[PLUG] Hacked? More info

Phil Tomson ptkwt at aracnet.com
Tue Dec 17 01:54:32 UTC 2002


On Mon, 16 Dec 2002, Mark Martin wrote:

> Only root can set this attribute using the chattr command.  See the man page
> for details.  Maybe your box was cracked after all, unless you can imagine a
> context where you or some other authorized user might have accidentally set
> it.
>

Yup, I did: chattr -i /tmp
And that did the trick.  And yes, /var/tmp was also set with the i
attribute and that does seem rather malicious.

But then.... after kdm started I notice that there is a new user listed on
the login screen.  The name of the new user is WiNAta - very bizarre!

Phil





More information about the PLUG mailing list