Sad to say one of my file servers was exploited and used to run a Phishing scam. Have identified subject virus amongst other things. It appears twice in a virus scan; /sbin/z (which I assume can just be deleted) and /sys/bus/serio/drivers/atkbd/description. The latter file is also present in identical uninfected machines. I have been unable to open the file, even with root privileges, although it appears to be a text file. Any suggestions on how to proceed appreciated. Guess I could delete it and copy over the file from an identical machine.
Is SELinux enabled on your system?
If this is an ext2/ext3 filesystem - look at "lsattr" and friends.
fuser(1) on that file and/or monitoring it using something based on inotify(7) might reveal which process has it open or uses it.
Hope this gives you some useful direction.
--Amos
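The checks suggested in the reply above, gathered into one read-only script. This is an added example, not part of the original messages; the function names are hypothetical, and it assumes a Linux host with /proc mounted and GNU stat.

```shell
#!/bin/sh
# Added example: read-only triage of one suspicious path.

# Filesystem type backing the path, as GNU stat names it
# (e.g. "ext2/ext3", or "sysfs" for the kernel's virtual tree under /sys).
fs_type() {
    stat -f -c '%T' -- "$1"
}

# PIDs that hold the path open, found by resolving /proc/<pid>/fd/* links.
# This is the information fuser(1) reports; run as root to see every process.
pids_with_open() {
    target=$(readlink -f -- "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink -- "$fd" 2>/dev/null)" = "$target" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Hypothetical wrapper name: print all three observations for one path.
triage() {
    echo "fs type   : $(fs_type "$1")"
    # lsattr is only meaningful on ext2/ext3-style filesystems.
    if command -v lsattr >/dev/null 2>&1; then
        echo "attributes: $(lsattr -d "$1" 2>&1)"
    fi
    echo "open by   : $(pids_with_open "$1" | tr '\n' ' ')"
}

if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

Run it with the flagged path as the only argument; nothing on the system is modified.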