
hacked: can't delete files



Hello,
 
I have posted to this user group with a similar problem in the past and have had great help, but this one seems to be a new problem:
 
It looks like the affected machine has been rooted by a t0rn rootkit and then used to install a mail relay running on port 9020. This guy was pretty bold and rather cheeky, even creating a directory in his name in the root home directory. In this directory he seems to also have left a file which seems to contain his hotmail address. This is only by the way. The REAL problem I am having is this:
 
chkrootkit has given the following:
 
Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned /lib/security/.config
Now the following:
 
ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x    6 root     root         4096 Aug 21 08:38 .
drwxr-xr-x   38 root     root        12288 Aug 22 20:38 ..
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 .backup
-rw-------    1 root     root          365 Aug 21 08:37 .bash_history
-rwxr-xr-x    1 root     root         1206 Apr 18  2003 .bashrc
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 .owned
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 .sniff
-rwxr-xr-x    1 root     root         2039 Aug 22 20:28 hide
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 utilz
Also:
 
ns:/usr/lib/libsh# lsattr *
-------------- hide
ns:/usr/lib/libsh# lsattr .b*
-------------- .bash_history
-------------- .bashrc
ns:/usr/lib/libsh# lsattr .
-------------- ./utilz
-------------- ./hide
Now try to delete:
 
ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x    6 root     root         4096 Aug 21 08:38 .
drwxr-xr-x   38 root     root        12288 Aug 22 20:38 ..
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 .backup
-rw-------    1 root     root          365 Aug 21 08:37 .bash_history
-rwxr-xr-x    1 root     root         1206 Apr 18  2003 .bashrc
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 .owned
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 .sniff
-rwxr-xr-x    1 root     root         2039 Aug 22 20:28 hide
drwxr-xr-x    2 root     root         4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set on either of these files, but they cannot be deleted. Also, if I copy this directory to another place it becomes "invisible", i.e. you don't see it with ls, but you can change to it with cd. Make sense?
 
I have done a fresh re-install of all commands used above. And I will be completely rebuilding the compromised box, but I am still intrigued by this.
 
Anybody like to have a go?
 
Best regards,
 
Andreas
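The two symptoms in the post (a path that stat()s and cd works on but is missing from the parent's listing, and an unlink refused as root with no i/a flag on the file) are what a readdir/unlink hook looks like from userland, whether it is an LD_PRELOAD library or a kernel module; reinstalling ls and rm does not help against either. Two checks worth making before blaming flags: `lsattr .` lists the flags of the entries inside the directory, not of the directory itself (`lsattr -d .` does that), and an immutable or append-only parent also blocks unlink of its children. The script below is an added example, not part of Andreas's post or of chkrootkit: it reads the inode flag word directly with the FS_IOC_GETFLAGS ioctl (Linux only; the ioctl number is derived from the C `long` width, which is an assumption about the host ABI), reports candidate paths that exist but are absent from their parent's directory listing, classifies a path that rm refused, and lists any LD_PRELOAD-style hooks. The candidate paths are the ones chkrootkit printed above; `make_sample_dir` builds a constructed fixture so the logic can be exercised without a rootkit.

```python
"""Added example: userland checks for readdir hiding and undeletable files.
Not from the original post; Linux-specific (FS_IOC_GETFLAGS from <linux/fs.h>)."""
import array
import fcntl
import os
import struct
import tempfile

# _IOR('f', 1, long): the long width differs between 32- and 64-bit ABIs,
# so derive the ioctl number instead of hard-coding it (assumption: Linux host).
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010   # lsattr 'i' / chattr +i
FS_APPEND_FL = 0x00000020      # lsattr 'a' / chattr +a

# Paths chkrootkit reported in the post.
CANDIDATES = [
    "/usr/lib/libsh/.bashrc", "/usr/lib/libsh/.backup", "/usr/lib/libsh/.sniff",
    "/usr/lib/libsh/.bash_history", "/usr/lib/libsh/.owned", "/lib/security/.config",
]


def inode_flags(path):
    """Inode flag word for path, or None if the path cannot be opened or the
    filesystem does not implement FS_IOC_GETFLAGS (e.g. some tmpfs kernels)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    except OSError:
        return None
    try:
        buf = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)   # kernel fills buf in place
        return buf[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def is_locked(path):
    """True when immutable or append-only is set, i.e. what lsattr shows as i/a."""
    flags = inode_flags(path)
    return flags is not None and bool(flags & (FS_IMMUTABLE_FL | FS_APPEND_FL))


def hidden_entries(candidates, listdir=os.listdir):
    """Candidates that exist (lstat succeeds) but whose name is missing from the
    parent's listing: the sign of a readdir hook filtering names.  `listdir`
    is injectable so the logic can be tested without a real hook."""
    hidden = []
    for path in candidates:
        parent, name = os.path.split(path.rstrip("/"))
        try:
            os.lstat(path)
            listed = listdir(parent or "/")
        except OSError:
            continue            # absent (or unreadable parent): nothing to say
        if name not in listed:
            hidden.append(path)
    return hidden


def classify_undeletable(path):
    """Call after rm reported an error for path.  Returns 'absent', 'locked'
    (i/a on the file), 'parent-locked' (i/a on the directory, which lsattr .
    does not show), 'parent-not-writable', or 'unexplained' (no visible cause:
    suspect an unlink hook rather than a filesystem attribute)."""
    if not os.path.lexists(path):
        return "absent"
    if is_locked(path):
        return "locked"
    parent = os.path.dirname(path) or "."
    if is_locked(parent):
        return "parent-locked"
    if not os.access(parent, os.W_OK | os.X_OK):
        return "parent-not-writable"
    return "unexplained"


def preload_hooks():
    """LD_PRELOAD-style hooks announce themselves here; a kernel module does not."""
    found = []
    if os.environ.get("LD_PRELOAD"):
        found.append("env LD_PRELOAD=" + os.environ["LD_PRELOAD"])
    try:
        with open("/etc/ld.so.preload") as fh:
            found.extend("/etc/ld.so.preload: " + l.strip() for l in fh if l.strip())
    except OSError:
        pass
    return found


def make_sample_dir():
    """Constructed fixture: a temp dir containing an ordinary file named 'hide'."""
    d = tempfile.mkdtemp(prefix="libsh-")
    f = os.path.join(d, "hide")
    open(f, "w").close()
    return d, f


if __name__ == "__main__":
    for p in hidden_entries(CANDIDATES):
        print("HIDDEN from readdir:", p)
    for p in CANDIDATES:
        if os.path.lexists(p):
            print(p, "->", classify_undeletable(p))
    for h in preload_hooks():
        print("preload hook:", h)
```

Run it as root on the suspect box from a known-good medium (a static binary or a rescue boot) if you want results a hooked libc cannot alter; on the live system an "unexplained" verdict together with a hidden entry is the combination that points at a hook rather than at chattr.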
