Linux Hacks

Recently I was working on a customer's Linux system that had been hacked. Using a rootkit scanner I was able to identify some files that had been created by the attacker, but I was unable to delete them.

rkhunter identified SVH4 & SVH5 issues. These kits had created a directory /usr/lib/libsh containing a utilz directory and a hide script used to remove logging information and prevent detection and forensics. While the system is compromised and will need to be rebuilt (they got in via a Nagios hack), it annoyed me that I could not delete the files found. ls -l showed the files as readable and writable, but removal was refused with "Permission denied" and "Operation not allowed". There was limited information in the searches I completed, and most just said to re-install (which is fine, but I wanted an answer). Further research led me to the extended attributes provided by the ext2 & ext3 file systems.

What I found was two commands related to these attributes: lsattr and chattr. Using lsattr I found the files themselves had no attributes, but the directory they were in had the attributes s, i and a (secure deletion, immutable and append-only; entries cannot be removed from an immutable or append-only directory, even by root, until the attribute is cleared). Running chattr -s -i -a /usr/lib/libsh successfully removed these attributes and allowed removal of the directories!
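As an added example (not part of the original post), the following POSIX shell functions parse lsattr -R style output, flag every entry carrying the i, a or s attributes that blocked deletion here, and print the exact chattr command that would clear them. The lsattr output below is constructed to mimic the compromised host; on a real system feed in lsattr -R /usr/lib instead.

```shell
#!/bin/sh
# Added example: locate files/directories whose extended attributes block
# removal (i = immutable, a = append-only) or hide traces (s = secure delete),
# and build the matching chattr command. Not part of the original post.

# Reads "lsattr -R" output on stdin ("<flags> <path>" per entry).
# Prints "<flags>\t<path>" for entries that have any of i, a or s set.
find_locked_attrs() {
    while IFS= read -r line; do
        case "$line" in
            ""|*:) continue ;;          # skip blank lines and "dir:" headers
        esac
        flags=${line%% *}               # flag column never contains spaces
        path=${line#* }                 # remainder is the path (may have spaces)
        case "$flags" in
            *i*|*a*|*s*) printf '%s\t%s\n' "$flags" "$path" ;;
        esac
    done
}

# Given a lsattr flag string and a path, print the chattr command that
# removes only the attributes actually set. Returns 1 if nothing to clear.
# (Clearing i or a needs root / CAP_LINUX_IMMUTABLE on the real system.)
unlock_command() {
    flags=$1; path=$2; opts=""
    case "$flags" in *i*) opts="$opts -i" ;; esac
    case "$flags" in *a*) opts="$opts -a" ;; esac
    case "$flags" in *s*) opts="$opts -s" ;; esac
    [ -n "$opts" ] || return 1
    printf 'chattr%s %s\n' "$opts" "$path"
}

# Constructed sample resembling "lsattr -R /usr/lib" on the hacked host.
SAMPLE='-------------------- /usr/lib/libc.so.6
s---ia-------------- /usr/lib/libsh

/usr/lib/libsh:
-------------------- /usr/lib/libsh/hide
-------------------- /usr/lib/libsh/utilz'

# Print one chattr command per locked entry found in SAMPLE.
report() {
    printf '%s\n' "$SAMPLE" | find_locked_attrs |
    while IFS=$(printf '\t') read -r flags path; do
        unlock_command "$flags" "$path"
    done
}

report
```

During an investigation, run the report first and capture it as evidence: which directories an attacker marked immutable is itself a useful indicator before anything is cleaned up.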

Another day in the trenches…

Ray
