Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian User (http://www.linux-archive.org/debian-user/)
-   -   SOLVED: permissions all zero when using 'cp' (http://www.linux-archive.org/debian-user/472944-solved-permissions-all-zero-when-using-cp.html)

Martin Lorenz 01-05-2011 07:50 AM
SOLVED: permissions all zero when using 'cp'
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to all, who helped

it definitely was a rootkit.
came in by this exim bug:

- -
http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=exim4+root

- - http://www.exim.org/lurker/message/20101210.164935.385e04d0.en.html
- - http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- -
http://www.h-online.com/open/news/item/Possible-root-vulnerability-in-Exim-internet-mailer-Update-1150631.html

- - http://blog.steve.org.uk/the_remote_root_hole_in_exim4_is_painful.html
- - http://www.exploit-db.com/exploits/15725/
- - http://www.gossamer-threads.com/lists/exim/dev/89477

reinstalled an had a painful night seting up all services again

Am 01.01.2011 21:09, schrieb Chris Davies:
> Martin Lorenz <martin@lorenz.priv.at> wrote:
>> i recently noticed some errors at my mail-server and so I tried to drill
>> it down with my limited abilities.
>
>> what I found is really strange:
>> when copying a file (no matter which) the copy gets zero permissions.
>
> Silly question time, because I've encountered this kind of problem myself,
> once before...
>
> Is your filesystem remotely mounted from another server?
> Chris
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNJDDRAAoJECZ8myNlGwU1B/kH/1Rwlpl7GEzo5X7yzBjgKkcp
NNezyv1X9+ncsqWOxrXstHH26ta9Ajht4KUm+MtmFMY90b0d7N pPMK7d0sEfx16M
VxmdUnR7e8qH1R0aBOqcSlXM3GwAdCDL+LbL6FQ3nAqyX84ln4 VFr2hQwej25eTQ
J+dEvLKiKY3YRM84VN+uuqIy0RQcXSBFm7FWpj1/F2AOa0fzaT9vF4N72imGbJOA
y6fMtWV1hnUjGWVRTNUKTvEdrJhO82GSHgCuJ0uYBnSUCvSBVL fsjmeQ/vD62v+Y
uc4qsRoI12Q0o4ro0y7147ckf7JsfSC5hi3qee5ZxAx+K0ONBD 09gQUKi0WWcBc=
=S+XN
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D2430DB.4000802@lorenz.priv.at">http://lists.debian.org/4D2430DB.4000802@lorenz.priv.at

Jochen Schulz 01-06-2011 01:48 PM
SOLVED: permissions all zero when using 'cp'
 
Martin Lorenz:
>
> Thanks to all, who helped
>
> it definitely was a rootkit.
> came in by this exim bug:

Just out of curiosity: do you know when the attacker succeeded? The DSA
was published Dec 10th. Did you have a (theoretical) chance to install
the patch beofre the attack?

J.
--
I am on the payroll of a company to whom I owe my undying gratitude.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>

Doug 01-06-2011 07:47 PM
SOLVED: permissions all zero when using 'cp'
 
On 01/06/2011 09:48 AM, Jochen Schulz wrote:

Martin Lorenz:

Thanks to all, who helped

it definitely was a rootkit.
came in by this exim bug:

Just out of curiosity: do you know when the attacker succeeded? The DSA
was published Dec 10th. Did you have a (theoretical) chance to install
the patch beofre the attack?

J.

I wish you would elaborate. What is a DSA, and what is the patch to which
you refer? (DSA: Denial of Service Attack?) I assume the patch is something
that repels rootkit attacks. Is the patch applicable to all Linux
distros? Is it

likely to appear in the repo? Would my distro most likely include it in the
usual upgrades I do every few days?

--doug

--
Blessed are the peacemakers...for they shall be shot at from both sides. --A. M. Greeley


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4D262A63.6060700@optonline.net">http://lists.debian.org/4D262A63.6060700@optonline.net

Bob Proulx 01-06-2011 07:56 PM
SOLVED: permissions all zero when using 'cp'
 
Doug wrote:
> Jochen Schulz wrote:
> >Martin Lorenz:
> > > Thanks to all, who helped
> > >
> > > it definitely was a rootkit. came in by this exim bug:
> >
> > Just out of curiosity: do you know when the attacker succeeded? The DSA
> > was published Dec 10th. Did you have a (theoretical) chance to install
> > the patch beofre the attack?
>
> I wish you would elaborate. What is a DSA, and what is the patch to which
> you refer? (DSA: Denial of Service Attack?)

DSA is Debian Security Advisories. Each one is numbered for later
reference. You can read about them here.

http://www.debian.org/security/

I recommend subscribing to the debian-security-announce mailing list.
Then you will get notice of each advisory as it is posted. It is a
low volume list for announcements only.

> I assume the patch is something that repels rootkit attacks. Is the
> patch applicable to all Linux distros? Is it likely to appear in
> the repo? Would my distro most likely include it in the usual
> upgrades I do every few days?

If you haven't already done so you should also make sure that you have
the security repository included in your APT sources.list file.

deb http://security.debian.org/ lenny/updates main contrib non-free

Replace "lenny" in the above with the name of your current release.

The exim4 advisory is this one:

http://www.debian.org/security/2010/dsa-2131

I install all security upgrades as quickly as possible on all of my
machines.

Bob


All times are GMT. The time now is 09:07 AM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.