[K12OSN] file attributes

Rob Owens rowens at ptd.net
Sun Mar 18 18:48:11 UTC 2012

On Sun, Mar 18, 2012 at 12:30:38PM -0500, Barry R Cisna wrote:
> Hello All,
> One of our older FTP servers, CentOS 5, got hit with the shv4 rootkit, as
> I had left ssh running mistakenly for a couple days.
> Long story short I simply can not delete the two main dirs that are
> created by the rootkit. Those being:
> lib/libsh  and /usr/lib/libsh.so. 
> I know the immutable bit has not been set on these dirs or the files
> within. I did do a chattr -i /dir/files on the dirs just to make sure
> as well. Even changing file perms to root-root the dirs and files within
> can not be deleted.
> I noticed when trying to rm /lib/libsh/filexyz it always comes back with
> "Operation not permitted". I also notice at the end of each file name
> there is the ' character. Does anyone have any idea what the ' character
> suggests?
> I know, I should simply reformat the box with something newer but I am
> just trying to figure out firstly why the files are un-deletable.
> I am going to plop in a DEFT live CD and see if I can delete the files
> this way. Haven't had a chance to try this yet.

I don't know anything about that particular rootkit.  But perhaps it
has provided a modified 'rm' command which refuses to delete the files
it relies on.  That could be verified by using a live CD.

When trying to delete files with funny characters, it is often easier to
do so using a GUI file manager.  Then you just have to click on it, instead
of trying to figure out how to type it properly on the command line.
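
The following is an added example, not part of either poster's message: a shell sketch of the live-CD check discussed above, which lists every attribute flag (not only the immutable bit) and removes a file by inode number so an odd character in its name never has to be typed. The function names are hypothetical, and it assumes the suspect filesystem is mounted under a directory you pass in and that you are running the live environment's own tools as root.

```shell
#!/bin/sh
# Added example. Run from a trusted live environment so that rm, ls and
# lsattr are not the suspect host's own binaries.

# Show the attribute flags of a directory and of the entries inside it.
# Both 'i' (immutable) and 'a' (append-only) make deletion fail with
# "Operation not permitted"; chattr -i clears only the first of the two.
show_attrs() {
    dir=$1
    if command -v lsattr >/dev/null 2>&1; then
        lsattr -d "$dir" 2>/dev/null || true   # flags on the directory itself
        lsattr -a "$dir" 2>/dev/null || true   # flags on each entry, dotfiles too
    else
        echo "lsattr not available" >&2
    fi
    return 0
}

# List "inode name" pairs with non-printable bytes shown as escapes,
# which makes a strange trailing character in a name visible.
list_by_inode() {
    ls -aib "$1"
}

# Clear the two flags that block deletion, recursively (needs root).
clear_block_flags() {
    chattr -R -ia "$1"
}

# Remove one file by inode number instead of by name.
# -maxdepth 1 limits the search to this directory, -xdev to this filesystem.
remove_by_inode() {
    dir=$1
    inode=$2
    find "$dir" -maxdepth 1 -xdev -inum "$inode" -exec rm -f -- {} +
    # Succeed only if nothing with that inode is left in the directory.
    [ -z "$(find "$dir" -maxdepth 1 -xdev -inum "$inode")" ]
}
```

If `remove_by_inode` still fails from the live environment after `clear_block_flags`, the cause is on the filesystem itself rather than in a replaced `rm` binary.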

