Message-ID: <CAPweEDzv+vByC1s2bWRjVQdVLqw4Xf2sUf_CQgVync_YcxtdvQ@mail.gmail.com>
Date: Mon, 25 Jul 2011 13:08:06 +0100
From: Luke Kenneth Casson Leighton <lkcl@...l.net>
To: linux-kernel@...r.kernel.org
Subject: ext3 hacked filesystem (by debian exim4 exploit) available for analysis and bugreporting
folks, hi,

i appreciate this was some time ago, but i encountered a quite serious issue with an ext3 filesystem that had been hacked, and a rootkit installed. this was with a 2.6.26 kernel. the issue encountered was that the little fuckers directly modified the ext3 filesystem so that some files they had created could *not* be deleted. when i say "could not be deleted" i mean "absolutely could not be deleted". also, fsck did *not* report any "problems".

and yes, please do give me credit for knowing that you should use a different system (offline) to analyse the [damaged] filesystem :) as you can imagine, i was very very surprised to encounter this as an issue.

first thing: has anyone else encountered this?

second thing: if the answer to the above is "no", would anyone who can prove their credentials (public ssh key, public web site, notability blah blah) like to analyse the 5gb filesystem? i still have a copy (it's an LVM2 partition on a Xen hosted server).

apart from anything, this really really should go into rkhunter / chkrootkit, but it requires someone with expertise to actually analyse what the bloody hell happened. apart from anything, files which cannot be deleted (and cannot be detected as "corrupted" by fsck.ext3) are pretty damn serious.
l.