Every time I've talked to someone about recovering a system that had been hacked, I'd been told to do a fresh install of the OS...
> Hello all,
> I am working to recover a server that's been hacked. The chkrootkit tool
> shows that some binary (eg 'ls', 'ps', 'top') has been changed
> (infected) by the hacker.
>
> I am trying to reinstall from rpm packages using 'rpm -ivh --force'
> but rpm complains it cannot unlink those files. So as root I tried to
> remove them, and failed also. I even got the 'rm' binary from another
> trusted machine and used that binary in case the 'rm' in the machine has
> been compromised also.
>
> So, basically my question is, how do I remove those files? Or why can't
> I remove them, even though I am root? I tried to boot as single user and
> it didn't help either.
>
> The permissions of the files and directories are as follows (the files are in
> directories /bin and /usr/bin):
>
> -rwxr-xr-x 1 root root 36692 Dec 13 2001 ls
> -rwxr-xr-x 1 root root 32756 Dec 13 2001 ps
> -rwxr-xr-x 1 root root 30640 Dec 13 2001 netstat
> -rwxr-xr-x 1 root root 48856 Sep 25 1983 top
>
> total 233
> drwxr-xr-x 18 root root 4096 Jun 20 17:12 .
> drwxr-xr-x 18 root root 4096 Jun 20 17:12 ..
> drwxr-xr-x 2 root root 4096 Jun 19 18:14 bin
> drwxr-xr-x 3 root root 1024 Jun 20 17:12 boot
> drwxr-xr-x 16 root root 81920 Jun 20 17:12 dev
> drwxr-xr-x 42 root root 4096 Jun 20 17:14 etc
> -rw-r--r-- 1 root root 69651 Jan 30 14:37 findc
> drwxr-xr-x 43 root root 4096 Apr 29 14:33 home
> drwxr-xr-x 7 root root 4096 Apr 10 2002 lib
> drwxr-xr-x 2 root root 16384 Apr 10 2002 lost+found
> drwxr-xr-x 2 root root 4096 Mar 3 2001 misc
> drwxr-xr-x 4 root root 4096 Apr 10 2002 mnt
> drwxr-xr-x 3 root root 4096 Apr 10 2002 opt
> dr-xr-xr-x 23 root root 0 Jun 20 13:12 proc
> drwxr-x--- 22 root root 4096 Jun 20 17:20 root
> drwxr-xr-x 2 root root 4096 Jun 19 18:14 sbin
> drwxrwxrwt 11 root root 4096 Jun 20 17:10 tmp
> drwxr-xr-x 20 root root 4096 May 23 2002 usr
> drwxr-xr-x 22 root root 4096 Oct 10 2002 var
>
> Thanks in advance for any help.
>
> RDB
> --
> Reuben D. Budiardja
>
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]
> https://www.redhat.com/mailman/listinfo/redhat-list
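The symptom in the quoted question (rpm and a trusted rm both unable to unlink a file while running as root, single-user mode included) is worth triaging before deciding whether the box can be cleaned in place. The helper below is an added example for this thread, not code from either poster or from the redhat-list: for each file the question names it asks rpm whether the on-disk file still matches the package database, and asks lsattr (from e2fsprogs; assumed to be installed) whether the inode carries the ext2/ext3 immutable or append-only attribute, either of which makes unlink() fail even for root. The lsattr and rpm -V lines referenced in the comments and the path list are constructed from the question, and the tool silently reports "unknown" when rpm or lsattr is not present.

```shell
#!/bin/sh
# Added triage helper (not from the thread). For each suspect binary it reports:
#   1. whether rpm's database still agrees with the file on disk (rpm -V), and
#   2. whether the inode carries the immutable (i) or append-only (a) attribute,
#      which makes unlink()/rename() fail even for root and matches the symptom
#      of both rpm --force and a trusted rm refusing to remove the file.
# Run it from rescue media with a trusted toolchain: on a live compromised host
# lsattr, rpm and the kernel itself may be lying about what is on disk.

# The four files named in the question (constructed list, edit as needed).
SUSPECTS="/bin/ls /bin/ps /bin/netstat /usr/bin/top"

# attr_flags "<lsattr line>" -> prints immutable / append-only /
# immutable,append-only / none. Pure text parsing so it can be exercised
# against a captured line such as "----i--------e-- /bin/ls".
attr_flags() {
    flags=$(printf '%s\n' "$1" | awk '{print $1}')
    out=""
    case "$flags" in *i*) out="immutable" ;; esac            # lowercase i only; I = htree dir
    case "$flags" in *a*) out="${out:+$out,}append-only" ;; esac  # A = no-atime, not a
    printf '%s\n' "${out:-none}"
}

# rpm_status_changed "<rpm -V line>" -> exit 0 when the status field reports a
# size (S) or digest (5) mismatch, i.e. the file content differs from the
# package; "missing" counts as changed too. rpm -V prints e.g.
# "S.5....T.  /bin/ls"; a status of all dots means the file is unchanged.
rpm_status_changed() {
    status=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$status" in
        missing) return 0 ;;
        *S*|*5*) return 0 ;;
    esac
    return 1
}

# inspect_file PATH -> prints "PATH attrs=<flags> rpm=<verdict>"
#   attrs: immutable / append-only / immutable,append-only / none / unknown
#   rpm:   changed / metadata-only / unchanged / unowned / unknown
inspect_file() {
    f=$1
    attrs="unknown"
    if command -v lsattr >/dev/null 2>&1 && [ -e "$f" ]; then
        line=$(lsattr -d "$f" 2>/dev/null || true)
        if [ -n "$line" ]; then
            attrs=$(attr_flags "$line")
        fi
    fi
    verdict="unknown"
    if command -v rpm >/dev/null 2>&1 && [ -e "$f" ]; then
        if ! rpm -qf "$f" >/dev/null 2>&1; then
            # A file no package claims is itself suspicious on a /bin path.
            verdict="unowned"
        else
            # rpm -Vf prints one line per differing file of the owning package;
            # no line for our path means it matches the database.
            vline=$(rpm -Vf "$f" 2>/dev/null | grep -- " $f\$" || true)
            if [ -z "$vline" ]; then
                verdict="unchanged"
            elif rpm_status_changed "$vline"; then
                verdict="changed"
            else
                verdict="metadata-only"   # e.g. only mtime (T) or mode (M) differs
            fi
        fi
    fi
    printf '%s attrs=%s rpm=%s\n' "$f" "$attrs" "$verdict"
}

triage() {
    for f in $SUSPECTS; do
        inspect_file "$f"
    done
}

triage
```

Reading the report: a file that shows `rpm=changed` together with `attrs=immutable` explains the failed unlink, and `chattr -i` (which needs CAP_LINUX_IMMUTABLE, so root from a clean boot) clears the flag so rpm can replace the file. A file that shows `attrs=none` yet still cannot be removed points at tampering below the filesystem layer, typically a kernel module, and at that point nothing the running kernel reports can be trusted, which is the reasoning behind the reply's advice to reinstall rather than clean. Note also that the sizes and dates in an `ls -l` listing are attacker-controllable (the 1983 timestamp on `top` above is an example of what can appear), so rpm's stored digests, not the listing, are the evidence to rely on.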