On Fri, 2003-11-07 at 13:45, Mike Egglestone wrote:
> Hi,
> My server was trojaned recently, not sure how.
> It looks like /bin/ps was modified or replaced with
> a trojan.
> The /root/.bash_history file is set to this:
>
> chsslx1:~# ls -la .bash_history
> -rw-r--r-- 1 root root 0 Nov 7 05:31 .bash_history
>
> and I can't edit it or delete it.
> It looks like it's linked somewhere:
>
> chsslx1:~# rm .bash_history
> rm: remove write-protected file `.bash_history'? y
> rm: cannot unlink `.bash_history': Operation not permitted
>
> First off, nothing too much was compromised. Only /etc/samba/* was wiped.
> (There may be more stuff but I haven't detected it yet.)
> It seems that the only way to recover is to re-install?
> Is there a way to find out why the .bash_history is linked in some way?
>
> How does this happen in the first place? Does someone need to steal the root
> password and log in and plant the trojan, or could this be remotely exploited
> through a security hole in one of my installed packages?
> I don't understand how files can get overwritten without manually doing it.
>
> Any advice is appreciated.
Check out "chattr", especially the "i" option. Use some of the forensic tools in Debian.
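An added example, not part of the thread, of the check the reply points at: an empty root-owned file that even root cannot unlink ("Operation not permitted") is the behaviour of the ext2/ext3 immutable attribute, which `lsattr` shows as `i` in its flags field (append-only shows as `a`). The script below filters `lsattr -d` output for those two flags; the sample lines are constructed to mirror the poster's files, and the lsattr/chattr tools are assumed to be the e2fsprogs ones.

```sh
#!/bin/sh
# Added example: flag files carrying the immutable (i) or append-only (a)
# attribute in lsattr output. Either attribute lets a file resist rm,
# truncation and editing even as root until it is cleared with chattr -i / -a.
#
# lsattr -d prints one line per path: a flags field such as
# "----i--------e--" followed by a space and the path.

# Return 0 when the flags field contains 'i' (immutable) or 'a' (append-only).
flags_suspicious() {
    case "$1" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read lsattr lines on stdin and print only those with i or a set.
find_locked_files() {
    while read -r flags path; do
        [ -n "$path" ] || continue
        if flags_suspicious "$flags"; then
            printf '%s %s\n' "$flags" "$path"
        fi
    done
}

# Constructed sample standing in for:
#   lsattr -d /root/.bash_history /etc/samba /bin/ps /bin/ls
SAMPLE_LSATTR='----i--------e-- /root/.bash_history
-------------e-- /etc/samba
-----a-------e-- /bin/ps
-------------e-- /bin/ls'

# Run against the sample with "--sample"; on a live system pipe real output:
#   lsattr -d /root/.bash_history /bin/ps | sh thisscript.sh
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | find_locked_files
elif [ ! -t 0 ]; then
    find_locked_files
fi
```

Clearing the flag (`chattr -i /root/.bash_history`) only restores control of the file; it says nothing about how it got there, so pair it with a package integrity check of /bin/ps from known-good media before trusting the host again.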