
Hacked: .bash_history linked somewhere



Hi,
My server was trojaned recently, not sure how.
It looks like /bin/ps was modified or replaced with
a trojan. 
The /root/.bash_history file is set to this:

chsslx1:~# ls -la .bash_history
-rw-r--r--    1 root     root            0 Nov  7 05:31 .bash_history

and I can't edit it or delete it.
It looks like it's linked somewhere:

chsslx1:~# rm .bash_history
rm: remove write-protected file `.bash_history'? y
rm: cannot unlink `.bash_history': Operation not permitted

First off, nothing too much was compromised. Only /etc/samba/* was wiped.
(There may be more stuff but I haven't detected it yet)
It seems that the only way to recover is to re-install?
Is there a way to find out why the .bash_history is linked in some way?

How does this happen in the first place? Does someone need to steal the root 
password and login and plant the trojan, or could this be remotely exploited 
through a security hole in one of my installed packages?
I don't understand how files can get overwritten without manually doing it.

Any advice is appreciated!

Thanks
Mike










