Can't delete or chown file as root

Discussion in 'Server Security' started by postcd, Jul 30, 2014.

  1. postcd

    Hello,

    Some hack script suddenly appeared in the /root directory of my VPS. Let's call it "badscript",

    but I can't delete it or chown it, even as root.

    It says:
    stat badscript
    Please, any idea how to block the person who added this script to my Linux Red Hat server?


    The "last" command shows only my regular IPs, no stranger IP.

    And how do I remove that script? Thank you
  2. rstanley

    Is this a computer at your location, or at a hosting company? If the latter, then you should contact tech support at the hosting company.
  3. postcd

    It's an unmanaged server under my management in a pro datacenter.
  4. rstanley

    I would guess that your system may have been compromised. Take a look at /etc/passwd, /etc/shadow, and /etc/group for any recent changes and/or additions. Look at root to see if it has been altered, and for any new users/groups you don't recognize. Is root still really root???

    This is just a guess as I have never encountered anything like this before. I would change root's password to something more secure than your current password, whatever it is. You might want to change all the passwords, period.

    Check your logs as well for unauthorized activity.

    Last resort, a fresh installation of the server from scratch!

    Good luck!
  5. JasKinasis

    Your server has obviously been compromised, so rstanley's advice is good.

    If you are 100% sure you were logged in as root, then you should have been able to remove the file. Trying to think of reasons a file would not be deleted, I can think of two possibilities offhand:

    1. If there is a program/process running which has that file open, that might prevent you from being able to remove the file. Not 100% on that though! But you might want to see what processes are running on that machine and try to kill any suspicious processes before attempting to delete the file again.

    2. Are there any special characters at the start of the filename? If so, perhaps you need to escape them in order to delete the file.

    Other than that, I have nothing. All the best though!
  6. postcd

    Thanks. When I run lsattr it shows:
    groups
    cat /etc/passwd | grep root
    Also thanks to the command:
    find /root -type f -name "*" -mtime -48

    I found some modified files, among them:
    cat /root/.bash_history
    (I replaced the IP with asterisks)

    cat /root/.mysql_history
    Please, any ideas? I already changed the root password, and it's not a guessable one.
    How could that person access the server like this while it's in a secure datacenter and the password is not a dictionary one, with random chars?
    Last edited: Jul 30, 2014
  7. WharfRat

    As root

    chattr -i /root/badscript

    should remove the immutable attribute. Root should have been able to delete that file.

    Not sure what you're running, but this 'might' be able to spot a rogue module that's not in the kernel tree.

    Code:
    # list the module files on disk, dropping '_' and '-' so that names match
    # however /proc/modules spells them; a mktemp file replaces the fixed /tmp/list
    list=$(mktemp) || exit 1
    find /lib/modules/$(uname -r)/ -type f | tr -d '_-' > "$list"
    awk '{print $1}' /proc/modules | tr -d '_' | while read m; do
        if grep -qw "$m.ko" "$list"; then echo "$m OK"; else echo "Check ---> $m"; fi
    done
    rm -f "$list"
    
    Last edited: Jul 30, 2014
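The two checks WharfRat and rstanley describe above (clear the immutable attribute, then look for accounts that are really root), as an added shell example that is not code from this thread. It assumes e2fsprogs' lsattr/chattr on an ext-family filesystem; the lsattr line in the comments and the passwd contents in the usage are constructed, and /root/badscript is the thread's own placeholder name. The file's flags are read before anything is removed: on Linux a file that a process holds open can still be unlinked, so an 'i' (immutable) or 'a' (append-only) flag on the file, or on its parent directory, is the usual reason root gets "Operation not permitted" from rm.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for triaging a file that
# root cannot unlink or chown: read the ext2/3/4 attribute flags, clear the
# ones that block deletion, and check a passwd file for extra uid-0 accounts.
# Sample inputs in the comments are constructed; /root/badscript is the
# thread's placeholder name.

# Given one line of `lsattr` output, name the flags that stop unlink/rename.
# Constructed sample line: "----i--------e-- /root/badscript"
# The first field is the flag string; 'i' is immutable, 'a' is append-only.
blocking_attrs() {
    flags=$(printf '%s\n' "$1" | awk '{print $1}')
    out=""
    case $flags in *i*) out="${out}immutable " ;; esac
    case $flags in *a*) out="${out}append-only " ;; esac
    printf '%s\n' "${out% }"
}

# Report what prevents deleting $1, then clear the flags and unlink it.
# Needs root and chattr/lsattr from e2fsprogs. The parent directory is
# checked too: an immutable /root blocks unlinking anything inside it even
# when the file itself carries no flags.
unlock_and_remove() {
    f=$1
    dir=$(dirname "$f")
    if [ -L "$f" ]; then
        printf 'refusing: %s is a symlink\n' "$f" >&2
        return 1
    fi
    printf 'file flags: %s\n' "$(blocking_attrs "$(lsattr "$f")")"
    printf 'dir flags:  %s\n' "$(blocking_attrs "$(lsattr -d "$dir")")"
    chattr -i -a "$f" || return 1
    rm -f -- "$f"
}

# Accounts with uid 0 in a passwd-format file ($1). Anything besides root
# is a backdoor candidate. Pass /etc/passwd on the live system, or the
# mounted copy when booted from rescue media.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Usage, run as root on the affected host (constructed):
#   unlock_and_remove /root/badscript
#   uid0_accounts /etc/passwd
```

If `chattr -i -a` itself fails with "Operation not permitted" while running as root, the kernel is refusing CAP_LINUX_IMMUTABLE to root, which on a stock system points at a loaded module or a replaced chattr binary rather than at the file, and the rescue-media route is the safer one.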
  8. postcd

  9. WharfRat

    Apparently, you're not getting the results that I get :confused:

    Can I ask what you're running and what uname -a returns ?
  10. postcd

  11. WharfRat

    The problem here is you don't know how deeply this intrusion has intertwined itself in your system.

    What I would do is boot a live media, mount the partition and run finds with the date range of that rogue file, then carefully move/rename questionable ones somewhere where they can't do any harm.

    Then boot the system and check if there are any repercussions and, if not, keep diligent check on it.

    I don't know what constraints you're under in that datacenter, but a fresh install should definitely be considered as a remedy.

    Good luck ;)
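The live-media procedure WharfRat outlines, as an added shell example that is not code from this thread: with the compromised disk mounted at a path such as /mnt/disk (assumed), create a reference file carrying the rogue file's timestamp (`touch -t YYYYMMDDhhmm`, taken from `stat badscript`) and move every regular file modified after it into a quarantine directory outside the mounted tree, keeping relative paths so the set can be reviewed or restored. All paths, timestamps and the directory tree in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Quarantine rather than delete:
# move every regular file under a mounted root ($1) modified after a
# reference file ($2) into a quarantine directory ($3), keeping relative
# paths. Intended to run from rescue media with the compromised disk
# mounted at $1, so none of the intruder's binaries are executing.
# All paths and timestamps below are constructed.

quarantine_newer() {
    root=${1%/}   # drop a trailing slash so relative paths come out clean
    ref=$2
    q=${3%/}
    # A quarantine dir inside the scanned tree would be found and moved again.
    case $q in
        "$root"|"$root"/*)
            printf 'quarantine dir must lie outside %s\n' "$root" >&2
            return 1 ;;
    esac
    if [ ! -f "$ref" ]; then
        printf 'reference file %s missing (create it with touch -t)\n' "$ref" >&2
        return 1
    fi
    mkdir -p "$q" || return 1
    # -xdev stays on one filesystem; -newer is POSIX, unlike -newermt.
    # Newlines in filenames would break the read loop; switch to -exec if
    # the host has any.
    find "$root" -xdev -type f -newer "$ref" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$q/$(dirname "$rel")" || continue
        # Immutable or append-only files cannot be renamed either; clear the
        # flags when chattr exists (fails harmlessly on other filesystems).
        if command -v chattr >/dev/null 2>&1; then
            chattr -i -a "$f" 2>/dev/null || :
        fi
        if mv "$f" "$q/$rel"; then
            printf '%s\n' "$rel"          # one line per quarantined file
        else
            printf 'failed: %s\n' "$f" >&2
        fi
    done
}

# Usage from rescue media (device, mount points and date assumed):
#   mount /dev/sda1 /mnt/disk
#   touch -t 201407290000 /tmp/ref        # time taken from `stat badscript`
#   quarantine_newer /mnt/disk /tmp/ref /mnt/quarantine
```

Moving rather than deleting keeps the evidence for the log review rstanley asked for, and running it from rescue media means the lsattr, chattr, find and mv used are the rescue system's own binaries, not whatever the intruder may have left in the compromised /bin.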
