Re: Hacked: .bash_history linked somewhere

To: "debian-user@lists.debian.org" <debian-user@lists.debian.org>
Subject: Re: Hacked: .bash_history linked somewhere
From: Erik Steffl <steffl@bigfoot.com>
Date: Fri, 07 Nov 2003 11:02:43 -0800
Message-id: <[🔎] 3FABEC53.7070604@bigfoot.com>
In-reply-to: <[🔎] 1068230732.3fabe84c46d6e@www.heri.sd57.bc.ca>
References: <[🔎] 1068230732.3fabe84c46d6e@www.heri.sd57.bc.ca>

Mike Egglestone wrote:

Hi,
My server was trojaned recently, not sure how.
It looks like /bin/ps was modified or replaced with

a trojan.The /root/.bash_history file is set to this:


chsslx1:~# ls -la .bash_history
-rw-r--r--    1 root     root            0 Nov  7 05:31 .bash_history

and I can't edit it or delete it.
It looks like its linked somewhere:

chsslx1:~# rm .bash_history
rm: remove write-protected file `.bash_history'? y
rm: cannot unlink `.bash_history': Operation not permitted

First off, nothing to much was compromised. Only /etc/samba/* was wiped.
(There may be more stuff but haven't detected yet)
It seems that the only way to recover is to re-install?
Is there a way to find out why the .bash_history is linked in someway?

it wasn't linked in a way you think. (generally) every file has atleast one hard link to it, it's a hard link and that's what you think ofas the file. when you remove the file you call unlink and it removes thelink, if it was last link the file is removed.

hard links are the ones you see as files, soft links are the ones yousee as link (when you do e.g. ls -l).


  for more info man ln

	erik

Reply to:

References:
- Hacked: .bash_history linked somewhere
  - From: Mike Egglestone <mike@heri.sd57.bc.ca>

Prev by Date: X11 app color problem
Next by Date: Re: Hacked: .bash_history linked somewhere
Previous by thread: Hacked: .bash_history linked somewhere
Next by thread: Re: Hacked: .bash_history linked somewhere
Index(es):
- Date
- Thread