Hello all,

I am working to recover a server that's been hacked. The chkrootkit tool shows that some binaries (e.g. 'ls', 'ps', 'top') have been changed (infected) by the hacker.

I am trying to reinstall them from rpm packages using 'rpm -ivh --force', but rpm complains that it cannot unlink those files. So as root I tried to remove them, and that fails also. I even got the 'rm' binary from another trusted machine and used that binary in case the 'rm' on the machine has been compromised also.

So, basically, my question is: how do I remove those files? Or why can't I remove them, even though I am root? I tried to boot as single user and it didn't help either.

The permissions of the files and directories are as follows (the files are in /bin and /usr/bin):

-rwxr-xr-x    1 root     root        36692 Dec 13  2001 ls
-rwxr-xr-x    1 root     root        32756 Dec 13  2001 ps
-rwxr-xr-x    1 root     root        30640 Dec 13  2001 netstat
-rwxr-xr-x    1 root     root        48856 Sep 25  1983 top

total 233
drwxr-xr-x   18 root     root         4096 Jun 20 17:12 .
drwxr-xr-x   18 root     root         4096 Jun 20 17:12 ..
drwxr-xr-x    2 root     root         4096 Jun 19 18:14 bin
drwxr-xr-x    3 root     root         1024 Jun 20 17:12 boot
drwxr-xr-x   16 root     root        81920 Jun 20 17:12 dev
drwxr-xr-x   42 root     root         4096 Jun 20 17:14 etc
-rw-r--r--    1 root     root        69651 Jan 30 14:37 findc
drwxr-xr-x   43 root     root         4096 Apr 29 14:33 home
drwxr-xr-x    7 root     root         4096 Apr 10  2002 lib
drwxr-xr-x    2 root     root        16384 Apr 10  2002 lost+found
drwxr-xr-x    2 root     root         4096 Mar  3  2001 misc
drwxr-xr-x    4 root     root         4096 Apr 10  2002 mnt
drwxr-xr-x    3 root     root         4096 Apr 10  2002 opt
dr-xr-xr-x   23 root     root            0 Jun 20 13:12 proc
drwxr-x---   22 root     root         4096 Jun 20 17:20 root
drwxr-xr-x    2 root     root         4096 Jun 19 18:14 sbin
drwxrwxrwt   11 root     root         4096 Jun 20 17:10 tmp
drwxr-xr-x   20 root     root         4096 May 23  2002 usr
drwxr-xr-x   22 root     root         4096 Oct 10  2002 var

Thanks in advance for any help.

RDB
--
Reuben D. Budiardja

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
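The symptom described in the post above (root cannot unlink a file, a trusted 'rm' does not help, single-user mode makes no difference, and the mode bits look normal) is the classic signature of an ext2/ext3 inode attribute rather than a permission problem: a file flagged immutable ('i') or append-only ('a') with chattr cannot be unlinked, renamed or overwritten by anyone, root included, until the flag is cleared. The script below is an added example written for this page, not code from the original post or from the redhat-list thread. It assumes e2fsprogs ('lsattr' and 'chattr') is installed and the files live on a filesystem that supports those attributes; 'rpm' is used only if present. The function names 'classify_attr_line', 'check_immutable' and 'audit_binaries' and the state labels they print are this example's own. It only diagnoses and prints the remedial commands; it does not modify anything.

```shell
#!/bin/sh
# Added example, not from the original post or the redhat-list thread.
# Diagnoses the usual reason root cannot unlink a file on ext2/ext3:
# the immutable ('i') or append-only ('a') inode attribute, which only
# chattr can clear and which is commonly set on replaced system binaries
# so that rm and rpm fail. Assumes e2fsprogs (lsattr/chattr) is installed.

# Classify one line of `lsattr` output ("<flags> <path>") as
# immutable, append-only, both or clean. Only the flags field is
# inspected, so letters in the path cannot cause false positives.
classify_attr_line() {
    flags=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$flags" in
        *i*a*|*a*i*) echo "both" ;;
        *i*)         echo "immutable" ;;
        *a*)         echo "append-only" ;;
        *)           echo "clean" ;;
    esac
}

# Run lsattr on one path and classify it; prints "unknown" when lsattr
# is missing, the path does not exist, or the filesystem has no attributes.
check_immutable() {
    line=$(lsattr -d "$1" 2>/dev/null) || { echo "unknown"; return 0; }
    classify_attr_line "$line"
}

# For each path: report the attribute state, print the chattr command
# that would make the file removable again, and (if rpm is present)
# verify the file against its package so a trojaned copy is visible.
audit_binaries() {
    for p in "$@"; do
        state=$(check_immutable "$p")
        printf '%s: %s\n' "$p" "$state"
        case "$state" in
            immutable|append-only|both)
                printf '  to make removable: chattr -ia %s\n' "$p"
                printf '  then reinstall:    rpm -Uvh --force <package>.rpm\n'
                ;;
        esac
        if command -v rpm >/dev/null 2>&1; then
            # rpm -V prints a line only when size, md5, mtime etc. differ
            rpm -Vf "$p" 2>/dev/null | sed 's/^/  rpm -V: /'
        fi
    done
}

# Usage: sh check_immutable.sh /bin/ls /bin/ps /bin/netstat /usr/bin/top
if [ "$#" -gt 0 ]; then
    audit_binaries "$@"
else
    echo "usage: $0 /path/to/binary ..."
fi
```

If lsattr shows an 'i' or 'a' in the flags column, `chattr -ia` on the file clears it and both rm and `rpm --force` work again. Note the limit of this check: it explains the userland symptom only. If the kernel itself has been modified (for example by a loadable-module rootkit), every userland tool including lsattr, rpm and chkrootkit can be lied to, so the conservative recovery for a compromised host is still to rebuild from trusted installation media and restore data, rather than to repair binaries in place.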