribution level (and I
seem to remember stuff like Bastille does it too)[1]. But the set of
attributes that have been set doesn't look right for that.

Hope this helps,

James.

[1] For example, setting immutable bits on key system binaries to make
rootkits' lives that much harder.

--
E-mail: james@ | I'll be more enthusiastic about encouraging thinking
aprilcottage.co.uk | outside the box when there's evidence of any thinking
| going on inside it.
| -- Terry Pratchett
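
Added example, not part of the original message: a small shell filter for triaging the situation discussed in this thread, which reads `lsattr` output and reports the entries carrying the immutable (`i`) or append-only (`a`) attribute, the two flags that stop `rm` from working even for root. It assumes the usual e2fsprogs output layout (`<flags> <path>`); the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Read lsattr-style lines ("<flags> <path>") on stdin and print, tab-separated,
# the reason and the path for every entry that cannot be unlinked because of
# its attribute bits: i = immutable, a = append-only (see chattr(1)).
flag_undeletable() {
    while read -r flags path; do
        # Skip blank lines and "dir:" headers printed by lsattr -R.
        [ -n "$path" ] || continue
        # A real flags field holds only letters and dashes; anything else
        # (e.g. "lsattr: Operation not supported ...") is not a listing line.
        case "$flags" in
            *[!A-Za-z-]*) continue ;;
        esac
        reason=""
        case "$flags" in *i*) reason="immutable" ;; esac
        case "$flags" in *a*) reason="${reason:+$reason,}append-only" ;; esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$path"
        fi
    done
    return 0
}

# Constructed sample input (not taken from the thread).
SAMPLE='--------------e----- /tmp/session.lock
----i---------e----- /tmp/.hidden tool
-----a--------e----- /tmp/audit.log
----ia--------e----- /tmp/both
lsattr: Operation not supported While reading flags on /tmp/socket
/tmp/my dir:'

# On a live system, preferably booted from known-good media:
#   lsattr -a /tmp 2>&1 | flag_undeletable
```

Check the directory itself as well with `lsattr -d /tmp`, since the same attributes on the directory also prevent removing entries inside it.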