Reinstall is your best option. Your second-best option is to boot from a mini-distribution floppy. It's not enough to just use a boot disk; you need a full mini-dist on that floppy. Then do your commands. rpm has an option for chrooting itself so that you can have your filesystem mounted on a subdirectory and still have RPM do useful stuff. However, I would specify --noscripts so that it doesn't invoke any of your borked commands while reinstalling.
In addition, I would do rpm -Va (verify all) to check for any additional inconsistency.

Jon

On Fri, 20 Jun 2003, Richard Crawford wrote:

> Every time I've talked to someone about recovering a system that had been
> hacked, I'd been told to do a fresh install of the OS...
>
> > Hello all,
> > I am working to recover a server that's been hacked. The chkrootkit tool
> > shows that some binaries (e.g. 'ls', 'ps', 'top') have been changed
> > (infected) by the hacker.
> >
> > I am trying to reinstall from rpm packages using 'rpm -ivh --force'
> > but rpm complains it cannot unlink those files. So as root I tried to
> > remove them, and failed also. I even got the 'rm' binary from another
> > trusted machine and used that binary in case the 'rm' in the machine has
> > been compromised also.
> >
> > So, basically my question is, how do I remove those files? Or why can't
> > I remove them, even though I am root? I tried to boot as single user and
> > it didn't help either.
> >
> > The permissions of the files and directories are as follows (the files are
> > in directories /bin and /usr/bin):
> >
> > -rwxr-xr-x 1 root root 36692 Dec 13 2001 ls
> > -rwxr-xr-x 1 root root 32756 Dec 13 2001 ps
> > -rwxr-xr-x 1 root root 30640 Dec 13 2001 netstat
> > -rwxr-xr-x 1 root root 48856 Sep 25 1983 top
> >
> > total 233
> > drwxr-xr-x 18 root root  4096 Jun 20 17:12 .
> > drwxr-xr-x 18 root root  4096 Jun 20 17:12 ..
> > drwxr-xr-x  2 root root  4096 Jun 19 18:14 bin
> > drwxr-xr-x  3 root root  1024 Jun 20 17:12 boot
> > drwxr-xr-x 16 root root 81920 Jun 20 17:12 dev
> > drwxr-xr-x 42 root root  4096 Jun 20 17:14 etc
> > -rw-r--r--  1 root root 69651 Jan 30 14:37 findc
> > drwxr-xr-x 43 root root  4096 Apr 29 14:33 home
> > drwxr-xr-x  7 root root  4096 Apr 10 2002 lib
> > drwxr-xr-x  2 root root 16384 Apr 10 2002 lost+found
> > drwxr-xr-x  2 root root  4096 Mar 3 2001 misc
> > drwxr-xr-x  4 root root  4096 Apr 10 2002 mnt
> > drwxr-xr-x  3 root root  4096 Apr 10 2002 opt
> > dr-xr-xr-x 23 root root     0 Jun 20 13:12 proc
> > drwxr-x--- 22 root root  4096 Jun 20 17:20 root
> > drwxr-xr-x  2 root root  4096 Jun 19 18:14 sbin
> > drwxrwxrwt 11 root root  4096 Jun 20 17:10 tmp
> > drwxr-xr-x 20 root root  4096 May 23 2002 usr
> > drwxr-xr-x 22 root root  4096 Oct 10 2002 var
> >
> > Thanks in advance for any help.
> >
> > RDB
> > --
> > Reuben D. Budiardja

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
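
The verify step suggested in the reply above prints one line per file that differs from the rpm database. The following is an added example, not part of the original thread: a triage filter for that output. The mount point /mnt/sysimage, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output gathered from rescue media.
# Assumed capture (mount point /mnt/sysimage is an assumption):
#   rpm --root /mnt/sysimage -Va > verify.txt
# Each line is a flag string (8 or 9 characters depending on rpm version),
# an optional file-type marker such as "c" for config, and a path.
# A "5" in the third flag column means the file digest differs from the
# value recorded in the rpm database.

# Constructed sample output, using the binary names from the thread.
sample_verify_output() {
    cat <<'EOF'
S.5....T   /bin/ls
S.5....T   /bin/ps
S.5....T c /etc/hosts
.......T   /usr/share/doc/example/README
missing    /usr/bin/top
.M......   /var/spool/example
EOF
}

# Read verify output on stdin; print "REASON<TAB>PATH" for every non-config
# file that is missing or whose content digest no longer matches.
triage_rpm_verify() {
    awk '
    # Rejoin fields n..NF so a path containing a space is not truncated.
    function rest(n,   i, s) {
        s = $n
        for (i = n + 1; i <= NF; i++) s = s " " $i
        return s
    }
    $1 == "missing" {
        if (NF >= 3 && $2 == "c") next      # missing config file: skip
        print "MISSING\t" rest(2)
        next
    }
    length($1) == 8 || length($1) == 9 {
        n = 2
        if (NF >= 3 && $2 ~ /^[cdglr]$/) {   # file-type marker present
            if ($2 == "c") next              # edited config is expected
            n = 3
        }
        if (substr($1, 3, 1) == "5") print "DIGEST\t" rest(n)
    }'
}

sample_verify_output | triage_rpm_verify
```

With `--root`, rpm reads the package database stored on the mounted filesystem, so a clean result is only as trustworthy as that database.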