I'm running Red Hat 7.1 and I'm almost a complete beginner in that OS.
3 months ago my machine was
hacked and the hacker was running "mirkforce" on it. I've tried to
do my best to prevent this in the future:
1. I changed the passwords of all users (root, me and one of my colleagues)
2. I stopped all services I don't know the purpose of
3. I put a simple script in /etc/profile that sends me an email when somebody logs into the system
4. I tried to download new rpms from ftp.redhat.com to upgrade the system.
The problem is that the hacker somehow uploaded mirkforce again in
/usr/include/.t/mf/mirkforce. My script sent me an email
that somebody was logging in as root, but the "who" command in the script
had empty output for that user. I think that the hacker uses some back door in apache or wu-ftpd. I succeeded in upgrading the apache server, but when I tried to do the same for the ftp server I received this result:
[root@acstre petko]# rpm -U wu-ftpd-2.6.1-16.7x.1.i386.rpm
warning: /etc/ftpaccess saved as /etc/ftpaccess.rpmorig
warning: /etc/ftpconversions saved as /etc/ftpconversions.rpmorig
warning: /etc/ftpgroups saved as /etc/ftpgroups.rpmorig
warning: /etc/ftphosts saved as /etc/ftphosts.rpmorig
warning: /etc/ftpusers saved as /etc/ftpusers.rpmorig
warning: /etc/logrotate.d/ftpd saved as /etc/logrotate.d/ftpd.rpmorig
warning: /etc/pam.d/ftp saved as /etc/pam.d/ftp.rpmorig
warning: /etc/xinetd.d/wu-ftpd created as /etc/xinetd.d/wu-ftpd.rpmnew
error: can't rename /usr/sbin/in.ftpd to /usr/sbin/in.ftpd-RPMDELETE: Operation not permitted
error: unpacking of archive failed on file /usr/sbin/in.ftpd: cpio: unlink failed - Operation not permitted
I tried to remove /usr/sbin/in.ftpd manually but the result was the same:
[root@acstre petko]# ls -l /usr/sbin/in.ftpd
-rwxr-xr-x 1 bin bin 173916 Mar 18 19:03 /usr/sbin/in.ftpd
[root@acstre petko]# rm -f /usr/sbin/in.ftpd
rm: cannot unlink `/usr/sbin/in.ftpd': Operation not permitted
I hope somebody will help me with a suggestion about what to do.
With best regards
It seems I'm affected by an "LKM Trojan".
Maybe I have to reinstall the system.
"Yes, they used the extra attributes of the Linux e2fs. lsattr lists the extra attributes, and chattr changes them. The man pages for these two commands should help you solve the problem."
Thanks to Jan van Rensburg for the help.
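As an added example (not code from the original post or from Jan's reply): a small POSIX sh filter that reads lsattr output and reports every file carrying the immutable (i) or append-only (a) attribute, the flags that make rm and rpm fail with "Operation not permitted" even for root, as happened with /usr/sbin/in.ftpd above. The lsattr lines in SAMPLE are constructed, and the function name report_locked_attrs is this example's own.

```shell
#!/bin/sh
# Report files whose ext2/ext3 attributes include immutable (i) or
# append-only (a). Those flags, set with chattr, are what stop rm and
# rpm from unlinking a file even as root, so scanning for them is a
# quick post-intrusion check before replacing system binaries.
# Input:  lsattr(1) lines of the form "<flags> <path>" on stdin.
# Output: one "<i|a|ia> <path>" line per affected file; other lines
#         (directory headers from lsattr -R, blank lines) are ignored.
report_locked_attrs() {
    while IFS= read -r line; do
        flags=${line%% *}        # first field: attribute string
        path=${line#* }          # remainder: the path (may contain spaces)
        # A line with no space (e.g. "/usr/sbin:" from -R) carries no path.
        if [ "$flags" = "$line" ]; then
            continue
        fi
        hit=""
        case $flags in *i*) hit="${hit}i" ;; esac   # lowercase i = immutable
        case $flags in *a*) hit="${hit}a" ;; esac   # lowercase a = append-only
        if [ -n "$hit" ]; then
            printf '%s %s\n' "$hit" "$path"
        fi
    done
    return 0
}

# Constructed sample in lsattr format (not real output from the poster's host).
SAMPLE='/usr/sbin:
-------------e-- /usr/sbin/in.telnetd
----i--------e-- /usr/sbin/in.ftpd
-----a-------e-- /var/log/wtmp
-------------e-- /usr/sbin/httpd'

printf '%s\n' "$SAMPLE" | report_locked_attrs

# On a live host with e2fsprogs installed, feed real output instead:
#   lsattr -R /usr/sbin /usr/bin /lib 2>/dev/null | report_locked_attrs
# A flagged binary can then be checked against the package database
# (rpm -V <package>) and, once a clean replacement is at hand, unlocked
# with chattr -i <path> so the upgrade can proceed.
```

Running the block as written prints "i /usr/sbin/in.ftpd" and "a /var/log/wtmp"; the directory header and the two unflagged binaries are skipped.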