problem with fstab -> ROOTKITed

Technomage technomage-hawke at cox.net
Tue Mar 28 11:01:13 MST 2006


well, normally, a rootkit won't set up there (as far as I know).
still, one must consider that there are new ways of infecting machines being 
created every day.


On Tuesday 28 March 2006 05:50, bmike101 at cox.net wrote:
> I ran a rootkit program and I reinstalled the OS....
> unless....  perhaps the nasty is in my home partition.
>
> > From: Technomage <technomage-hawke at cox.net>
> > Date: 2006/03/27 Mon PM 10:00:34 PST
> > To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> > Subject: Re: hda2 error -> problem with fstab
> >
> > I have been following this thread for a while.
> > something occurred to me just now:
> >
> > is there a possibility that the machine in question might be
> > "infected" (rootkitted, etc.) and that is what keeps reverting
> > the drive map?
> >
> > just a thought.
> >
> > On Monday 27 March 2006 22:30, bmike101 at cox.net wrote:
> > > So are you saying that it should look like this:
> > >
> > >
> > > /dev/hda1 / ext3 noauto,users,exec 0 0
> > > #/dev/hda2 / ext3 defaults,noatime 1 1
> > > /dev/hda4 /home ext3 defaults,noatime 1 1
> > > /dev/sda1 swap swap sw,pri=1 0 0
> > > proc /proc proc defaults 0 0
> > > devpts /dev/pts devpts mode=0622 0 0
> > > none /proc/bus/usb usbdevfs defaults 0 0
> > > # Dynamic entries
> > > /dev/hda3 /data ext3 noauto,users,exec 0 0
> > >
> > > But what about the fact that these partitions were not
> > > previously named this? Would this make a difference?
> > >
> > > What about the 'Dynamic entries'? Does that mean/do
> > > anything?
> > >
> > >  Why is it behaving like this now and not before?
> > >
> > > > From: Jerry Davis <jdawgaz at cox.net>
> > > > Date: 2006/03/27 Mon PM 06:48:50 PST
> > > > To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> > > > Subject: Re: hda2 error
> > > >
> > > > On Mon, 27 Mar 2006 18:08:32 -0800
> > > >
> > > > <bmike101 at cox.net> wrote:
> > > > > I figured something out! When I was asked for my fstab I
> > > > > gave you all the fstab of the live cd. The fstab of the hd
> > > > > was:
> > > > > /dev/hda2 / ext3 defaults,noatime 1 1
> > > > > /dev/hda4 /mnt/hda4 ext3 defaults,noatime 1 1
> > > > > /dev/sda1 swap swap sw,pri=1 0 0
> > > > > proc /proc proc defaults 0 0
> > > > > devpts /dev/pts devpts mode=0622 0 0
> > > > > none /proc/bus/usb usbdevfs defaults 0 0
> > > > > # Dynamic entries
> > > > > /dev/hda3 /mnt/hda3 ext3 noauto,users,exec 0 0
> > > > > /dev/hda1 /mnt/hda1 ext3 noauto,users,exec 0 0
> > > > >
> > > > > I changed it to
> > > > > /dev/hda1 /mnt/hda1 ext3 noauto,users,exec 0 0
> > > > > #/dev/hda2 / ext3 defaults,noatime 1 1
> > > > > /dev/hda4 /mnt/hda4 ext3 defaults,noatime 1 1
> > > > > /dev/sda1 swap swap sw,pri=1 0 0
> > > > > proc /proc proc defaults 0 0
> > > > > devpts /dev/pts devpts mode=0622 0 0
> > > > > none /proc/bus/usb usbdevfs defaults 0 0
> > > > > # Dynamic entries
> > > > > /dev/hda3 /mnt/hda3 ext3 noauto,users,exec 0 0
> > > > >
> > > > > When I changed it I had so hoped that this would fix it
> > > > > yet it did not!
> > > > > What else do I need to do?
> > > > >
> > > > > for your information here is my setup:
> > > > > hda1 = root
> > > > > hda4 = home
> > > > > hda3 = data
> > > >
> > > > well you are ALL screwed up. the setup you intended to
> > > > have and what
> > > >
> > > > if /dev/hda1 is root then you should have
> > > > /dev/hda1 / (not /mnt/hda1)
> > > >
> > > > if /dev/hda4 is home then you should have
> > > > /dev/hda4 /home (not /mnt/hda4)
> > > >
> > > > if /dev/hda3 is data then you should have
> > > > /dev/hda3 /data or /mnt/hda3 if that is where you want it
> > > >
> > > > where in the world did you get the above fstab from?
> > > >
> > > > Jerry
> > > >
> > > > > > From: <bmike101 at cox.net>
> > > > > > Date: 2006/03/27 Mon PM 05:19:18 PST
> > > > > > To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> > > > > > Subject: hda2 error
> > > > > >
> > > > > > How strange; it happened again. I reinstalled the OS and,
> > > > > > as before, it loaded once. After it loads once and I
> > > > > > shutdown it seems to think that hda2 is back. It is as if
> > > > > > it won't accept hda1,3,&4 without 2. Does this make any
> > > > > > sense? I'll reload from the hd and look at fstab (if I
> > > > > > can).
> > > >
> > > > --
> > > > Hobbit Name: Pimpernel Loamsdown
> > > > Registered Linux User: 275424
> > > >
> > > > This email's random fortune: If our behavior is strict,
> > > > we do not need fun!
> > > > ---------------------------------------------------
> > > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > > To subscribe, unsubscribe, or to change your mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
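The thread's underlying question is whether the fstab on the disk matches the layout the poster says he intends (hda1 as root, hda4 as home, hda3 as data) and whether the file really is being rewritten between boots, as the rootkit guess supposes. The following is an added example, not code from anyone in this thread: a small Python checker that parses an fstab, compares it against an expected device-to-mountpoint map, and computes a fingerprint of the active entries so a value recorded before a reboot can be compared afterwards. EXPECTED_LAYOUT (in particular /data as the mountpoint for hda3, which Jerry's reply leaves open), the two sample fstab texts and the fingerprinting scheme are all constructed for illustration.

```python
"""Parse and sanity-check an /etc/fstab against an intended partition layout.

Added example: not code from the PLUG thread. EXPECTED_LAYOUT, the sample
fstab texts and the fingerprint scheme are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: tuple
    dump: int
    passno: int


def parse_fstab(text):
    """Return the active entries of an fstab; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # "#/dev/hda2 ..." is commented out
        if not line:
            continue
        fields = line.split()
        if not 4 <= len(fields) <= 6:
            raise ValueError(f"line {lineno}: expected 4-6 fields, got {len(fields)}")
        dump = int(fields[4]) if len(fields) > 4 else 0
        passno = int(fields[5]) if len(fields) > 5 else 0
        entries.append(FstabEntry(fields[0], fields[1], fields[2],
                                  tuple(fields[3].split(",")), dump, passno))
    return entries


# The layout the poster says he intends (hda1 root, hda4 home, hda3 data).
# /data for hda3 is an assumption; Jerry's reply allows /data or /mnt/hda3.
EXPECTED_LAYOUT = {"/dev/hda1": "/", "/dev/hda4": "/home", "/dev/hda3": "/data"}


def check_layout(entries, expected=EXPECTED_LAYOUT):
    """Return a list of human-readable problems; an empty list means the fstab matches."""
    problems = []
    by_device = {e.device: e for e in entries}
    roots = [e for e in entries if e.mountpoint == "/"]
    if len(roots) != 1:
        problems.append(f"expected exactly one root entry, found {len(roots)}")
    for device, mountpoint in expected.items():
        entry = by_device.get(device)
        if entry is None:
            problems.append(f"{device} has no fstab entry")
        elif entry.mountpoint != mountpoint:
            problems.append(f"{device} mounts at {entry.mountpoint}, expected {mountpoint}")
    if len(roots) == 1:
        root = roots[0]
        if "noauto" in root.options:
            problems.append("root filesystem is marked noauto")
        if root.passno != 1:
            problems.append(f"root filesystem has fsck pass {root.passno}, expected 1")
    return problems


def fingerprint(text):
    """SHA-256 over the canonicalised active entries. Record it before a reboot and
    compare afterwards: a changed value means the active entries were rewritten."""
    canon = "\n".join(" ".join(ln.split("#", 1)[0].split())
                      for ln in text.splitlines() if ln.split("#", 1)[0].strip())
    return hashlib.sha256(canon.encode()).hexdigest()


# Constructed sample: the fstab the poster said he changed the disk's copy to.
CHANGED_FSTAB = """\
/dev/hda1 /mnt/hda1 ext3 noauto,users,exec 0 0
#/dev/hda2 / ext3 defaults,noatime 1 1
/dev/hda4 /mnt/hda4 ext3 defaults,noatime 1 1
/dev/sda1 swap swap sw,pri=1 0 0
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0622 0 0
none /proc/bus/usb usbdevfs defaults 0 0
# Dynamic entries
/dev/hda3 /mnt/hda3 ext3 noauto,users,exec 0 0
"""

# Constructed sample: the intended layout written out as fstab entries.
CORRECT_FSTAB = """\
/dev/hda1 / ext3 defaults,noatime 1 1
/dev/hda4 /home ext3 defaults,noatime 1 1
/dev/hda3 /data ext3 noauto,users,exec 0 0
/dev/sda1 swap swap sw,pri=1 0 0
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0622 0 0
none /proc/bus/usb usbdevfs defaults 0 0
"""

if __name__ == "__main__":
    for name, text in (("changed", CHANGED_FSTAB), ("correct", CORRECT_FSTAB)):
        print(name, fingerprint(text)[:16], check_layout(parse_fstab(text)) or "OK")
```

Run against the "changed" fstab from the thread the checker reports that no entry mounts at / and that hda1, hda4 and hda3 all sit under /mnt instead of the intended mountpoints; the first fstab proposed in the thread (hda1 mounted at / with noauto and a fsck pass of 0) is flagged for those two option problems even though the mountpoints are right. Comparing fingerprints taken before and after a reboot separates "the file is being rewritten" from "a different fstab is being read", which is the distinction the rootkit theory hinges on.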

