Hi,
My server was trojaned recently, not sure how.
It looks like /bin/ps was modified or replaced with
a trojan.
The /root/.bash_history file is set to this:
chsslx1:~# ls -la .bash_history
-rw-r--r-- 1 root root 0 Nov 7 05:31 .bash_history
and I can't edit it or delete it.
It looks like its linked somewhere:
chsslx1:~# rm .bash_history
rm: remove write-protected file `.bash_history'? y
rm: cannot unlink `.bash_history': Operation not permitted
First off, nothing to much was compromised. Only /etc/samba/* was wiped.
(There may be more stuff but haven't detected yet)
It seems that the only way to recover is to re-install?
Is there a way to find out why the .bash_history is linked in someway?