Maybe the intruder set the +i attribute on the file by using chattr.
According to its man pages:

<quote>
A file with the `i' attribute cannot be modified: it can not be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.
</quote>

But since you have rebuilt the whole machine, you cannot confirm it. However, in future try

chattr -i /path/to/filename

before modifying it.

references:
man chattr
man lsattr

Regards
--------
Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202

--- "Administrator" <WebMaster@gcstation.net> wrote:
>Greetings All,
>
>I had a machine get hacked on RH 7.2
>Whoever did it made some changes to files
>and did something to the file that does not
>allow me to delete the file, when I am logged
>in as root and the file is owned by root and
>is in the group of root and is set as 755 .
>I can't even edit and save the changes to the
>file.
>
>Can someone tell me how they did it ?
>
>I have removed the machine and rebuilt it but
>I would love to know how it was done.
>
>Thanks all,
>Mike
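Added example, not part of the original messages: a POSIX shell filter that reads `lsattr` output and reports files carrying the immutable (`i`) or append-only (`a`) attribute, which is how an administrator would confirm the explanation given in the reply before running `chattr -i`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the style of `lsattr -R` output (not from a real host).
# The width of the flags column varies between e2fsprogs versions.
SAMPLE_LSATTR='/etc:
--------------e------- /etc/passwd
----i---------e------- /etc/inetd.conf

/var/log:
-----a--------e------- /var/log/messages

/bin:
----i---------e------- /bin/my login
--------------e------- /bin/ls'

flagged_files() {
    # Data lines look like "<flags> <path>". Directory headers ("/dir:")
    # and blank lines printed by -R are skipped.
    while IFS= read -r line; do
        flags=${line%% *}                      # text before the first space
        path=${line#* }                        # the rest; may contain spaces
        [ "$flags" = "$line" ] && continue     # no space: header or blank
        case $flags in
            *[!A-Za-z-]*) continue ;;          # first field is not a flag string
        esac
        case $flags in
            *i*) printf 'immutable\t%s\n' "$path" ;;
            *a*) printf 'append-only\t%s\n' "$path" ;;
        esac
    done
}

scan_tree() {
    # Live use: needs lsattr (e2fsprogs) and a filesystem that supports
    # these attributes; per-file read errors go to stderr and are dropped.
    lsattr -R "$@" 2>/dev/null | flagged_files
}

if [ "$#" -gt 0 ]; then
    scan_tree "$@"                             # e.g. sh script.sh /etc /bin
else
    printf '%s\n' "$SAMPLE_LSATTR" | flagged_files
fi
```

Any path reported as immutable will refuse edits, renames and deletion even for root until the attribute is cleared with `chattr -i`.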