Re: Can't get rid of this file--Why???
hi ya
whenever a file cannot be erased by root is suspect of hacker problem
as easily as bad hardware
try:
root# chattr -i /usr/lib/gnews
root# mv /usr/lib/gnews /tmp -- just to see it move
root# rm -rf /tmp/gnews
other wise, go to single user and run e2fsck as suggested or equivalent
fs checks for your fs type
and while you're at it.. save a copy of your files and and its permission,
sizes and dates ...
- check against a virgin system... for any additional hacker files
- check your suspect hacked boxes against a known good version
c ya
alvin
On Mon, 16 Sep 2002, Eric G. Miller wrote:
> On Mon, Sep 16, 2002 at 02:02:01AM -0500, John Foster wrote:
> > I have a file /usr/lib/gnews after purging gnews from my system. The
> > strange thing is that I can't even remove it as root. It has a string of
> > numbers for the owner and group and properties of pr--r--r-- 0444 Does
> > anyone know what this is and how to get rid of it. It is stopping me
> > from installing or removing anything connected to gnews. Also it is
> > 512Mbs in size. I tried to view it and I get permission denied...even as
> > root. Thanks!
>
> Well, that's peculiar. Try chmod it root.root. Smells like corruption,
> as a FIFO normally has zero length and packaged installed files
> typically are owned root.root unless there's some compelling reason for
> them to need other permissions. All in all, an fsck might be in order.
>
Reply to: