  1. #1

    Can't delete or chown file as root


    Some hack script suddenly appeared in the /root directory of my VPS. Let's call it "badscript".

    -rwxr-xr-x 1 root root 1.2M Jul 18 12:34 badscript
    But I can't delete it or chown it as root.

    It says:
    rm: cannot remove `badscript': Operation not permitted
    chown: changing ownership of `badscript': Operation not permitted
    stat badscript
    File: `badscript'
    Size: 1189151 Blocks: 2336 IO Block: 4096 regular file
    Device: 57h/87d Inode: 17932822 Links: 1
    Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2014-07-29 16:51:30.000000000 -0400
    Modify: 2014-07-18 12:34:49.000000000 -0400
    Change: 2014-07-29 16:51:25.000000000 -0400
    Please, any idea how to block the person who added this script to my Linux Red Hat server?

    The "last" command shows only my regular IPs, no strange IP.

    And how do I remove that script? Thank you.

  2. #2
    chattr -i FILENAME
    rm -rf FILENAME

  3. #3
    elija
    Originally posted by postcd:
    Please any idea how to block that person who added this script to my linux redhat server?
    Depends on how they did it; most frequently it's through a poorly validated upload script in a web page. I would also wonder if the rest of the server is now trustworthy...

  5. #4

    $ lsattr badscript
    The output could be something like this:
    ----i--------e- badscript
    Remove the immutable "i" attribute by typing the following command:
    # chattr -i badscript

  6. #5
    Rubberman
    With the shown permissions, root should be able to remove the file with "rm -f filename". This makes me think, as does elija, that your system is seriously pwnd. You could try rebooting into single user mode, log in as root, and try to remove it again. If you cannot, then you will need to rebuild or restore your system to the last known good image.

  7. #6
    Was looking around for the bash bug, but ran across this. If he can edit it, could he just make it an empty script file? Just wondering if he's tried to do that via root...
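
Added example, not part of the thread: a triage helper for the situation in posts #2 and #4. It reads `lsattr` output and lists every file carrying the immutable (`i`) or append-only (`a`) attribute, the two that stop root from deleting a file, so other flagged files on the same server can be found. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list files whose ext2/3/4 attributes
# stop even root from removing them.

# Read `lsattr` output on stdin; print "<reason><TAB><path>" for each entry
# carrying lowercase i (immutable) or a (append-only). Uppercase I and A are
# unrelated flags (indexed directory, no-atime) and are ignored.
flagged_attrs() {
    awk '
        /^lsattr: / { next }               # error lines mixed into the output
        NF < 2      { next }               # blank lines, "dir:" headers from -R
        $1 !~ /^[A-Za-z-]+$/ { next }      # first field is not an attribute string
        {
            why = ""
            if (index($1, "i")) why = "immutable"
            if (index($1, "a")) why = (why == "" ? "" : why ",") "append-only"
            if (why == "") next
            path = $0
            sub(/^[^ ]+ +/, "", path)      # keep spaces inside the path
            printf "%s\t%s\n", why, path
        }'
}

# Recursively scan a directory tree (hypothetical helper name).
scan_tree() {
    lsattr -R -a "$1" 2>/dev/null | flagged_attrs
}

# Constructed sample of `lsattr` output, including the line from post #4.
sample_lsattr() {
    cat <<'EOF'
----i--------e- badscript
-------------e- /root/.bashrc
-----a-------e- /var/log/secure
----ia-------e- /etc/cron.d/nightly job
-------A-----I- /srv/data

/root/.ssh:
lsattr: Operation not supported While reading flags on /root/dev
EOF
}

# With an argument, scan that tree; otherwise run on the constructed sample.
if [ -n "${1:-}" ]; then scan_tree "$1"; else sample_lsattr | flagged_attrs; fi
```

Record a hash and a copy of each flagged file before running `chattr -i` and `rm` on it, since the file is evidence of how the server was compromised.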

