[K12OSN] file attributes

Barry R Cisna brcisna at eazylivin.net
Mon Mar 19 22:29:42 UTC 2012


Hello All,

Thanks to all that made suggestions on how to clear out the two main
rootkit directories.
I did try using a couple of live CDs, both CentOS 6 and a DEFT CD (which I
have found usually mounts LVM disks R/W easily). Unfortunately I got the
same 'permission denied' when trying to delete the files using this
method.

I also tried the method of deleting the file by the inode number.
Strangely enough, I get no errors, and also I never get asked to confirm
to actually delete the file. The command completes, but the file(s) are
not deleted. Nothing shows up in the system log either, FYI. This method
did not work either.

One thing I did find by accident: when I try to create a blank file,
regardless of method, I always get the error "bad file descriptor" when
actually saving the blank file into either one of the two rootkit dirs.
I am not sure what this represents. Almost as though these dirs are
mounted in some fashion, although I see nothing in mtab or fstab.
This is very strange to say the least.

It is almost as though the immutable bit is set on these files and
dirs, when in fact this is not the case.
Any forensic experts here? ... :)
Guess I'll have to learn to make SURE I shut off ssh after remoting into
the machine in the future.

Take Care,
Barry
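An added example, not part of Barry's post: a small Python check for the two things suspected above, an immutable or append-only inode flag (what lsattr reports, read here via the kernel's FS_IOC_GETFLAGS ioctl) and a mount covering the directory that mtab and fstab do not show (read from /proc/self/mountinfo, which the kernel fills in). The function names decode_flags, inode_flags and mount_for are my own.

```python
"""Check a path for deletion-blocking inode flags and for the mount covering it."""
import errno
import fcntl
import os
import struct

# FS_IOC_GETFLAGS = _IOR('f', 1, long): the size field depends on sizeof(long)
FS_IOC_GETFLAGS = 0x80000000 | (struct.calcsize("l") << 16) | (ord("f") << 8) | 1
FS_IMMUTABLE_FL = 0x10  # chattr +i: no unlink, rename, write or link
FS_APPEND_FL = 0x20     # chattr +a: open only for append

def decode_flags(bits):
    """Map the raw inode flag word to the two bits that block deletion."""
    return {"immutable": bool(bits & FS_IMMUTABLE_FL),
            "append_only": bool(bits & FS_APPEND_FL), "raw": bits}

def inode_flags(path):
    """Read the inode flags the way lsattr does (ext2/3/4, xfs, btrfs).
    Returns None when the filesystem does not support the ioctl."""
    fd = os.open(path, os.O_RDONLY)
    try:
        buf = bytearray(8)  # kernel writes an int; 8 bytes covers either long size
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return decode_flags(struct.unpack_from("i", buf)[0])
    except OSError as e:
        if e.errno in (errno.ENOTTY, errno.EOPNOTSUPP, errno.EINVAL, errno.ENOSYS):
            return None
        raise
    finally:
        os.close(fd)

def mount_for(path, mountinfo="/proc/self/mountinfo"):
    """Find the mount that really covers `path` from /proc/self/mountinfo,
    which the kernel maintains (unlike /etc/mtab or fstab)."""
    target = os.path.realpath(path)
    best = None
    try:
        with open(mountinfo) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return None
    for line in lines:
        left, _, right = line.partition(" - ")
        mnt = left.split()[4].replace("\\040", " ")  # field 5 is the mount point
        covered = target == mnt or target.startswith(mnt.rstrip("/") + "/")
        if covered and (best is None or len(mnt) > len(best["mount_point"])):
            fstype, source = right.split()[:2]
            best = {"mount_point": mnt, "fstype": fstype, "source": source}
    return best
```

Run inode_flags() and mount_for() on each of the two directories; a mount point deeper than expected, or an immutable/append_only True, explains the permission errors without any guessing.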
