LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-18-2006, 09:43 PM   #1
macushk
LQ Newbie
 
Registered: Oct 2006
Posts: 7

Rep: Reputation: 0
Root delete files problems


My home server has been hacked; someone put some php shell files in /var/www/html. But I can't remove those files even though I am root.
How do I remove those files!?
I have tried to use chattr and rm -f, but it still shows "Permission denied".
How do I fix it!?
 
Old 10-19-2006, 03:22 AM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Hi,

And welcome to LQ!

The question really belongs in our security forum.

As for the deletion: is the partition that /var/www resides on mounted read-only,
or do you not have write permissions on the directory?


Cheers,
Tink
 
Old 10-19-2006, 03:29 AM   #3
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 10-19-2006, 06:05 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hello and welcome to LQ. Sad to see it had to be on such an occasion.

My home server has been hacked
Then act accordingly. A compromised box needs to be reinitialised. Don't try to "fix" or "restore" unless you have the expertise to determine how serious the breach of security is.
1. Please read the first two docs first:
- Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
- Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
- LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261

2a. After that:
- shut down the box and only reboot it (for making backups) using a Live CD
- Back up /etc, /home for reference purposes only (not restore). Do not back up binaries. Back up temp dirs and /var if you want to peruse the logs and auth info.
- Repartition, reformat, re-install from scratch.
- Harden.

2b. If you OTOH want us to help you determine how serious the breach of security is, post the following information. Please answer as fast as possible, do not skip questions, post exact results and *then* shut down the box (only to be booted again using a Live CD):
- purpose of the box?
- date of incident?
- distro+release+kernel?
- do you make regular backups?
- do you run a file integrity checker like Aide, Samhain or tripwire and if so what does a check say? If not, what does your distro's package manager say if you verify packages?
- do you run Chkrootkit or Rootkit Hunter and if so what does a check say?
- do you run an IDS?
- What anomalies can you see in system, daemon and firewall logs?
- What accessible software was installed and was it up to date?
- What services were running at the time of compromise?
- Did you find any setuid root files in temp dirs?
- Can you see any activity from user shell history files?
- What does "lsof -n" say?
- And "ps axfwwwe"

For any logs larger than 10 lines please tarball them up and provide a download location.
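The procedure unSpawn lays out above (capture the live state the questions ask for, shut down, then inspect and back up from a Live CD), together with the immutable-attribute problem behind the original question, as an added shell example. This is not code from the thread or from LinuxQuestions; the mount point /mnt/victim, the evidence directory /mnt/usb/evidence, the helper names and the sample lsattr lines are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from LQ. Helpers for the
# situation macushk describes: files under /var/www/html that root cannot
# remove, on a box that needs to be triaged and then rebuilt. Hypothetical
# paths: the victim disk is mounted read-only at /mnt/victim, evidence goes
# to /mnt/usb/evidence (separate media).

# Why "rm -f" fails even for root: the ext2/ext3 attributes "i" (immutable)
# and "a" (append-only) block deletion for everyone until a root process
# clears them with chattr. Read lsattr output on stdin and print
# "<flags> <path>" for each entry carrying either flag, so the files can be
# recorded as evidence before anything is changed.
find_locked_attrs() {
    awk 'NF >= 2 {
        flags = $1
        if (index(flags, "i") > 0 || index(flags, "a") > 0) {
            sub(/^[^ \t]+[ \t]+/, "")   # drop the flag column, keep the path intact
            print flags, $0
        }
    }'
}

# While the box is still up: capture the views unSpawn asks for (process
# tree with environment, open files and sockets, listening ports) into $1,
# then shut the machine down.
live_snapshot() {
    out="$1"
    mkdir -p "$out"
    ps axfwwwe > "$out/ps_axfwwwe.txt" 2>&1
    lsof -n > "$out/lsof_n.txt" 2>&1
    netstat -tulpn > "$out/netstat_tulpn.txt" 2>&1 || ss -tulpn > "$out/ss_tulpn.txt" 2>&1
    date > "$out/collected_at.txt"
}

# From the Live CD, with the victim filesystem mounted read-only at $1:
# record attributes and checksums of the web root and copy /etc, /home and
# the logs to $2 for reference only (never restore from them).
offline_snapshot() {
    root="$1"; out="$2"
    mkdir -p "$out"
    lsattr -R "$root/var/www/html" > "$out/lsattr_webroot.txt" 2>/dev/null
    find_locked_attrs < "$out/lsattr_webroot.txt" > "$out/locked_files.txt"
    find "$root/var/www/html" -type f -exec sha256sum {} + > "$out/webroot.sha256" 2>/dev/null
    tar -C "$root" -czf "$out/etc_home_logs.tgz" etc home var/log 2>/dev/null
}

# Constructed sample of lsattr output (not real data): one immutable file,
# one append-only file, and an ordinary file that must not be reported.
SAMPLE_LSATTR='----i--------e-- /var/www/html/shell.php
-----a-------e-- /var/www/html/upload.log
-------------e-- /var/www/html/index.html'

locked_demo() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_locked_attrs
}

# Usage from the Live CD (hypothetical paths):
#   live_snapshot /mnt/usb/evidence/live                  # before shutdown
#   offline_snapshot /mnt/victim /mnt/usb/evidence/offline
locked_demo
```

Running the demo prints only the two flagged entries. The point of `locked_files.txt` and `webroot.sha256` is that the list and hashes of what the intruder left behind survive the rebuild, which is exactly what is lost when the files are simply chattr'd and deleted.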
 
Old 10-22-2006, 09:44 AM   #5
macushk
LQ Newbie
 
Registered: Oct 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks a lot.
I have used the rescue CD to mount the system.
I have used chattr to modify the flag of the files and deleted them.
However, I found a strange process "local -t unix" with the command "ps ax".
What's that process?? Backdoor process??
I have tried to use chkrootkit and rkhunter to check the system again and all passed.
Moreover, I have checked the listening ports of my system and all seem to be working normally.
Is this all finished??
 
Old 10-23-2006, 05:55 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I have used chattr to modify the flag of the files and deleted them.
Flushing "evidence" down the drain. That is soo cool (not).


However, I found a strange process "local -t unix" with the command "ps ax".
What's that process?? Backdoor process??

I asked you to post certain information and in a certain way. Not posting complete information can lead to speculation and giving partial or generic advice. So, thanks for helping us help you.


Moreover, I have checked the listening ports of my system and all seem to be working normally.
Is this all finished??

For you it is, yes. Here's your generic advice: go repartition, reformat, reinstall from scratch, then harden the box properly.
 
All times are GMT -5.