Amanda-Users

Re: /etc/dumpdates

2005-12-19 19:48:48
Subject: Re: /etc/dumpdates
From: Gene Heskett <gene.heskett AT verizon DOT net>
To: amanda-users AT amanda DOT org
Date: Mon, 19 Dec 2005 19:40:52 -0500
On Monday 19 December 2005 17:45, Paul Seniuk wrote:
>Thanks for the reply ....
>
>After comparing this server to 9 others in the dump, amanda client
> seems to be installed fine.
>
>I did discover that this server was compromised and was running a SPAM
>script from /usr/lib/asterisk/.amandad .....god forbid I ever run
> into these script kiddies on the street.

Just don't leave any witnesses, they can complicate one's life no end.

>Having said that, I am assuming that the compromise may have broken
>something on this server.

I think that's safe to say.
>
>I tried a re-installation of amanda-client with the same error. I did
>notice that after re-installing
>/etc/dumpdates was not created during the install, which tells me
> perms are still a problem here, but I'm stuck
> because the Group ID is fine:
>#>id amanda
>   uid=33(amanda) gid=6(disk) groups=6(disk)

That's the same as here.

>Perms on /etc/dumpdates is:
>
>-rw-rw-r--  1 root disk 172 Dec 16 02:37 dumpdates

That's the same as here, so I'd have reservations about that being the 
problem.

>Would anything be logged about failing to create /etc/dumpdates (get
>that long pole out, I used the RPM version for CentOS) ?

Bleeghc...

And I think here, I'd survey the system for both leftovers of the 
asterisk kit, and for the locations of both the config dir and the 
data dir amanda keeps, then get the tarball and install from scratch 
after configuring the tarball to match.  Nuke the rpm installed stuff 
by doing an rpm -e on it.  Or maybe you can look at the .spec file in 
the rpm and steal^H^H^H^H^Hborrow the options from there.

>For 'fun', I tried putting the perms to 777 ..still same error

Somewhere, maybe the suid bits have been lost.  You did do the rpm 
re-install as root I hope?

Jon, do you have anything else to add?

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should use this
address: <gene.heskett AT verizononline DOT net> which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
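The three checks this thread turns on (is /etc/dumpdates really writable by the disk group, have Amanda's setuid-root helpers lost their suid bit, and is there still a hidden dot-directory under /usr/lib like the one the spam script lived in), written up as an added audit script. This is not code from the thread or from the Amanda project; the helper paths under AMANDA_SUID_HELPERS are an assumed libexec layout and the root argument exists so the checks can be pointed at a copied or mounted filesystem.

```python
#!/usr/bin/env python3
"""Post-compromise sanity audit for an Amanda client host (added example)."""
import os
import stat
import grp
from typing import Dict, List

# Assumed locations of the helpers Amanda installs setuid root; adjust
# to your build (hypothetical paths, not taken from the thread).
AMANDA_SUID_HELPERS = ["usr/libexec/amanda/rundump", "usr/libexec/amanda/runtar"]


def dumpdates_status(root: str = "/") -> Dict[str, object]:
    """Ownership and group-writability of etc/dumpdates, as the thread's ls -l shows."""
    st = os.stat(os.path.join(root, "etc/dumpdates"))
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return {
        "group": group,
        "mode": stat.filemode(st.st_mode),  # e.g. -rw-rw-r--
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
    }


def missing_setuid(root: str = "/", helpers=AMANDA_SUID_HELPERS) -> List[str]:
    """Helpers that exist but no longer carry the suid bit (Gene's suspicion)."""
    lost = []
    for rel in helpers:
        path = os.path.join(root, rel)
        if os.path.isfile(path) and not os.stat(path).st_mode & stat.S_ISUID:
            lost.append(rel)
    return lost


def hidden_dirs(root: str = "/", under: str = "usr/lib") -> List[str]:
    """Dot-directories below usr/lib, the hiding place used in the thread."""
    found = []
    for dirpath, dirnames, _ in os.walk(os.path.join(root, under)):
        for d in dirnames:
            if d.startswith("."):
                found.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(found)


if __name__ == "__main__":
    print("dumpdates:", dumpdates_status())
    print("suid bit lost on:", missing_setuid())
    print("hidden dirs under usr/lib:", hidden_dirs())
```

Run it as root on the suspect host; an empty list from missing_setuid() plus group_writable True means the permissions story checks out and the fault lies elsewhere, which is when a clean tarball install starts to look attractive.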
