Re: Hacked: .bash_history linked somewhere
Hello
Mike Egglestone (<mike@heri.sd57.bc.ca>) wrote:
> My server was trojaned recently, not sure how.
> It looks like /bin/ps was modified or replaced with
> a trojan.
> The /root/.bash_history file is set to this:
>
> chsslx1:~# ls -la .bash_history
> -rw-r--r-- 1 root root 0 Nov 7 05:31 .bash_history
>
> and I can't edit it or delete it.
> It looks like its linked somewhere:
>
> chsslx1:~# rm .bash_history
> rm: remove write-protected file `.bash_history'? y
> rm: cannot unlink `.bash_history': Operation not permitted
Maybe the file is immutable. Check with
lsattr .bash_history
You can use chattr to change it:
chattr -i .bash_history
best regards
Andreas Janssen
--
Andreas Janssen
andreas.janssen@bigfoot.com
PGP-Key-ID: 0xDC801674
Registered Linux User #267976
Reply to: