
Re: hacked: can't delete files



You probably already got this one solved, but if not, you'll need to download one of the Linux rescue disks on another computer and boot the machine up with that disk. It will have a clean copy of chown and chmod and rm on it that the hacker never damaged. What has happened is the hacker replaced your original Debian utilities with cracking versions. Those cracking versions of the utilities protect what they're supposed to, so far as the cracker is concerned, but that's only until you bring the real originals to bear. You might also use an original Debian CD and boot into rescue mode, then do the work, but be sure you specify /dev/hdc/ as a prefix to every one of your utility commands. Don't rely on that e-mail address even existing on hotmail.com either. Your best bet right now is to copy any work you created on that computer off to other media, wipe the machine and do a complete reinstall, but this time apt-get bastille and apt-get tripwire, not to mention clamav, as part of the install process. All of those packages need to be deployed and operating before you go out onto the net again. With the net-inst installation, you takes your chances.



On Fri, 26 Aug 2005, Jason Edson wrote:

On 8/26/05, Andreas Hatz <andreas@hatz.id.au> wrote:

 Hello,
 I have posted this user group with a similar problem in the past and have
had great help, but this one seems to be a new problem:
 It looks like the affected machine has been rooted by a t0rn rootkit and
then used to install a mail relay running on port 9020. This guy was pretty
bold and rather cheeky, even creating a directory in his name in the root
home directory. In this directory he seems to also have left a file which
seems to contain his hotmail address. This is only by the way. The REAL
problem I am having is this:
 chkrootkit has given the following:
 Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff
/usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned
/lib/security/.config
Now the following:
 ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x 6 root root 4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .backup
-rw------- 1 root root 365 Aug 21 08:37 .bash_history
-rwxr-xr-x 1 root root 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .owned
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .sniff
-rwxr-xr-x 1 root root 2039 Aug 22 20:28 hide
drwxr-xr-x 2 root root 4096 Aug 22 19:24 utilz
Also:
 ns:/usr/lib/libsh# lsattr *
-------------- hide
ns:/usr/lib/libsh# lsattr .b*
-------------- .bash_history
-------------- .bashrc
ns:/usr/lib/libsh# lsattr .
-------------- ./utilz
-------------- ./hide
Now try to delete:
 ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x 6 root root 4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .backup
-rw------- 1 root root 365 Aug 21 08:37 .bash_history
-rwxr-xr-x 1 root root 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .owned
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .sniff
-rwxr-xr-x 1 root root 2039 Aug 22 20:28 hide
drwxr-xr-x 2 root root 4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set on either of these
files, but they cannot be deleted. Also, if I copy this directory to another
place it becomes "invisible", i.e. you don't see it with ls, but you can
change to it with cd. Make sense?
 I have done a fresh re-install of all commands used above. And I will be
completely rebuilding the compromised box, but I am still intrigued by this.
 Anybody like to have a go?
 Best regards,
 Andreas


Didn't you post this like a week ago and get answers? Just curious if my mail
reader is acting up.

Jason Edson
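The reply above makes the point that once ls, lsattr and rm have been replaced, nothing they print can be trusted, and Andreas's puzzle (lsattr shows no attributes, yet root cannot unlink "hide" or "utilz") is exactly what a trojaned lsattr would produce. The script below is an added example, not code from anyone in this thread or from Debian: it asks the kernel directly instead of the binaries. inode_flags() reads the immutable/append-only bits with the FS_IOC_GETFLAGS ioctl (the same call lsattr makes, without going through lsattr), and hidden_entries() compares the names the kernel returns from getdents (via os.scandir) against what an ls binary prints, so a copy of ls that filters names out of its output stands out. The ls_binary parameter, the write_filtering_ls() test double and the sample directory layout are constructed for the demonstration; the script assumes Linux and a filesystem that implements the ioctl (ext2/3/4 and most others), returning None for flags elsewhere.

```python
#!/usr/bin/env python3
"""Cross-check a suspect directory without trusting ls or lsattr.

Added example for this thread, not code from any poster or from Debian. It
assumes a Linux host; inode_flags() needs a filesystem that implements the
FS_IOC_GETFLAGS ioctl (ext2/3/4 and most modern ones) and returns None elsewhere.
"""
import fcntl
import os
import shutil
import stat
import struct
import subprocess
import tempfile

# FS_IOC_GETFLAGS = _IOR('f', 1, long): direction "read" (2) in the top bits,
# then sizeof(long), the magic byte 'f' and command number 1 (<linux/fs.h>).
_IOC_READ = 2
FS_IOC_GETFLAGS = ((_IOC_READ << 30) | (struct.calcsize("l") << 16)
                   | (ord("f") << 8) | 1)

# Inode flag bits from <linux/fs.h>; either one makes rm fail even for root.
FS_IMMUTABLE_FL = 0x00000010   # lsattr "i": no write, rename or unlink
FS_APPEND_FL = 0x00000020      # lsattr "a": append-only, also blocks unlink


def inode_flags(path):
    """Read inode attribute flags straight from the kernel via ioctl.

    Returns {"raw", "immutable", "append_only"} or None if the filesystem
    does not support the ioctl. Nothing here runs the lsattr binary, so a
    replaced lsattr cannot hide the attribute from this check.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    try:
        buf = bytearray(struct.calcsize("l"))  # kernel stores a 4-byte int here
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
    except OSError:
        return None
    finally:
        os.close(fd)
    flags = struct.unpack("i", bytes(buf[:4]))[0]
    return {"raw": flags,
            "immutable": bool(flags & FS_IMMUTABLE_FL),
            "append_only": bool(flags & FS_APPEND_FL)}


def hidden_entries(directory, ls_binary="ls"):
    """Names the kernel reports for `directory` that `ls -a` does not print.

    os.scandir() makes the getdents syscall itself, so its view is the
    kernel's. A modified ls that filters names out of its output shows up as
    a non-empty result. ls_binary can point at a known-clean copy (for
    instance one on a mounted rescue CD) to compare against the installed one.
    """
    with os.scandir(directory) as it:
        kernel_view = {entry.name for entry in it}
    out = subprocess.run([ls_binary, "-a1", "--", directory],
                         capture_output=True, text=True, check=True).stdout
    ls_view = {line for line in out.splitlines() if line} - {".", ".."}
    return kernel_view - ls_view


def write_filtering_ls(dest, name_to_hide):
    """Test double only: a wrapper script that drops one name from real ls output.

    Constructed stand-in used to show that hidden_entries() catches filtered
    output; it is not anything from the thread.
    """
    real_ls = shutil.which("ls")
    with open(dest, "w") as fh:
        fh.write('#!/bin/sh\n"%s" "$@" | grep -v -x -- "%s"\n'
                 % (real_ls, name_to_hide))
    os.chmod(dest, os.stat(dest).st_mode | stat.S_IXUSR)
    return dest


if __name__ == "__main__":
    # Constructed sample layout echoing the thread's /usr/lib/libsh listing.
    work = tempfile.mkdtemp()
    suspect = os.path.join(work, "libsh")
    os.mkdir(suspect)
    os.mkdir(os.path.join(suspect, ".owned"))
    open(os.path.join(suspect, "hide"), "w").close()

    print("flags on hide:", inode_flags(os.path.join(suspect, "hide")))
    print("hidden by system ls:", hidden_entries(suspect))
    fake_ls = write_filtering_ls(os.path.join(work, "fake-ls"), "hide")
    print("hidden by filtering ls:", hidden_entries(suspect, fake_ls))
```

Run it from a rescue environment (or with ls_binary pointed at the rescue CD's copy) against the suspect directory; a non-empty hidden_entries() result or an "immutable"/"append_only" of True where lsattr printed dashes is direct evidence that the installed binaries, not the filesystem, are lying. Either way the conclusion in the reply stands: the box gets rebuilt, and this only tells you how much of what you saw on it was real.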



