]hmmm okey.. let see where the problem is.
]first see for master sort of priv control
]make sure it doesn't hv any flags. If got remove it. To see if the file
]really corrupted or something wrong. do copy out to /tmp and see if its
]readable. If nope u got a serious problem. Do this.
]init 1 <-- run into single mode
]mount -oremount,rw / <-- remount root filesystem read-only
]e2fsck -f /dev/"root disk" <-- run check disk
]if the problem resist then u going to hv allot of fun. learn to use
]"debugfs" but do take extra care when use this command. Check also
]/lost+found, if got lots of file inside .. signal is that filesystem or
]hard disk isn't stable.
]On Tue, 28 May 2002 23:37:35 GMT
]> I have posted several posts on ssh. The level may be
]> backleveled. I am trying to upgrade uning rpm.
]> The script file sshd in /etc/rc.d/init.d has somehow gotten
]> corrupted. It shows a group of root and a owner of lp and a
]> mod of 700.
]> rpm attempts to update this file and gets permission denyed
]> so I shut sshd down and tried to remove it. That action got
]> the same result.
]> So I brought the system to init level 1 as root and tried
]> changing the mod, the owner, the group all to the same
]> error. I even tried moving it.
]> How can I remove this file??
This almost always means that you have been rooted, as they say-- ie
someone has cracked your machine, and has installed their own version of
various programs. They have used chattr to change the attributes of the
files so you cannot (easily) remove them.
To remove the file, you can do
chattr -i name.of.the.file
(i stands for immutable)
However, I would not do that-- I would look for other evidence of being
rpm -Va |grep '..5'>/tmp/verify
and look through /tmp/verify for files which have been changed. Some
should have been (/etc/passwd, etc) but some should not (ssh,
ps,ls,find,...) If you find evidence of the latter, you have definitely
been broken into. You must reinstall.
It is possible that the rpm database has been comprimised, or that the
rpm program itself has been altered to hide their depredations.
Copy a copy of rpm from a place you know to be valid.
ince reinstalling is a pain, which if it is not necessary may be worse
than the disease, so it is worthwhile trying to get a valid version of
rpm if you suspect that it has been comprimised.