
Re: [K12OSN] file attributes

Use rpm -Va to see all packages compared to their md5 checksum from rpmdb. Replace every package that has binaries that don't match what rpm says they should be. Use yum replace foo or rpm -F foo.
If you still can't modify that directory try a reboot to clean up the mount tables. Start it in single user mode.

rpm -Va | egrep '^..5' | awk '{print $NF}' | xargs rpm -q --whatprovides | sort -u

will provide the package list you need. If you are in runlevel 3 just run:

yum reinstall $(rpm -Va | egrep '^..5' | awk '{print $NF}' | xargs rpm -q --whatprovides | sort -u)

and that will reinstall the bad packages.

On Mar 18, 2012 1:35 PM, "Barry R Cisna" <brcisna eazylivin net> wrote:
Hello All,

One of our older ftp servers, CentOS 5, got hit with the shv4 rootkit, as
I had left ssh running mistakenly for a couple days.
Long story short I simply can not delete the two main dirs that are
created by the rootkit. Those being:
lib/libsh  and /usr/lib/libsh.so.

I know the immutable bit has not been set on these dirs or the files
within. I did do a chattr -i /dir/files on the dirs just to make sure
as well. Even changing file perms to root-root the dirs and files within
can not be deleted.

I noticed when trying to rm /lib/libsh/filexyz it always comes back with
"Operation not permitted". I also notice at the end of each file name
there is the ' character. Does anyone have any idea what the ' character

I know, I should simply reformat the box with something newer but I am
just trying to figure out firstly why the files are un-deletable.
I am going to plop in a deft live cd and see if I can delete the files
this way. Haven't had a chance to try this yet.

Barry Cisna

K12OSN mailing list
K12OSN redhat com
For more info see <http://www.k12os.org>
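
The `rpm -Va | egrep '^..5'` filter from the reply above, as an added example that is not part of the original thread: it triages `rpm -Va` output, skips files rpm marks as config, reports missing files as well, and keeps paths that contain spaces intact. The function names and the sample report lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output read from stdin.
# The result is only as trustworthy as the rpm binary and rpmdb that
# produced the report.

# Print "<reason><TAB><path>" for every file that is missing or whose
# content digest differs from the rpmdb (flag '5' in column 3).
# Files carrying the 'c' (config) attribute marker are skipped, because
# local edits to them are expected.
changed_files() {
    awk '
    {
        p = index($0, "/")          # the path starts at the first slash
        if (p == 0) next            # not a file line
        path = substr($0, p)        # keeps spaces inside the path
        n = split(substr($0, 1, p - 1), f, " ")
        flags = f[1]
        attr = (n > 1) ? f[2] : ""  # c, d, g, l or r when present
        if (attr == "c") next
        if (flags == "missing")
            print "missing\t" path
        else if (substr(flags, 3, 1) == "5")
            print "digest\t" path
    }'
}

# Constructed sample in the layout `rpm -Va` prints:
# flag string, optional attribute marker, file path.
sample_report() {
cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
S.5....T    /bin/ls
.M......    /usr/bin/passwd
missing     /usr/bin/top
..5....T    /usr/local/bin/my tool
EOF
}

# Demo on the constructed sample; on a real host: rpm -Va | changed_files
sample_report | changed_files
```
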
