Re: Hacked: .bash_history linked somewhere

To: debian-user@lists.debian.org
Subject: Re: Hacked: .bash_history linked somewhere
From: Andreas Janssen <andreas.janssen@bigfoot.com>
Date: Fri, 07 Nov 2003 20:06:41 +0100
Message-id: <[🔎] bogqdc$uh5$1@sea.gmane.org>
References: <[🔎] 1068230732.3fabe84c46d6e@www.heri.sd57.bc.ca>

Hello

Mike Egglestone (<mike@heri.sd57.bc.ca>) wrote:

> My server was trojaned recently, not sure how.
> It looks like /bin/ps was modified or replaced with
> a trojan.
> The /root/.bash_history file is set to this:
> 
> chsslx1:~# ls -la .bash_history
> -rw-r--r--    1 root     root            0 Nov  7 05:31 .bash_history
> 
> and I can't edit it or delete it.
> It looks like its linked somewhere:
> 
> chsslx1:~# rm .bash_history
> rm: remove write-protected file `.bash_history'? y
> rm: cannot unlink `.bash_history': Operation not permitted

Maybe the file is immutable. Check with

lsattr .bash_history

You can use chattr to change it:

chattr -i .bash_history

best regards
        Andreas Janssen

-- 
Andreas Janssen
andreas.janssen@bigfoot.com
PGP-Key-ID: 0xDC801674
Registered Linux User #267976

Reply to:

Follow-Ups:
- Re: Hacked: .bash_history linked somewhere
  - From: Mike Egglestone <mike@heri.sd57.bc.ca>

References:
- Hacked: .bash_history linked somewhere
  - From: Mike Egglestone <mike@heri.sd57.bc.ca>

Prev by Date: Re: Hacked: .bash_history linked somewhere
Next by Date: Re: "Red Hat recommends Windows for consumers"
Previous by thread: Re: Hacked: .bash_history linked somewhere
Next by thread: Re: Hacked: .bash_history linked somewhere
Index(es):
- Date
- Thread