Very Computer

> How can I remove this file??

> :The script file sshd in /etc/rc.d/init.d has somehow gotten
> :corrupted. It shows a group of root and a owner of lp and a
> :mod of 700.

> :How can I remove this file??

>   I don't like just rm'ing init rc's.  You can't go back.
> I would advise an /etc/ dir tree for temp storage and mv
> the rc script.
>     mkdir /etc/was.init.d
>     cd /etc/rc.d/init.d
>     mv <filename> /etc/was.init.d/

> Also, the sticky bit may be set on the file perms.
> as root: chmod 0700 <filename>

> :The script file sshd in /etc/rc.d/init.d has somehow gotten
> :corrupted. It shows a group of root and a owner of lp and a
> :mod of 700.

> :How can I remove this file??

>   I don't like just rm'ing init rc's.  You can't go back.
> I would advise an /etc/ dir tree for temp storage and mv
> the rc script.
>     mkdir /etc/was.init.d
>     cd /etc/rc.d/init.d
>     mv <filename> /etc/was.init.d/

> Also, the sticky bit may be set on the file perms.
> as root: chmod 0700 <filename>

> I have posted several posts on ssh. The level may be
> backleveled. I am trying to upgrade uning rpm.

> The script file sshd in /etc/rc.d/init.d has somehow gotten
> corrupted. It shows a group of root and a owner of lp and a
> mod of 700.

> rpm attempts to update this file and gets permission denyed
> so I shut sshd down and tried to remove it. That action got
> the same result.

> So I brought the system to init level 1 as root and tried
> changing the mod, the owner, the group all to the same
> error. I even tried moving it.

> How can I remove this file??

> Thanks,
> Dan

> init 1  <-- run into single mode
> mount -oremount,rw /  <-- remount root filesystem read-only

> ]Hi,

> ]hmmm okey.. let see where the problem is.

> ]first see for master sort of priv control

> ]lsattr /etc/rc.d/filename

> ]make sure it doesn't hv any flags. If got remove it. To see if the file
> ]really corrupted or something wrong. do copy out to /tmp and see if its
> ]readable. If nope u got a serious problem. Do this.

> ]init 1  <-- run into single mode
> ]mount -oremount,rw /  <-- remount root filesystem read-only
> ]e2fsck -f /dev/"root disk"  <-- run check disk

> ]if the problem resist then u going to hv allot of fun. learn to use
> ]"debugfs" but do take extra care when use this command. Check also
> ]/lost+found, if got lots of file inside .. signal is that filesystem or
> ]hard disk isn't stable.

> ]On Tue, 28 May 2002 23:37:35 GMT

> ]> I have posted several posts on ssh. The level may be
> ]> backleveled. I am trying to upgrade uning rpm.
> ]>
> ]> The script file sshd in /etc/rc.d/init.d has somehow gotten
> ]> corrupted. It shows a group of root and a owner of lp and a
> ]> mod of 700.
> ]>
> ]> rpm attempts to update this file and gets permission denyed
> ]> so I shut sshd down and tried to remove it. That action got
> ]> the same result.
> ]>
> ]> So I brought the system to init level 1 as root and tried
> ]> changing the mod, the owner, the group all to the same
> ]> error. I even tried moving it.
> ]>
> ]> How can I remove this file??

> This almost always means that you have been rooted, as they say-- ie
> someone has cracked your machine, and has installed their own version of
> various programs. They have used chattr to change the attributes of the
> files so you cannot (easily) remove them.
> To remove the file, you can do
> chattr -i name.of.the.file
> (i stands for immutable)
> However, I would not do that-- I would look for other evidence of being
> cracked.

> rpm -Va |grep '..5'>/tmp/verify
> and look through /tmp/verify for files which have been changed. Some
> should have been (/etc/passwd, etc) but some should not (ssh,
> ps,ls,find,...) If you find evidence of the latter, you have definitely
> been broken into. You must reinstall.

> It is possible that the rpm database has been comprimised, or that the
> rpm program itself has been altered to hide their depredations.
> Copy a copy of rpm from a place you know to be valid.
> ince reinstalling is a pain, which if it is not necessary may be worse
> than the disease,  so it is worthwhile trying to get a valid version of
> rpm if you suspect that it has been comprimised.

> > init 1  <-- run into single mode
> > mount -oremount,rw /  <-- remount root filesystem read-only
>                   ^^
> > e2fsck -f /dev/"root disk"  <-- run check disk

> The option "rw" is read-only???
> And you forgot a space.

> ]Hi,

> ]hmmm okey.. let see where the problem is.

> ]first see for master sort of priv control

> ]lsattr /etc/rc.d/filename

> ]make sure it doesn't hv any flags. If got remove it. To see if the
> file]really corrupted or something wrong. do copy out to /tmp and see
> if its]readable. If nope u got a serious problem. Do this.

> ]init 1  <-- run into single mode
> ]mount -oremount,rw /  <-- remount root filesystem read-only
> ]e2fsck -f /dev/"root disk"  <-- run check disk

> ]if the problem resist then u going to hv allot of fun. learn to use
> ]"debugfs" but do take extra care when use this command. Check also
> ]/lost+found, if got lots of file inside .. signal is that filesystem
> or]hard disk isn't stable.

> ]On Tue, 28 May 2002 23:37:35 GMT

> ]> I have posted several posts on ssh. The level may be
> ]> backleveled. I am trying to upgrade uning rpm.
> ]>
> ]> The script file sshd in /etc/rc.d/init.d has somehow gotten
> ]> corrupted. It shows a group of root and a owner of lp and a
> ]> mod of 700.
> ]>
> ]> rpm attempts to update this file and gets permission denyed
> ]> so I shut sshd down and tried to remove it. That action got
> ]> the same result.
> ]>
> ]> So I brought the system to init level 1 as root and tried
> ]> changing the mod, the owner, the group all to the same
> ]> error. I even tried moving it.
> ]>
> ]> How can I remove this file??

> This almost always means that you have been rooted, as they say-- ie
> someone has cracked your machine, and has installed their own version
> of various programs. They have used chattr to change the attributes of
> the files so you cannot (easily) remove them.
> To remove the file, you can do
> chattr -i name.of.the.file
> (i stands for immutable)
> However, I would not do that-- I would look for other evidence of
> being cracked.

> rpm -Va |grep '..5'>/tmp/verify
> and look through /tmp/verify for files which have been changed. Some
> should have been (/etc/passwd, etc) but some should not (ssh,
> ps,ls,find,...) If you find evidence of the latter, you have
> definitely been broken into. You must reinstall.

> It is possible that the rpm database has been comprimised, or that the
> rpm program itself has been altered to hide their depredations.
> Copy a copy of rpm from a place you know to be valid.
> ince reinstalling is a pain, which if it is not necessary may be worse
> than the disease,  so it is worthwhile trying to get a valid version
> of rpm if you suspect that it has been comprimised.