[Techtalk] undeletable files

hobbit at aloss.ukuu.org.uk
Tue Mar 26 17:55:34 EST 2002


On Tue, Mar 26, 2002 at 11:16:17AM -0500 or thereabouts, Walt wrote:
> *sigh*
> System hacked.
> DDOS program installed and activating on boot.
> Modified system files dropped my firewall.
> First tip off was SSH stopped working.

:(
 
> Now, after the server is mostly recovered,
> I have two files that I cannot delete or replace
> as root with rm -f. /usr/sbin/sshd and
> /etc/rc.d/rc.sysinit. It merely tells me that I
> don't have permission and can't unlink the file.
> How do I delete a file that I can't delete??

I'm curious why you're not just nuking the whole thing and 
reinstalling. Is there stuff on there you can't afford to
lose? 

On the second: I've heard you can make files undelete-able
by using chattr on them. Looking at the man page, would
chattr -i filename then rm work?

In fact, asking around on IRC, as I write this, I learn that
"lsattr" in the /bin directory is a good thing to try if you
suspect you've been cracked: some rootkits leave lots of 
chattr'd files there.

Not sure how far this helps, but hope it does.

Telsa
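
The lsattr check suggested above, as an added example that is not part of the original message: a shell filter that reads lsattr output and reports entries carrying the immutable (i) or append-only (a) attribute. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).

# Filter: read `lsattr` output on stdin and print "<flag><TAB><path>" for
# every entry that carries the immutable (i) or append-only (a) attribute.
flagged_from_lsattr() {
    awk '
        # Keep only lines whose first field is an attribute string; this
        # skips blank lines and the "dir:" headers printed by lsattr -R.
        $1 !~ /^[-A-Za-z]+$/ { next }
        {
            attrs = $1
            path = substr($0, length(attrs) + 2)   # rest of line, spaces kept
            # index() is case-sensitive: "A" (no atime) and "I" do not match.
            if (index(attrs, "i")) print "immutable\t" path
            if (index(attrs, "a")) print "append-only\t" path
        }'
}

# Run lsattr over each directory given (for example /bin /sbin /usr/sbin).
scan_dirs() {
    for dir in "$@"; do
        lsattr -a "$dir" 2>/dev/null | flagged_from_lsattr
    done
}

# Constructed sample of lsattr output, used when no directory is given.
sample_lsattr_output() {
    cat <<'EOF'
-------------e-- /bin/ls
----i--------e-- /bin/ps
-----a-------e-- /bin/netstat
-------A-----e-- /bin/cat
----i--------e-- /bin/my tool
EOF
}

if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
else
    sample_lsattr_output | flagged_from_lsattr
fi
```

Run it as root with the directories to check as arguments; with no arguments it processes the constructed sample.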
