#1
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2001
    Location
    virginia
    Posts
    6
    Rep Power
    0

    crontab (seteuid: Operation Not Permitted) after I was hacked


    Thank you in advance for reading...

    I'm new to sys admin, and yesterday we got hacked. Don't know what they wanted or what they took... but they did screw up my crontab permissions and now only root can use crontab.

    When my other users try: % crontab -e, I get this error: seteuid: Operation Not Permitted

    Everything I've found in google etc. says I need a cron.allow file, which I assume is just a line delimited list of user names. Could someone give me an example of this and tell me where I should place the file (I'm running Red Hat 7.0). I tried putting this file in both /etc/cron.d/, and /var/spool/cron/, but the cron.allow file didn't do anything in either of these two directories.

    Any other reasons I would get this (seteuid: Operation Not Permitted) error?

    Also the hacker erased the file: /usr/lib/sa/sa1 which is run by cron.hourly. I have no idea what this file does, could anybody please give me an example.

    I also noticed an entry in my /etc/shadow file which had cron down as a user, is this normal? I disabled it because I thought it might be a bogus entry and my cron jobs still run without it.

    Does anybody know a possible way to get the hacker's footprint... my logs were obviously edited.

    Currently our system is set up so root can log in remotely, can you tell me how to disable this?

    Thank you very much for any and all advice.
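The questions in this post (why `crontab -e` fails with `seteuid: Operation not permitted`, what a `cron.allow` file looks like and where it goes, and how to turn off remote root logins) can be checked with a small script. The one below is an added example for this thread, not something any poster supplied; it assumes the usual Red Hat paths (`/usr/bin/crontab`, `/etc/cron.allow`, `/etc/ssh/sshd_config`), which can be overridden through the variables at the top of `report`.

```sh
#!/bin/sh
# Added diagnostic helpers; not posted in this thread. The paths used by
# report() are the usual Red Hat ones and are assumptions.

# crontab(1) must be setuid root so unprivileged users can write into
# /var/spool/cron. If the setuid bit or the root ownership is gone (for
# example after a tampered or replaced binary), every non-root user gets
# "seteuid: Operation not permitted" from crontab -e.
setuid_bit_set() {
    [ -u "$1" ]
}

owned_by_root() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ]
}

# /etc/cron.allow holds one login name per line and nothing else. Prints any
# line that is not a plain username and returns 1; returns 0 when clean.
cron_allow_valid() {
    bad=$(grep -vnE '^[A-Za-z_][A-Za-z0-9_-]*$' "$1" || true)
    [ -z "$bad" ] && return 0
    printf 'cron.allow: bad line(s):\n%s\n' "$bad"
    return 1
}

# Effective PermitRootLogin in an sshd_config: sshd uses the first
# uncommented occurrence. "unset" means the directive is absent and the
# daemon's compiled-in default applies.
sshd_permit_root_login() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Summarise the three checks for the paths on this machine (override via env).
report() {
    bin=${CRONTAB_BIN:-/usr/bin/crontab}
    allow=${CRON_ALLOW:-/etc/cron.allow}
    sshcfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}

    if [ -e "$bin" ]; then
        if setuid_bit_set "$bin" && owned_by_root "$bin"; then
            echo "$bin: setuid root, OK"
        else
            echo "$bin: NOT setuid root; verify the cron package with rpm -V and reinstall it"
        fi
    fi

    if [ -e "$allow" ]; then
        cron_allow_valid "$allow" && echo "$allow: format OK"
    else
        echo "$allow absent: crontab access is governed by cron.deny, or by the daemon default when neither file exists"
    fi

    echo "PermitRootLogin in $sshcfg: $(sshd_permit_root_login "$sshcfg")"
}

report
```

Run it as root after the compromise. The cron.allow file belongs directly in `/etc` (not `/etc/cron.d` or `/var/spool/cron`), one username per line. To stop root logging in over ssh, set `PermitRootLogin no` in `/etc/ssh/sshd_config` and restart sshd; for telnet and rlogin style logins, root is limited to the terminals listed in `/etc/securetty`. As the reply below points out, on a box whose binaries may have been replaced these checks only tell you what was touched; they are not a substitute for a reinstall.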
#2
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    Since the logs have been edited, there is little chance of finding footprints.
    Probably the "hacker" replaced binaries or libraries; this is why the system does not work as it used to.

    After an attack like this, you should:
    - save the whole installation to tape
    - reinstall from scratch
    - after this, install all available security patches from your distributor.

    If root login is allowed by default from sources other than the console or ssh in your distro, switch to another. This is such a basic mistake that probably the whole distro is not worth a penny.
