[PLUG] Hacked? More info
Phil Tomson
ptkwt at aracnet.com
Tue Dec 17 01:54:32 UTC 2002
On Mon, 16 Dec 2002, Mark Martin wrote:
> Only root can set this attribute using the chattr command. See the man page
> for details. Maybe your box was cracked after all, unless you can imagine a
> context where you or some other authorized user might have accidentally set
> it.
>
Yup, I did: chattr -i /tmp
And that did the trick. And yes, /var/tmp was also set with the i
attribute and that does seem rather malicious.
But then.... after kdm started I notice that there is a new user listed on
the login screen. The name of the new user is WiNAta - very bizarre!
Phil
More information about the PLUG
mailing list