April 23rd, 2002, 02:24 PM
crontab (seteuid: Operation Not Permitted) after I was hacked
Thank you in advance for reading...
I'm new to sys admin, and yesterday we got hacked. Don't know what they wanted or what they took... but they did screw up my crontab permissions and now only root can use crontab.
When my other users try: % crontab -e, I get this error: seteuid: Operation Not Permitted
Everything I've found in Google etc. says I need a cron.allow file, which I assume is just a line-delimited list of user names. Could someone give me an example of this and tell me where I should place the file (I'm running Red Hat 7.0)? I tried putting this file in both /etc/cron.d/ and /var/spool/cron/, but the cron.allow file didn't do anything in either of these two directories.
Any other reasons I would get this (seteuid: Operation Not Permitted) error?
Also, the hacker erased the file /usr/lib/sa/sa1, which is run by cron.hourly. I have no idea what this file does; could anybody please give me an example?
I also noticed an entry in my /etc/shadow file which had cron listed as a user. Is this normal? I disabled it because I thought it might be a bogus entry, and my cron jobs still run without it.
Does anybody know a possible way to get the hacker's footprint? My logs were obviously edited.
Currently our system is set up so root can log in remotely, can you tell me how to disable this?
Thank you very much for any and all advice.
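Two checks that speak to the questions above, written as an added example (not from either poster). The first reports whether a crontab binary still carries the setuid-root bit that vixie-cron's crontab needs (losing it produces exactly the "seteuid: Operation Not Permitted" message for non-root users); the second reproduces how vixie-cron evaluates cron.allow and cron.deny, which on Red Hat live in /etc (an assumption about this install; the function names and sample user lists are constructed here).

```sh
#!/bin/sh
# Added diagnostic, not from the thread. Assumes vixie-cron as shipped
# with Red Hat 7: crontab is setuid root, and the access lists are
# /etc/cron.allow and /etc/cron.deny, one username per line.

# check_crontab_binary PATH
# 0 = setuid and owned by root (healthy), 2 = file missing,
# 3 = setuid bit stripped (non-root users then fail with
#     "seteuid: Operation Not Permitted" while root still works),
# 4 = setuid but not owned by root (suspicious after a break-in).
check_crontab_binary() {
    bin=$1
    [ -e "$bin" ] || return 2
    [ -u "$bin" ] || return 3                          # POSIX test: setuid bit?
    [ "$(stat -c '%U' "$bin")" = root ] || return 4   # GNU stat: owner name
    return 0
}

# cron_access_allowed USER ALLOWFILE DENYFILE
# vixie-cron rule: if ALLOWFILE exists, USER must be listed in it;
# else if DENYFILE exists, USER must not be listed; else everyone may.
# Returns 0 if USER may run crontab, 1 otherwise.
cron_access_allowed() {
    user=$1; allow=$2; deny=$3
    if [ -f "$allow" ]; then
        grep -qxF "$user" "$allow"          # whole-line, fixed-string match
    elif [ -f "$deny" ]; then
        ! grep -qxF "$user" "$deny"
    else
        return 0
    fi
}

main() {
    rc=0; check_crontab_binary /usr/bin/crontab || rc=$?
    case $rc in
        0) echo "crontab binary: setuid root, looks intact" ;;
        2) echo "crontab binary: missing" ;;
        3) echo "crontab binary: setuid bit missing (matches the seteuid error)" ;;
        4) echo "crontab binary: setuid but not root-owned, inspect it" ;;
    esac
    # Constructed sample lists, kept in a temp dir so the live /etc is untouched.
    tmp=$(mktemp -d)
    printf 'root\nalice\n' > "$tmp/cron.allow"
    for u in root alice bob; do
        if cron_access_allowed "$u" "$tmp/cron.allow" "$tmp/cron.deny"; then
            echo "$u: allowed"; else echo "$u: denied"; fi
    done
    rm -rf "$tmp"
}
main "$@"
```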
April 26th, 2002, 06:55 AM
Since the logs have been edited, there is little chance of finding footprints.
Probably the "hacker" replaced binaries or libraries; this is why the system does not work as it used to.
After an attack like this, you should:
- save the whole installation to tape
- reinstall from scratch
- after this install all available security patches from your distributor.
If root login is allowed by default from other sources than the console or ssh in your distro, switch to another. This is such a basic mistake that probably the whole distro is not worth a penny.