
barnea10 04-18-2011 09:22 AM

Removing symbolic links - directory
 
Hi,
I have a hacking attack on my server
where someone tried to implement shell
and scripts;
also, in a directory he placed a symbolic link to my root.

I tried to remove it with rm directotyname
but it gave me:
> rm directotyname
rm: cannot remove directory `directotyname': Is a directory

How can I remove the symbolic link and make sure it will not happen again?


Thanks!

TB0ne 04-18-2011 09:38 AM

Quote:

Originally Posted by barnea10 (Post 4328040)
Hi,
I have a hacking attack on my server where someone tried to implement shell and scripts; also, in a directory he placed a symbolic link to my root.

I tried to remove it with rm directotyname but it gave me:
> rm directotyname
rm: cannot remove directory `directotyname': Is a directory

How can I remove the symbolic link and make sure it will not happen again?
Thanks!

You can read the man pages for rm and rmdir. Either type in "rm -fR <directory name>" or "rmdir <directory name>".

As far as making sure it won't happen again, there's no way for us to answer that, based on what you posted. You don't tell us the version/distro of Linux, the network environment, where the attack came from (or even provide proof there WAS an attack), and what you've done/tried so far. There are several threads on this site that deal with hardening a Linux system, as well as many general guides you can follow/find via Google.

barnea10 04-18-2011 10:32 AM

Quote:

Originally Posted by TB0ne (Post 4328059)
You can read the man pages for rm and rmdir. Either type in "rm -fR <directory name>" or "rmdir <directory name>".

As far as making sure it won't happen again, there's no way for us to answer that, based on what you posted. You don't tell us the version/distro of Linux, the network environment, where the attack came from (or even provide proof there WAS an attack), and what you've done/tried so far. There are several threads on this site that deal with hardening a Linux system, as well as many general guides you can follow/find via Google.

When I try to


rmdir directory
I get -
rmdir: directory: Directory not empty

TB0ne 04-18-2011 12:24 PM

Quote:

Originally Posted by barnea10 (Post 4328107)
When I try to


rmdir directory
I get -
rmdir: directory: Directory not empty

Ok...what part of that is unclear? The directory is not empty...so EMPTY IT.

Either go into the directory, and remove the files, or AGAIN, read the man pages for rm and rmdir. As I told you in my first reply, "rm -fR <directory name>" will remove it.

barnea10 04-18-2011 03:18 PM

Quote:

Originally Posted by TB0ne (Post 4328262)
Ok...what part of that is unclear? The directory is not empty...so EMPTY IT.

Either go into the directory, and remove the files, or AGAIN, read the man pages for rm and rmdir. As I told you in my first reply, "rm -fR <directory name>" will remove it.

Thanks for your patience...

The directory is acting as a symbolic link.
Will it be safe to strongly remove it?
Will it harm the server that is pointed to from it?
How can I empty it?
It doesn't contain anything; when I click it I see all my root server directories.

TB0ne 04-18-2011 04:18 PM

Quote:

Originally Posted by barnea10 (Post 4328437)
Thanks for your patience...

The directory is acting as a symbolic link. Will it be safe to strongly remove it? Will it harm the server that is pointed to from it?
How can I empty it? It doesn't contain anything; when I click it I see all my root server directories.

Again, read the man pages for rm and rmdir. And if it's just a symbolic link, you'll just remove the link. However if you read the man pages for the ln command, it *MIGHT* hurt something, depending on how the link was made.

Once more, read the man pages. In my opinion, if you think your server has been compromised, your best course of action is:
  • Unplug it
  • Format the drives
  • Reinstall the OS
  • Reinstall any applications from scratch.
  • Reload ONLY application data from backups
  • Examine EVERYTHING after you're back online.
Doing a piecemeal 'recovery' is, 99% of the time, pointless. However you were compromised, the attacker still has that avenue available to them. Unless you identify what happened and how, you may as well not bother.
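
Added example, not part of any post in this thread: before running a recursive delete on an entry that shows the contents of `/`, check what the entry really is. `rm` removes a symbolic link itself when the name is given without a trailing slash, and it reports "Is a directory" only when the path resolves to a directory. The helper names `classify_path` and `safe_unlink` are hypothetical.

```shell
# classify_path PATH: print symlink, mountpoint, directory, file or missing.
classify_path() {
    p=${1%/}                       # strip a trailing slash so the link itself is tested
    [ -n "$p" ] || p=/
    if [ -L "$p" ]; then
        echo symlink
    elif [ -d "$p" ]; then
        # a bind mount of / also lists the root tree but is not a link
        if command -v mountpoint >/dev/null 2>&1 && mountpoint -q -- "$p"; then
            echo mountpoint
        else
            echo directory
        fi
    elif [ -e "$p" ]; then
        echo file
    else
        echo missing
    fi
}

# safe_unlink PATH: remove PATH only if it is a symlink; never recurse.
safe_unlink() {
    p=${1%/}
    kind=$(classify_path "$p")
    case $kind in
        symlink)
            printf 'removing link %s -> %s\n' "$p" "$(readlink -- "$p")" >&2
            rm -- "$p"             # no -r and no trailing slash: only the link goes
            ;;
        *)
            printf 'refusing: %s is a %s, not a symlink\n' "$p" "$kind" >&2
            return 1
            ;;
    esac
}
```

If the result is `mountpoint` or `directory`, a recursive `rm` would descend into whatever is visible there, so the entry needs to be unmounted or inspected rather than deleted.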

