[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] file attributes



On Sun, Mar 18, 2012 at 12:30:38PM -0500, Barry R Cisna wrote:
> Hello All,
> 
> One of our older ftp servers centos 5 got hit with the shv4 rootkit,,,as
> I had left ssh running mistakenly for a couple days.
> Long story short I simply can not delete the two main dirs that are
> created by the rootkit. Those being:
> lib/libsh  and /usr/lib/libsh.so. 
> 
> I know the immutable bit has not been set on these dirs or the files
> within. I did do an chattr -i /dir/files on the dirs just to make sure
> as well. Even changing file perms to root-root the dirs and files within
> can not be deleted.
> 
> I noticed when trying to rm /lib/libsh/filexyz it always comes back with
> "Operation not permitted". I also notice at the end of each file name
> there is the ' character. Does anyone have any idea what the ' character
> suggests?
> 
> I know,I should simply reformat the box with something newer but I am
> just trying to figure out firstly why the files are un-deletable.
> I am going to plop in a deft live cd and see if I can delete the files
> this way. Haven't had a chance to try this yet.
> 
I don't know anything about that particular rootkit.  But perhaps it
has provided a modified 'rm' command which refuses to delete the files
it relies on.  That could be verified by using a live cd.

When trying to delete files with funny characters, it is often easier to
do using a GUI file manager.  Then you just have to click on it, instead
of trying to figure out how to type it properly on the command line.

-Rob


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]