[K12OSN] file attributes

Steve skerr at rx30.com
Mon Mar 19 12:24:28 UTC 2012

might try to remove by inode

ls -il {file-name}     to find inode of file
find . -inum [inode-number] -exec rm -i {} \;      to remove

On 03/18/2012 01:30 PM, Barry R Cisna wrote:
> Hello All,
> One of our older ftp servers centos 5 got hit with the shv4 rootkit,,,as
> I had left ssh running mistakenly for a couple days.
> Long story short I simply can not delete the two main dirs that are
> created by the rootkit. Those being:
> lib/libsh  and /usr/lib/libsh.so. 
> I know the immutable bit has not been set on these dirs or the files
> within. I did do an chattr -i /dir/files on the dirs just to make sure
> as well. Even changing file perms to root-root the dirs and files within
> can not be deleted.
> I noticed when trying to rm /lib/libsh/filexyz it always comes back with
> "Operation not permitted". I also notice at the end of each file name
> there is the ' character. Does anyone have any idea what the ' character
> suggests?
> I know,I should simply reformat the box with something newer but I am
> just trying to figure out firstly why the files are un-deletable.
> I am going to plop in a deft live cd and see if I can delete the files
> this way. Haven't had a chance to try this yet.
> Thanks,
> Barry Cisna
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>

More information about the K12OSN mailing list