LinuxQuestions.org
Linux - Security This forum is for all security related questions.
03-04-2004, 01:48 AM   #1
trubi (Distribution: RedHat 7.3 (Valhalla))
Hacked sshd, and can't delete it ?!?!


Hi

Our server (RedHat 7.2) was somehow hacked via ftp, and the intruder just replaced sshd with his own, and ssh and telnet are not available.
The problem is that I cannot delete his sshd to replace it with mine (a working one).

It says that I do not have the privileges to do this (the process is stopped and I'm root).

Any help and suggestions?

Thanks in advance
 
03-04-2004, 01:57 AM   #2
unSpawn (Moderator)
Try to netstat and ps your processes for future reference, then drop to runlevel 1; this will kill users, daemon processes and network (the regular ones, not rogue processes). Use lsof to see what files are opened to get a grip on the location, and list your modules. If nothing insane turns up, then you probably run an LKM. In any case it's now time to kill the box.

Kill the box and DO NOT power on again. Use a bootable CD like KNOPPIX, FIRE or PSK to investigate, or add the HD to another machine and mount it read-only. If you need the box up, save the auth files and all logfiles, then make a dd copy for future reference. Make sure to wipe the WHOLE disk: repartition, reformat and reinstall from scratch. Don't copy over binaries or stuff that isn't human readable. Don't use a restore from backup unless you've got external (untampered) means of verifying the backup is sane.

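The volatile-state snapshot unSpawn describes (ps, netstat, lsof, loaded modules) has to be taken before dropping to runlevel 1 or powering off, because that is the only moment the rogue sshd's PID, listening port and open files can still be observed. The script below is an added example, not code from the thread or from LinuxQuestions; it assumes a writable evidence directory (ideally removable media) passed as the first argument, records each command's output as a separate file, and writes a manifest noting which tools were missing instead of aborting.

```shell
#!/bin/sh
# Added example (not from the thread): capture volatile state to an
# evidence directory before the suspected-compromised box is shut down.
# Assumption: $1 is a writable directory, preferably on removable media.

# run_and_save NAME CMD [ARGS...]: store CMD's output as $evdir/NAME.txt
# and record the outcome in the manifest. Missing tools are logged as
# skipped so one absent binary does not stop the collection.
run_and_save() {
    name="$1"; shift
    out="$evdir/$name.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$name: skipped ($1 not installed)" >> "$manifest"
        return 0
    fi
    if "$@" > "$out" 2>&1; then
        echo "$name: ok ($*)" >> "$manifest"
    else
        echo "$name: failed ($*), see $out" >> "$manifest"
    fi
}

# collect_volatile EVDIR: gather the items unSpawn lists, plus a few that
# help later correlation (time, kernel, logged-in users, mounts).
collect_volatile() {
    evdir="$1"
    mkdir -p "$evdir" || return 1
    manifest="$evdir/MANIFEST.txt"
    : > "$manifest"

    run_and_save date     date
    run_and_save uname    uname -a
    run_and_save ps       ps auxww
    run_and_save netstat  netstat -anp
    run_and_save lsof     lsof -n -P
    run_and_save lsmod    lsmod
    run_and_save who      who
    run_and_save mounts   cat /proc/mounts

    # Hash the suspect binary so it can be compared later against the copy
    # in a known-good package. Path is the usual RedHat location (assumed).
    if [ -f /usr/sbin/sshd ]; then
        run_and_save sshd_hash sha256sum /usr/sbin/sshd
    fi
    return 0
}

# Usage:  sh collect.sh /mnt/usb/evidence
if [ "${1:-}" != "" ]; then
    collect_volatile "$1" && cat "$1/MANIFEST.txt"
fi
```

Everything here runs the system's own binaries, which on a box with a replaced sshd may themselves be trojaned; that is exactly why the thread says to follow up with a dd image from a boot CD rather than trusting this output alone. The snapshot is still worth having, because the dd image cannot show which process was listening on which port.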
 
03-04-2004, 09:05 PM   #3
chort (Senior Member)
The attacker probably changed the extended attributes on the sshd binary. IIRC you can do lsattr on the file to view its extended attributes, and chattr to change them. There *should* be helpful man pages with more information on each of the above (or do $ apropos attributes).

Like unSpawn said, at this point you're going to have to reinstall the OS from scratch to make sure you really eradicate the cracker. There are simply too many other ways the system could be tampered with and back-doored, so the only way to be sure is to fdisk and reinstall.
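A concrete way to confirm chort's diagnosis: the ext2/ext3 immutable (`i`) and append-only (`a`) attributes are what make a file undeletable even by root, and lsattr shows them as letters in the first field of its output. The script below is an added example, not code from the thread; it assumes lsattr from e2fsprogs is installed and parses the lsattr line itself, so the detection logic can be exercised on constructed input as well as on a live path.

```shell
#!/bin/sh
# Added example (not from the thread): spot the immutable/append-only
# attributes that prevent root from deleting or replacing a binary.
# Assumes e2fsprogs (lsattr) and an ext2/ext3-style filesystem.

# has_undeletable_flag LSATTR_LINE
# Returns 0 if the attribute field contains 'i' (immutable) or 'a'
# (append-only). A typical lsattr line looks like:
#     ----i--------e-- /usr/sbin/sshd
# Only the first whitespace-separated field is inspected, so letters in
# the path itself cannot cause a false match. Uppercase letters (A, I, E)
# are different attributes and are deliberately not matched.
has_undeletable_flag() {
    flags=${1%% *}
    case "$flags" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_path PATH: run lsattr on PATH and report. Exit status 0 = locked
# attribute present, 1 = clean, 2 = lsattr unavailable or the filesystem
# does not support attributes.
check_path() {
    command -v lsattr >/dev/null 2>&1 || return 2
    line=$(lsattr -d "$1" 2>/dev/null) || return 2
    if has_undeletable_flag "$line"; then
        echo "LOCKED  $line"
        return 0
    fi
    echo "clean   $line"
    return 1
}

# scan_sshd_paths: look at the places a replaced sshd and its config would
# normally live (paths assumed; adjust for the distribution).
scan_sshd_paths() {
    for p in /usr/sbin/sshd /usr/local/sbin/sshd /etc/ssh /etc/xinetd.d; do
        if [ -e "$p" ]; then
            check_path "$p" || :
        fi
    done
    return 0
}

# Usage:  sh attrcheck.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_sshd_paths
fi
```

If a system binary turns up LOCKED, note it in the evidence record before imaging: an immutable flag on sshd is itself an indicator of tampering, since packaging tools do not set it. `chattr -i` as root clears the flag, which is what lets the file be removed, but as both replies say, that only matters for cleanup of a disk that is about to be wiped and reinstalled anyway.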
All times are GMT -5. The time now is 09:53 AM.