LinuxQuestions.org
Old 01-20-2011, 08:20 AM   #1
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Rep: Reputation: 15
can't delete file - phishing site


hi there

seems like i got a hacker on my server who placed a "western union phishing" site on it.
i am not able to delete the directory with the root user.

Code:
root@laforge:/var/www/html/mailadmin.somewhat.com> ll
total 12
drwxr-xr-x   3 root     root         4096 Jan 20 13:07 a
-rw-r--r--   1 root     root         1342 Oct  3  2006 favicon.ico
-rw-r--r--   1 root     root          136 Jan 30  2007 index.html
root@laforge:/var/www/html/mailadmin.somewhat.com> rm -Rf a/
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/test.htm': Operation not permitted
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/confirm.php': Operation not permitted
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/signInAction.do-jsessionid=pQO5D4le_uoysnBBKBNIOLW-pid=usMenuLogIn-method=load-countryCode=US-languageCode=en-nextSecurePage=Y.htm': Operation not permitted
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/confirm.html': Operation not permitted
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/WUValidationStaticScripts.js': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/SignInCIP.js': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/ValidationRefresh.js': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/homePage_scripts.js': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/scripts/USREGNEW': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/scripts/USHomePage': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/captcha.js': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/ValidationRefreshCIP.js': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/s_code.js': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/scripts/mbox': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/scripts/tealeaf': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/captcha.css': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/scripts/foresee_en_US': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/common.js': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/scripts/tooltip.js': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/scripts/overhaul': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/images/overhaul': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/index.php': Operation not permitted
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/needhelp_btn_on.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_right_secondary_off.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/leftnav_arrow.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no3.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/header_globe.17.17.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/icon_info.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_left.3.36.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no6.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_on.18.36.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/products_hero.567.88.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/popup_bottom.183.15.png': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_subHeaderRt.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_on_tr.20.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_tr_disabled.20.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/button_off.17.18.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no1.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/header_right.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/arrow_turnup.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/needhelp_btn.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/icon_ok.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/vertline_yellow.2.99.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_off.18.36.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_left.10.27.gif': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/background-images/USHomePage': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_mid_secondary.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/header_corner.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_gradient.100.3.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/reg_steps_no2.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_subheader.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no4.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no4.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no2.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_off.20.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/leftnav_arrow_blue.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_mid.7.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no3.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/icon_alert.16.16.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/popup_top.183.18.png': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/popup_middle.183.5.png': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/icon_info_helpBox.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_tl.250.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/header_gradient.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_tl_disabled.250.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no4.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_mid.3.36.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bullet_dot.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no5.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_survey_box_bottom_white.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_subHeaderBg.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/RF_transaction_bg.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_on.126.24.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/WU_header_logo.184.46.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_left_secondary.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/Thumbs.db': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_subHeaderFixed.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_survey_box_bottom_grey.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_subheader_sp.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no3.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no2.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no5.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/icon_alert.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no1.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no1.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/arrow_turndown.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/img_bullet.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/button_on.17.18.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/header_left.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no2.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/reg_step_no1.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/bg_survey_box_top.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/wait1.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/icon_exclamation.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_on.20.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_off.126.24.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/dash.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/greybullet_trans.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/ico_error1.jpg': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/greybullet_trans.7.6.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_tr.20.27.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/reg_steps_no1.557.42.gif': Permission denied
rm: cannot remove `a//wumt.westernunion.com/WUCOMWEB/background-images/btn_disabled.126.24.gif': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/theme/USREGNEW': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/theme/USHomePage': Permission denied
rm: cannot remove directory `a//wumt.westernunion.com/WUCOMWEB/theme/overhaul': Permission denied
rm: cannot remove `a//jeg.JPG': Operation not permitted


Code:
lsattr a/
------------- a/wumt.westernunion.com
suS-iadAcj--- a/jeg.JPG

anyone can help?
thx a lot
 
Old 01-20-2011, 08:32 AM   #2
zer0signal
Member
 
Registered: Oct 2010
Location: Cleveland
Distribution: Slackware, Fedora, RHEL (4,5), LFS 6.7, CentOS
Posts: 258

Rep: Reputation: 29
root@laforge:/var/www/html/mailadmin.somewhat.com> rm -Rf a/

try that in lower case

-rf
 
Old 01-20-2011, 08:48 AM   #3
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by zer0signal
root@laforge:/var/www/html/mailadmin.somewhat.com> rm -Rf a/

try that in lower case

-rf

i get the same error with lower case
 
Old 01-20-2011, 08:54 AM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
Hi,

It looks like the files have been given extended file attributes, which makes them immutable to removal and change.

As root do the following to remove all the extended attributes: chattr -R -isuSadAcj a/

If all went well you are now able to remove the files and directories using rm -rf (or rm -Rf, they are the same).

Hope this helps.

PS: This only solves the removal of these files and dirs, you do need to have a good look to find out if and how your box was compromised.
 
2 members found this post helpful.
Old 01-20-2011, 08:58 AM   #5
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 616

Rep: Reputation: 64
[Content removed]

druuna gave you a good solution there.

Last edited by Sayan Acharjee; 01-20-2011 at 08:59 AM.
 
Old 01-20-2011, 09:02 AM   #6
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by druuna
Hi,

It looks like the files have been given extended file attributes, which makes them immutable to removal and change.

As root do the following to remove all the extended attributes: chattr -R -isuSadAcj a/

If all went well you are now able to remove the files and directories using rm -rf (or rm -Rf, they are the same).

Hope this helps.

PS: This only solves the removal of these files and dirs, you do need to have a good look to find out if and how your box was compromised.


thx. but it doesn't seem to work
i tried it on the directory and on one of the files


Code:
root@laforge:/var/www/html/mailadmin.somewhat.com/a> chattr -R -isuSadAcj jeg.JPG
root@laforge:/var/www/html/mailadmin.somewhat.com/a> lsattr
------------- ./wumt.westernunion.com
suS-iadAcj--- ./jeg.JPG

Last edited by m3phisto; 01-20-2011 at 09:08 AM.
 
Old 01-20-2011, 09:11 AM   #7
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
Hi,

It could be that the a directory (or even mailadmin.somewhat.com and/or html etc) also have extended attributes.

Find the first directory without extended attributes and start there. I.e. if mailadmin.somewhat.com is the first directory with extended attributes, cd to /var/www/html and execute the chattr -R -isuSadAcj mailadmin.somewhat.com from there.

Hope this helps.
 
Old 01-20-2011, 09:16 AM   #8
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster
Rep: Reputation: 15
how can i see if a directory got extended attributes. lsattr only shows me the attributes of files not directories...

Code:
root@laforge:/var/www/html/mailadmin.somewhat.com> lsattr
------------- ./index.html
------------- ./a
------------- ./favicon.ico
 
Old 01-20-2011, 09:26 AM   #9
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
Hi,

lsattr does show files and directories, as shown in your own output (a is a directory, the other 2 are regular files)

Post the output of the following command: find /var/www/html -type d -exec lsattr {} \;

This looks for directories, starting at /var/www/html and lists them using the lsattr command.

BTW: It is strange that the before mentioned command did not work, you might want to try again using this:
Code:
cd /var/www/html
chattr -R -isuSadAcj mailadmin.somewhat.com
Hope this helps.
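
Added example, not part of druuna's post or the thread: a small filter for the lsattr listing requested above. It prints the entries that carry the i (immutable) or a (append-only) attribute, and separately the unflagged entries that sit directly inside a flagged directory and so cannot be unlinked until the directory's attribute is cleared. The sample listing and its /srv/www/site paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an lsattr listing ("<flags> <path>" per line) read from stdin.
# Intended input is the output of the command from the post, e.g.
#   find /var/www/html -type d -exec lsattr {} \; | flagged
# Header and blank lines (as produced by lsattr -R) are skipped.

# Print "<flags><TAB><path>" for every entry carrying i (immutable) or
# a (append-only), the two attributes that stop root from removing an entry.
flagged() {
    awk '
        NF < 2 || $1 !~ /^[-A-Za-z]+$/ { next }   # not an lsattr entry line
        {
            path = $0
            sub(/^[^ ]+ +/, "", path)             # keep spaces inside file names
            if ($1 ~ /[ia]/) print $1 "\t" path
        }'
}

# Print entries that have no i/a attribute themselves but whose parent
# directory does: clearing flags on the file alone will not help there,
# the directory has to be cleared first (chattr -R from above it).
blocked_by_parent() {
    awk '
        NF < 2 || $1 !~ /^[-A-Za-z]+$/ { next }
        {
            path = $0
            sub(/^[^ ]+ +/, "", path)
            if ($1 ~ /[ia]/) locked[path] = 1
            else plain[++n] = path
        }
        END {
            for (k = 1; k <= n; k++) {
                parent = plain[k]
                sub("/[^/]*$", "", parent)        # strip the last path component
                if (parent in locked) print plain[k]
            }
        }'
}

# Constructed sample in the same shape as the listing posted in the thread.
sample_listing() {
    cat <<'EOF'
------------- /srv/www/site/a
------------- /srv/www/site/a/kit
suS-iadAcj--- /srv/www/site/a/pic.JPG
suS-iadAcj--- /srv/www/site/a/kit/index.php
suSDiadAcj--- /srv/www/site/a/kit/scripts
------------- /srv/www/site/a/kit/scripts/common.js
------------- /srv/www/site/a/kit/scripts/my file.js
------------- /srv/www/site/index.html
EOF
}
```

Running lsattr on a directory lists its contents; lsattr -d shows the attributes of the directory entry itself.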
 
Old 01-20-2011, 09:56 AM   #10
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by druuna
Post the output of the following command: find /var/www/html -type d -exec lsattr {} \;
here it is:

Code:
root@laforge:/var/www/html/mailadmin.somewhat.com> find /var/www/html -type d -exec lsattr {} \;
------------- /var/www/html/mailadmin.somewhat.com
------------- /var/www/html/images
------------- /var/www/html/mailadmin.somewhat.com/index.html
------------- /var/www/html/mailadmin.somewhat.com/a
------------- /var/www/html/mailadmin.somewhat.com/favicon.ico
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com
suS-iadAcj--- /var/www/html/mailadmin.somewhat.com/a/jeg.JPG
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB
suS-iadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/test.htm
suS-iadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/confirm.php
suS-iadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/signInAction.do-jsessionid=pQO5D4le_uoysnBBKBNIOLW-pid=usMenuLogIn-method=load-countryCode=US-languageCode=en-nextSecurePage=Y.htm
suS-iadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/confirm.html
suSDiadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts
suSDiadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/images
suS-iadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/index.php
suSDiadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images
suSDiadAcj--- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/theme
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/WUValidationStaticScripts.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/SignInCIP.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/ValidationRefresh.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/homePage_scripts.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/USREGNEW
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/USHomePage
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/captcha.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/ValidationRefreshCIP.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/s_code.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/mbox
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/tealeaf
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/captcha.css
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/foresee_en_US
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/common.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/tooltip.js
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/scripts/overhaul
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/images/overhaul
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/needhelp_btn_on.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_right_secondary_off.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/leftnav_arrow.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no3.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/header_globe.17.17.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/icon_info.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_left.3.36.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no6.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_on.18.36.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/products_hero.567.88.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/popup_bottom.183.15.png
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_subHeaderRt.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_on_tr.20.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_tr_disabled.20.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/button_off.17.18.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no1.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/header_right.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/arrow_turnup.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/needhelp_btn.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/icon_ok.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/vertline_yellow.2.99.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_off.18.36.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_left.10.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/USHomePage
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_mid_secondary.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/header_corner.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_gradient.100.3.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/reg_steps_no2.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_subheader.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no4.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no4.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no2.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_off.20.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/leftnav_arrow_blue.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_mid.7.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no3.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/icon_alert.16.16.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/popup_top.183.18.png
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/popup_middle.183.5.png
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/icon_info_helpBox.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_tl.250.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/header_gradient.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_tl_disabled.250.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no4.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_mid.3.36.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bullet_dot.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no5.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_survey_box_bottom_white.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_subHeaderBg.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/RF_transaction_bg.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_on.126.24.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/WU_header_logo.184.46.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_left_secondary.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/Thumbs.db
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_subHeaderFixed.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_survey_box_bottom_grey.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_subheader_sp.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no3.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no2.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no5.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/icon_alert.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/MT_steps_no1.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/5_steps_no1.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/arrow_turndown.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/img_bullet.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/button_on.17.18.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/header_left.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/4_steps_no2.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/reg_step_no1.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/bg_survey_box_top.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/wait1.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/icon_exclamation.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_yel_nobg_right_on.20.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_off.126.24.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/dash.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/greybullet_trans.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/ico_error1.jpg
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/greybullet_trans.7.6.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_tr.20.27.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/reg_steps_no1.557.42.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/background-images/btn_disabled.126.24.gif
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/theme/USREGNEW
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/theme/USHomePage
------------- /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com/WUCOMWEB/theme/overhaul
------------- /var/www/html/images/qmailadmin
------------- /var/www/html/images/vqadmin
------------- /var/www/html/images/qmailadmin/uppermiddle2.png
------------- /var/www/html/images/qmailadmin/upperright.png
------------- /var/www/html/images/qmailadmin/lowerleft.png
------------- /var/www/html/images/qmailadmin/middleleft1.png
------------- /var/www/html/images/qmailadmin/uppermiddle1.png
------------- /var/www/html/images/qmailadmin/main2.png
------------- /var/www/html/images/qmailadmin/disabled.png
------------- /var/www/html/images/qmailadmin/radio-on.png
------------- /var/www/html/images/qmailadmin/lowerright.png
------------- /var/www/html/images/qmailadmin/main1.png
------------- /var/www/html/images/qmailadmin/modify.png
------------- /var/www/html/images/qmailadmin/delete.png
------------- /var/www/html/images/qmailadmin/middlelogin.png
------------- /var/www/html/images/qmailadmin/pixel.png
------------- /var/www/html/images/qmailadmin/middleright1.png
------------- /var/www/html/images/qmailadmin/trash.png
------------- /var/www/html/images/qmailadmin/lowermiddle.png
------------- /var/www/html/images/qmailadmin/main.png
------------- /var/www/html/images/qmailadmin/upperleft.png
------------- /var/www/html/images/qmailadmin/radio-off.png
------------- /var/www/html/images/qmailadmin/middleleft2.png
------------- /var/www/html/images/vqadmin/vqadmin.css

thx again for your help
 
Old 01-20-2011, 10:16 AM   #11
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
Hi,

The following commands should fix the problem (as root user):
Code:
cd /var/www/html/mailadmin.somewhat.com/a
chattr -suSiadAcj jeg.JPG

cd /var/www/html/mailadmin.somewhat.com/a/wumt.westernunion.com
chattr -R -suSiadAcj WUCOMWEB
Tested the above and it does work when I recreate the environment shown.

Hope this helps.
 
Old 01-20-2011, 10:21 AM   #12
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster
Rep: Reputation: 15
something is very strange here:

Code:
cd /var/www/html/mailadmin.somewhat.com/a
root@laforge:/var/www/html/mailadmin.somewhat.com/a> chattr -suSiadAcj jeg.JPG
root@laforge:/var/www/html/mailadmin.somewhat.com/a> lsattr
------------- ./wumt.westernunion.com
suS-iadAcj--- ./jeg.JPG
or am i missing something?
 
Old 01-20-2011, 10:44 AM   #13
jdkaye
LQ Guru
 
Registered: Dec 2008
Location: Westgate-on-Sea, Kent, UK
Distribution: Debian Testing Amd64
Posts: 5,464

Rep: Reputation: Disabled
Quote:
Originally Posted by m3phisto
something is very strange here:

Code:
cd /var/www/html/mailadmin.somewhat.com/a
root@laforge:/var/www/html/mailadmin.somewhat.com/a> chattr -suSiadAcj jeg.JPG
root@laforge:/var/www/html/mailadmin.somewhat.com/a> lsattr
------------- ./wumt.westernunion.com
suS-iadAcj--- ./jeg.JPG
or am i missing something?
You left out the -R switch in the chattr command.
jdk
 
Old 01-20-2011, 10:52 AM   #14
m3phisto
Member
 
Registered: Mar 2010
Posts: 47

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jdkaye
You left out the -R switch in the chattr command.
jdk
jeg.JPG is a file so i thought i don't need the -R
and druuna also left it out for this file
 
Old 01-20-2011, 11:07 AM   #15
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2387
Hi,
Quote:
Originally Posted by jdkaye
You left out the -R switch in the chattr command.
The -R is for recursive, not needed on a regular file.

@m3phisto: You started out by saying that your box could have been compromised. Maybe the one that did this not only changed the attributes of certain files, but also did other stuff to your box. The chattr command itself could have been compromised and who knows what else was done.

Although it is probably best to reinstall your box and start fresh, you could try running from a live cd and use those executables to change the extended permissions. But without knowing what else was done to your box I would not feel comfortable using it again.

If you are interested in possibly finding out if chattr was compromised try the following:
Code:
file $(which chattr)
It should be an ELF executable, dynamically linked.
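
Added example, not part of the thread and not any poster's code: a small shell sketch of the two checks discussed above, reading the ELF magic bytes of chattr directly instead of trusting file(1), and listing which paths in `lsattr -R` output still carry the i or a flag. The function names `is_elf` and `locked_paths` are hypothetical, and the sample input is constructed from the lsattr lines posted earlier.

```bash
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# is_elf PATH: succeed only if PATH starts with the ELF magic 7f 45 4c 46.
# The bytes are read with od, so the answer does not depend on file(1).
is_elf() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# locked_paths: read `lsattr -R` output on stdin and print every path whose
# attribute field contains i (immutable) or a (append-only). Those two flags
# are what make rm fail with "Operation not permitted" even for root.
locked_paths() {
    while read -r attrs path; do
        case "$attrs" in
            ""|*[!A-Za-z-]*) continue ;;   # blank lines and "./dir:" headers
        esac
        case "$attrs" in
            *[ia]*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample: the two lsattr lines from the thread plus a directory
# header and a blank line, as `lsattr -R` would emit them.
SAMPLE='------------- ./wumt.westernunion.com
suS-iadAcj--- ./jeg.JPG

./wumt.westernunion.com:
------------- ./wumt.westernunion.com/WUCOMWEB'

echo "Paths still locked after chattr:"
printf '%s\n' "$SAMPLE" | locked_paths

# Check the chattr found on PATH, if there is one.
if chattr_path=$(command -v chattr); then
    if is_elf "$chattr_path"; then
        echo "$chattr_path: ELF magic present"
    else
        echo "$chattr_path: NOT an ELF file"
    fi
fi
```

The ELF check only catches a replacement by a script or wrapper; a trojaned binary is still ELF, so running the tools from a live CD remains the stronger test.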
 
  

