[TriLUG] Odd

Brian McCullough bdmc at bdmcc-us.com
Fri Aug 5 19:44:29 EDT 2005


On Fri, Aug 05, 2005 at 03:33:25PM -0400, Michael Alan Dorman wrote:
> 
> Try using lsattr to look at the attributes of the file---if a file is
> marked i (for immutable), then chattr -i install-info will make it
> read/write, but I'll go ahead and mention that the only time I've ever
> seen a file or bits of files go suddenly immutable was when a box I
> had once administered was hacked.


Bingo!  Chkrootkit says that I have Suckit.

OK, now what?  I gather that I will need to compile a new kernel, change
the immutable bit in /usr/sbin/*, replace ps, top, ls, init, netstat.
Anything else?  Any suggestions for plugging the hole after the horse
has bolted?

On a network that has apparently no holes except ssh and mail (but not
betting on it), was this penetration definitely from inside, or could it
have come in from outside?


Brian
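
Added example (not part of the original thread): a shell filter that reads `lsattr` output and lists every file carrying the immutable `i` flag, which is the check suggested in the quoted reply. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find files with the ext2/3/4 immutable (i) attribute set.

# Read lsattr output on stdin; print the path of each entry that has the i flag.
immutable_from_lsattr() {
    while IFS= read -r line; do
        attrs=${line%% *}      # first field: the flag string
        path=${line#* }        # remainder: the path (may contain spaces)
        # Blank lines and "dir:" headers from lsattr -R have no flag field.
        [ "$attrs" != "$line" ] || continue
        case $attrs in
            ''|*[!A-Za-z-]*) continue ;;   # not a flag string, skip it
        esac
        # Case-sensitive: lowercase i is immutable, uppercase I is an
        # indexed directory and is not reported.
        case $attrs in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Run lsattr recursively over the given directories and filter the result.
scan_immutable() {
    for dir in "$@"; do
        lsattr -R "$dir" 2>/dev/null
    done | immutable_from_lsattr
}

# Constructed sample of lsattr -R output (not taken from the affected host).
sample_lsattr_output() {
    cat <<'EOF'
-------------e-- /usr/sbin/sshd
----i--------e-- /usr/sbin/install-info
-----------I-e-- /usr/sbin/conf.d
----ia-------e-- /usr/sbin/my tool

/usr/sbin/conf.d:
----i--------e-- /usr/sbin/conf.d/a.conf
EOF
}

# With directory arguments, scan them; with none, only define the functions.
[ "$#" -eq 0 ] || scan_immutable "$@"
```

Saved under a name of your choice, it is run as `sh check-immutable.sh /usr/sbin`. On a host that chkrootkit has already flagged, the installed binaries are among the things the message lists for replacement, so run it from known-good boot media against the mounted filesystem.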


