chmod 666 ///

Bruce Hyatt brucejhyatt at yahoo.com
Sat Apr 12 01:13:25 UTC 2008


--- Harald Hoyer <harald at redhat.com> wrote:

> Bruce Hyatt wrote:
> >>> I carelessly executed "chmod 666 ///" from a terminal as su
> >>> in a user account.

<snip>

> 
> Here is a fixed version taken from
> /usr/lib/rpm/rpmpopt-4.4.2.2:
> 
> # rpm -qa --qf '[\[ -L %{FILENAMES:shescape} \] || chmod %7.7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \
>     | grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | tee /dev/tty | sh

I executed this command and it seemed to run without a problem.
It didn't fix my problem though. I still can't startx and when I
try to log into my account it says "No directory /home/me" but
it _IS_ there with rwx permissions for owner.

I plan to re-install but after seeing the thread on compromised
systems I started to wonder. I ran nmap:

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
443/tcp open  https
515/tcp open  printer

I have (had) a web server running
I tried setting up ssh once and I believe it was set up to use
keys (SSH2).

I ran rpm -Va:

.M......    /dev/shm
......G.    /dev/tty0
.M....G.    /dev/tty2
.M....G.    /dev/tty3
.M....G.    /dev/tty4
.M....G.    /dev/tty5
.M....G.    /dev/tty6
......G.    /dev/tty7
S.5....T  c /etc/openldap/ldap.conf
S.5....T  c /etc/pam_smb.conf
.......T  c /etc/mail/sendmail.cf
S.5....T  c /var/log/mail/statistics
S.5....T  c /etc/ntp.conf
S.5....T  c /etc/hotplug/usb.usermap
S.5....T  c /etc/krb.conf
S.5....T  c /etc/yum.conf
.......T  c /etc/inittab
S.5....T  c /etc/rc.d/rc.local
..5....T  c /etc/sysctl.conf
.......T  c /var/lib/nfs/etab
.......T  c /var/lib/nfs/xtab
S.5....T  c /etc/ntp/ntpservers
S.5....T  c /etc/php.ini
S.5....T  c /etc/sysconfig/rhn/up2date
S.5....T  c /etc/sysconfig/rhn/up2date-uuid
.......T    /usr/lib/security/classpath.security
.......T    /usr/lib/security/libgcj.security
S.5....T  c /etc/alchemist/namespace/printconf/local.adl
S.5....T  c /etc/sysconfig/system-config-securitylevel
.......T    /usr/bin/addr2name.awk
S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T  c /etc/pam.d/system-auth
.......T  c /etc/yp.conf
S.?.....    /usr/lib/libao.so.2.1.2
S.?.....    /usr/lib/libgtkspell.so.0.0.0
S.5....T  c /etc/sysconfig/pcmcia
missing    /usr/java/jre1.5.0_12/lib/charsets.pack
missing    /usr/java/jre1.5.0_12/lib/deploy.pack
missing    /usr/java/jre1.5.0_12/lib/ext/localedata.pack
missing    /usr/java/jre1.5.0_12/lib/javaws.pack
missing    /usr/java/jre1.5.0_12/lib/jsse.pack
missing    /usr/java/jre1.5.0_12/lib/plugin.pack
missing    /usr/java/jre1.5.0_12/lib/rt.pack
..5....T  c /etc/aliases
S.5....T  c /etc/printcap
S.5....T  c /etc/profile
S.5....T  c /usr/share/a2ps/afm/fonts.map
S.5.....  c /etc/rndc.key
S.5....T  c /etc/sysconfig/named
S.5....T  c /etc/sysconfig/rhn/rhn-applet
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_apt.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_protocols.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_version.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet_yum.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_sources.pyc
S.5....T    /usr/share/rhn/rhn_applet/rhn_utils.pyc
S.5....T  c /etc/ppp/chap-secrets
S.5....T  c /etc/ppp/pap-secrets
.M......    /etc/cups
S.5....T  c /etc/cups/cupsd.conf
S.5....T  c /etc/cups/printers.conf
S.5....T  c /etc/xinetd.d/cups-lpd
.M......    /var/spool/cups/tmp
..5....T  c /etc/sysconfig/system-config-users
.......T    /usr/share/system-config-users/groupProperties.pyc
.......T    /usr/share/system-config-users/groupWindow.pyc
.......T    /usr/share/system-config-users/mainWindow.pyc
.......T    /usr/share/system-config-users/messageDialog.pyc
missing    /usr/share/system-config-users/selinux.pyc
missing    /usr/share/system-config-users/system-config-users.pyc
.......T    /usr/share/system-config-users/userGroupCheck.pyc
.......T    /usr/share/system-config-users/userProperties.pyc
.......T    /usr/share/system-config-users/userWindow.pyc
S.5....T  c /etc/mailcap
S.5....T  c /etc/mime.types
S.5....T  c /etc/ldap.conf
S.5....T    /usr/share/system-config-bind/ConfNamed.pyc
S.5....T    /usr/share/system-config-bind/FwdZone.pyc
S.5....T    /usr/share/system-config-bind/Zone.pyc
S.5....T  c /etc/xml/catalog
S.5....T  c /usr/share/sgml/docbook/xmlcatalog
S.5....T  c /etc/samba/smb.conf

Many lines appear to suggest it's compromised but why would they
attack the RHN and other Python compiler scripts. Could this be
related to having changed file permissions?

I tried to run chkrootkit but I couldn't find it though I think
it's installed somewhere.

Does it look to YOU like someone's hijacked my system beyond
repair with a reinstall?

Thanks and sorry for the length (of the email).

Bruce
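As an added triage helper (example code, not part of this thread or of rpm itself), the script below parses `rpm -Va` lines like the ones quoted above into review buckets using rpm's flag columns (S size, M mode, 5 digest, U user, G group, T mtime, `?` unverifiable, and the `c` config-file marker), so that digest changes on non-config files surface ahead of expected config edits and mtime-only drift. On a host suspected of compromise the rpm binary and its database are themselves unverified, so this only orders what to look at first; it does not clear the machine. It assumes the classic eight-character flag field and uses sample lines taken from the output above.

```python
import re
from collections import defaultdict

# rpm -Va verify flags: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime.
# '.' = attribute matched, '?' = could not be checked. Optional type column: 'c' = config file.
LINE_RE = re.compile(
    r'^(?P<flags>[SM5DLUGT.?]{8}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$'
)

def parse_line(line):
    """Return {'flags', 'config', 'path'} for one rpm -Va line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {'flags': m['flags'], 'config': m['ftype'] == 'c', 'path': m['path']}

def classify(entry):
    """Bucket an entry by how much review it deserves; checks run most suspicious first."""
    f = entry['flags']
    if f == 'missing':
        return 'missing'
    if '?' in f:
        return 'unverifiable'        # rpm could not read or hash the file
    if entry['config']:
        return 'config-edited'       # %config files are expected to be edited by the admin
    if '5' in f or 'S' in f:
        return 'content-changed'     # payload differs from the package: review these first
    if 'M' in f or 'U' in f or 'G' in f:
        return 'owner-or-mode'       # permission/ownership drift (e.g. an over-broad chmod)
    return 'metadata-only'           # only mtime/device/link flags differ

def triage(output):
    """Group the parsed lines of rpm -Va output into review buckets (unparseable lines are skipped)."""
    buckets = defaultdict(list)
    for line in output.splitlines():
        entry = parse_line(line)
        if entry:
            buckets[classify(entry)].append(entry['path'])
    return dict(buckets)

# Constructed sample: a handful of lines copied from the rpm -Va output in the mail above.
SAMPLE = """\
.M......    /dev/shm
.M....G.    /dev/tty2
S.5....T  c /etc/rc.d/rc.local
.......T    /usr/lib/security/classpath.security
S.?.....    /usr/lib/libao.so.2.1.2
missing    /usr/java/jre1.5.0_12/lib/rt.pack
S.5....T    /usr/share/rhn/rhn_applet/rhn_applet.pyc
"""

if __name__ == '__main__':
    for bucket, paths in triage(SAMPLE).items():
        print(bucket, paths)
```

Run it as `rpm -Va | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()` to apply it to a live system.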
