Open Source and information security mailing list archives
Date:	Mon, 25 Jul 2011 13:08:06 +0100
From:	Luke Kenneth Casson Leighton <lkcl@...l.net>
To:	linux-kernel@...r.kernel.org
Subject: ext3 hacked filesystem (by debian exim4 exploit) available for analysis and bugreporting

folks, hi,

i appreciate this was some time ago, but i encountered a quite serious
issue with an ext3 filesystem that had been hacked, and a rootkit
installed.  this was with a 2.6.26 kernel.  the issue encountered was
that the little fuckers directly modified the ext3 filesystem so that
some files they had created could *not* be deleted.  when i say "could
not be deleted" i mean "absolutely could not be deleted".  also, fsck
did *not* report any "problems".

and yes, please do give me credit for knowing that you should use a
different system (offline) to analyse the [damaged] filesystem :)  as
you can imagine, i was very very surprised to encounter this as an
issue.

first thing: has anyone else encountered this?

second thing: if answer "no" to above, would anyone who can prove
their credentials (public ssh key, public web site, notability blah
blah) like to analyse the 5gb filesystem?  i still have a copy (it's
an LVM2 partition on a Xen hosted server).

apart from anything, this really really should go into rkhunter /
chkrootkit, but it requires someone with expertise to actually analyse
what the bloody hell happened.  apart from anything, files which
cannot be deleted (and cannot be detected as "corrupted" by fsck.ext3)
is pretty damn serious.

l.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
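The mail above describes files that survive every attempt at unlink while fsck.ext3 stays silent. One benign-looking on-disk state that produces exactly that pair of symptoms is the ext2/3 immutable (chattr +i) or append-only (chattr +a) inode attribute: it is a perfectly valid flag value, so e2fsck has nothing to complain about, yet unlink(2) and rename(2) fail with EPERM until the attribute is cleared. Whether that is what happened on this particular filesystem is an assumption, not something the mail establishes. The script below is an added example, written for this page and not code from the original poster, from rkhunter or from chkrootkit. It walks the raw inode tables of an ext2/3 image (or an LVM snapshot device opened read-only on a separate analysis host, as the poster rightly insists) and lists every in-use inode carrying +i or +a, without trusting lsattr(1) or any kernel on the compromised box. It assumes the classic layout (revision 1 superblock, 32-byte group descriptors, no 64-bit feature) and a constructed 64 KiB sample image is embedded so it runs offline.

```python
"""Scan a raw ext2/ext3 image for inodes carrying the immutable (+i) or
append-only (+a) attribute by reading the inode tables directly.

Added example, not from the original mail or from rkhunter/chkrootkit.
ASSUMES a classic ext2/3 layout: revision-1 superblock, 32-byte group
descriptors, no 64-bit feature; inode size is taken from the superblock.
"""
import mmap
import struct
import sys

EXT2_SUPER_MAGIC = 0xEF53
EXT2_IMMUTABLE_FL = 0x00000010   # chattr +i: no write, unlink or rename
EXT2_APPEND_FL = 0x00000020      # chattr +a: append-only, no unlink
SUSPECT_FLAGS = EXT2_IMMUTABLE_FL | EXT2_APPEND_FL
SUPERBLOCK_OFFSET = 1024         # superblock always lives 1 KiB into the device


def parse_superblock(img):
    """Return the handful of superblock fields needed to locate inode tables."""
    sb = img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic 0x%04x)" % magic)
    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group = struct.unpack_from("<I", sb, 32)[0]
    inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    return {
        "inodes_count": inodes_count,
        "blocks_count": blocks_count,
        "first_data_block": first_data_block,
        "block_size": 1024 << log_block_size,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "inode_size": inode_size,
    }


def group_inode_tables(img, sb):
    """Yield bg_inode_table (first block of the inode table) for each block group."""
    ngroups = -(-(sb["blocks_count"] - sb["first_data_block"]) // sb["blocks_per_group"])
    gdt_off = (sb["first_data_block"] + 1) * sb["block_size"]  # GDT follows the superblock
    for g in range(ngroups):
        desc = img[gdt_off + 32 * g: gdt_off + 32 * g + 32]
        yield struct.unpack_from("<I", desc, 8)[0]


def scan_flags(img):
    """Return [(inode_number, i_mode, i_flags)] for in-use inodes with +i or +a set."""
    sb = parse_superblock(img)
    hits = []
    for g, table_block in enumerate(group_inode_tables(img, sb)):
        base = table_block * sb["block_size"]
        for idx in range(sb["inodes_per_group"]):
            ino = g * sb["inodes_per_group"] + idx + 1   # inode numbers are 1-based
            if ino > sb["inodes_count"]:
                break
            off = base + idx * sb["inode_size"]
            mode = struct.unpack_from("<H", img, off)[0]        # i_mode
            flags = struct.unpack_from("<I", img, off + 32)[0]  # i_flags
            if mode and (flags & SUSPECT_FLAGS):
                hits.append((ino, mode, flags))
    return hits


def build_sample_image():
    """Constructed 64 KiB image: one group, 1 KiB blocks, 16 inodes, inode
    table at block 5. Inode 12 is a regular file with +i, inode 13 has +a."""
    img = bytearray(64 * 1024)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 16, 64)         # s_inodes_count, s_blocks_count
    struct.pack_into("<II", sb, 20, 1, 0)          # s_first_data_block, s_log_block_size
    struct.pack_into("<I", sb, 32, 8192)           # s_blocks_per_group
    struct.pack_into("<I", sb, 40, 16)             # s_inodes_per_group
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 76, 1)              # s_rev_level
    struct.pack_into("<H", sb, 88, 128)            # s_inode_size
    img[1024:2048] = sb
    struct.pack_into("<III", img, 2048, 3, 4, 5)   # group 0: bitmaps at 3 and 4, inode table at 5

    def put_inode(ino, mode, flags):
        off = 5 * 1024 + (ino - 1) * 128
        struct.pack_into("<H", img, off, mode)
        struct.pack_into("<I", img, off + 32, flags)

    put_inode(2, 0o40755, 0)                        # root directory, clean
    put_inode(11, 0o100644, 0)                      # ordinary file, clean
    put_inode(12, 0o100644, EXT2_IMMUTABLE_FL)      # the "cannot be deleted" case
    put_inode(13, 0o100644, EXT2_APPEND_FL | 0x80)  # append-only (plus noatime)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: map the image/snapshot device read-only; a 5 GB volume is not read into RAM.
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            hits = scan_flags(m)
    else:
        hits = scan_flags(build_sample_image())
    for ino, mode, flags in hits:
        print("inode %d mode 0%o flags 0x%08x%s%s" % (
            ino, mode, flags,
            " IMMUTABLE" if flags & EXT2_IMMUTABLE_FL else "",
            " APPEND" if flags & EXT2_APPEND_FL else ""))
```

Run it as `python3 ext_flagscan.py /dev/mapper/vg0-evidence` against a read-only snapshot; each reported inode number can then be mapped to a path with `debugfs -R 'ncheck <ino>' /dev/mapper/vg0-evidence`. A hit is only a lead: +i and +a are also set legitimately by administrators, so the finding needs the path, mtime and content before it means anything. If the scan comes back empty, the "directly modified" filesystem in the mail was altered some other way (corrupted directory entries, hardlink counts or orphaned inodes are the usual suspects) and this check says nothing about that.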