Re: root unable to delete

The immutable bit may have been set.

chattr +i <file>

or

chattr -R +i <dir>  (This would recursively apply the immutable bit to 
every file and directory under <dir>)

The immutable bit doesn't allow files to be edited or deleted even as 
root.  To remove the bit run:

chattr -i <file>

or

chattr -R -i <dir>

That may be what the attacker did.  At least one possibility.  I knew 
someone who got hacked and that is what the attacker did.

On Thu, 7 Nov 2002, Administrator wrote:

> Greetings All,
> 
> I had a machine get hacked on RH 7.2
> Whoever did it made some changes to files
> and did something to the file that does not 
> allow me to delete the file, when I am logged 
> in as root and the file is owned by root and 
> is in the group of root and is set as 755 .
> I can't even edit and save the changes to the 
> file.
> 
> Can someone tell me how they did it ?
> 
> I have removed the machine and rebuilt it but
> I would love to know how it was done.
> 
> Thanks all,
> Mike
> 
> 
> 
> 
> ------------------------------------------------------------------------
>      To unsubscribe email security-discuss-request@linuxsecurity.com
>          with "unsubscribe" in the subject of the message.
> 
> 

-- 
duane

'People demand freedom of speech to make up for the freedom of thought 
which they avoid.'
- Kierkegaard

http://www.linuxsecurity.com/feature_stories/feature_story-116.html
http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html --
Updated Version
http://www.linuxsecurity.com/feature_stories/feature_story-89.html
http://www.linuxsecurity.com/feature_stories/feature_story-88.html
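
A check that follows from the reply above, as an added example that is not part of the original message: it parses `lsattr -R` output and lists every path carrying the immutable (`i`) attribute, so an administrator can see what `chattr +i` was applied to before clearing it with `chattr -i`. The function names and the sample listing are constructed for illustration; the one-space "flags path" line layout is the e2fsprogs `lsattr` format.

```shell
#!/bin/sh
# Added example: report files that have the immutable attribute set.

# Reads `lsattr -R` output on stdin, prints the paths whose attribute
# field contains 'i'. Paths containing spaces are preserved.
find_immutable() {
    while IFS= read -r line; do
        # Real entries are "<flags> <path>"; blank lines have no space.
        case $line in
            *' '*) ;;
            *) continue ;;
        esac
        flags=${line%% *}   # text before the first space
        path=${line#* }     # everything after the first space
        # The flags field holds only letters and dashes. This rejects
        # "./dir:" headers printed by -R and "lsattr: ..." error lines.
        case $flags in
            *[!A-Za-z-]*) continue ;;
        esac
        case $flags in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample of `lsattr -R` output (not from a real host).
sample_lsattr_output() {
cat <<'EOF'
--------------e------- ./etc/passwd
----i---------e------- ./bin/login

./tmp/.hidden dir:
----i---------e------- ./tmp/.hidden dir/tool
lsattr: Operation not supported While reading flags on ./proc/kcore
EOF
}

# Usage: sh script.sh <dir>   (scans <dir> recursively)
if [ "$#" -gt 0 ]; then
    lsattr -R "$1" 2>/dev/null | find_immutable
fi
```

Run it as root against the directories the intruder touched; each path it prints can then be cleared with `chattr -i <file>` as described in the reply.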
