Re: Unremovable files.
- From: bv@xxxxxxx (Bill Vermillion)
- Date: Sun, 22 Oct 2006 14:45:01 GMT
In article <mailman.0.1161448407.19700.sco-misc@xxxxxxxxxxxxxxxxxxx>,
Bill Campbell <bill@xxxxxxxxxxxxx> wrote:
> On Sat, Oct 21, 2006, Walter Vaughan wrote:
>> Jeff Hyman wrote:
>>> I find it hard to believe that a file cannot be 'listed'
>>> then isolated.
>>
>> Recently I had the pleasure of looking at a machine that has been
>> rootkit'ted. Everything I *thought* I knew no longer applied.
>> Having seen files that would not delete I now fear the "kit".
>
> If you see files on a Linux system you can't remove, look at the
> man pages on ``lsattr'' and ``chattr''. Typically the cracker
> will set the immutable flags with chattr. Use lsattr to get a
> list of the attributes set, then use ``chattr -xxxxx'' where the
> x's are the attribute characters shown with lsattr.
>
> ``rpm -V packagename'' is your friend too on these systems as is
> a good intrusion detection system that lists changed, added, or
> missing files on the system.
>
> Bill

And an FYI - if you are using FreeBSD, chflags is the operator
there. And to see attributes it's ls -lo.
Bill
--
Bill Vermillion - bv @ wjv . com
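
Added example, not part of the original posts: a POSIX shell filter that reads `lsattr` output and lists the entries carrying the immutable (`i`) or append-only (`a`) attribute, which are the ones that resist `rm`. The function names and the sample listing are constructed for illustration, and the input is assumed to be in the usual e2fsprogs `lsattr` layout (attribute string, one space, path).

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, sample data is constructed.

# Read lsattr output on stdin and print "FLAGS<TAB>PATH" for every entry
# that has the immutable (i) and/or append-only (a) attribute set.
flagged_entries() {
    while IFS= read -r line; do
        attrs=${line%% *}      # first field: the attribute string
        path=${line#* }        # remainder: the path (may contain spaces)
        # Skip blank lines, "dir:" headers from -R, and lsattr error lines:
        # a real attribute string holds only letters and dashes.
        [ "$path" = "$line" ] && continue
        case $attrs in
            ''|*[!A-Za-z-]*) continue ;;
        esac
        hit=''
        case $attrs in *i*) hit="${hit}i" ;; esac
        case $attrs in *a*) hit="${hit}a" ;; esac
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$hit" "$path"
        fi
    done
    return 0
}

# Constructed sample in lsattr -R layout, including noise lines.
sample_lsattr() {
    cat <<'EOF'
--------------e------- /etc/hosts
----i---------e------- /usr/bin/ps
----ia--------e------- /var/tmp/my file.log
lsattr: Operation not supported While reading flags on /dev/null

/etc/ssh:
-------A------e------- /etc/ssh/sshd_config
EOF
}

# Demo on the sample; on a live system: lsattr -R /path 2>&1 | flagged_entries
sample_lsattr | flagged_entries
```

The first column is the set of characters to pass to `chattr -` for that path once the file has been reviewed; FreeBSD's `ls -lo` output has a different layout and is not handled here.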