[K12OSN] file attributes

Rob Owens rowens at ptd.net
Sun Mar 18 18:48:11 UTC 2012


On Sun, Mar 18, 2012 at 12:30:38PM -0500, Barry R Cisna wrote:
> Hello All,
> 
> One of our older FTP servers, CentOS 5, got hit with the shv4 rootkit, as
> I had left ssh running mistakenly for a couple days.
> Long story short I simply cannot delete the two main dirs that are
> created by the rootkit. Those being:
> lib/libsh  and /usr/lib/libsh.so. 
> 
> I know the immutable bit has not been set on these dirs or the files
> within. I did do a chattr -i /dir/files on the dirs just to make sure
> as well. Even changing file perms to root-root the dirs and files within
> cannot be deleted.
> 
> I noticed when trying to rm /lib/libsh/filexyz it always comes back with
> "Operation not permitted". I also notice at the end of each file name
> there is the ' character. Does anyone have any idea what the ' character
> suggests?
> 
> I know, I should simply reformat the box with something newer but I am
> just trying to figure out firstly why the files are un-deletable.
> I am going to plop in a deft live cd and see if I can delete the files
> this way. Haven't had a chance to try this yet.
> 
I don't know anything about that particular rootkit.  But perhaps it
has provided a modified 'rm' command which refuses to delete the files
it relies on.  That could be verified by using a live cd.

When trying to delete files with funny characters, it is often easier to
do so using a GUI file manager.  Then you just have to click on it, instead
of trying to figure out how to type it properly on the command line.

-Rob
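
An added example, not part of the original thread: a command-line counterpart to the two suggestions above, meant to be run with trusted tools such as a live CD with the suspect filesystem mounted. The function names list_entries and remove_by_inode are hypothetical; GNU find, stat and ls and the e2fsprogs lsattr/chattr are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Use trusted binaries, e.g. from a live
# CD, because rm/ls/lsattr on a compromised disk may have been replaced.

# Print each entry of directory $1 as "inode flags path".
# flags is the lsattr field ("?" if the filesystem has no attribute flags);
# ls -b escapes spaces and non-printable bytes so the exact name is visible.
# Note: 'a' (append-only) makes unlink fail with "Operation not permitted"
# just as 'i' (immutable) does, and either flag on the parent directory
# blocks removal of the entries inside it.
list_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -exec sh -c '
        for p do
            flags=$(lsattr -d "$p" 2>/dev/null | awk "NR==1{print \$1}")
            printf "%s %s " "$(stat -c %i "$p")" "${flags:-?}"
            ls -bd "$p"
        done' sh {} +
}

# Remove the entry of directory $1 that has inode number $2, so the awkward
# name never has to be typed. Returns 2 if no entry has that inode, non-zero
# if the entry is still present afterwards, 0 once it is gone.
remove_by_inode() {
    dir=$1 inode=$2
    match() { find "$dir" -xdev -mindepth 1 -maxdepth 1 -inum "$inode" "$@"; }
    [ -n "$(match -print)" ] || return 2
    # Clear immutable and append-only on the directory and the entry
    # (needs root on ext2/3/4; errors are ignored on other filesystems).
    chattr -ia "$dir" 2>/dev/null || true
    match -exec chattr -R -ia {} \; 2>/dev/null || true
    match -exec rm -rf -- {} + || true
    [ -z "$(match -print)" ]
}
```

Take the inode number from the first column of list_entries and pass it to remove_by_inode together with the same directory.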



