Site definitely hacked. Can't delete files to restore backup.
Please have a look at my previous thread to get more details on my problem: http://www.linuxquestions.org/questi...mitted-800340/
I've discovered that after restoring my site's backup this has happened to me again. If someone could just help me to delete the hacked /home/crocbits directory so that I can restore the backup under the same username. When I try to delete /home/crocbits I get this message when logged in as root: Quote:
Hi.
Could you post the output from the following:

# ls -l crocbits/public_html/makepoll.php
# ls -ld crocbits/public_html
# lsattr crocbits/public_html/makepoll.php
# lsattr -d crocbits/public_html/

Dave
Here you go: Quote:
Jean
Hi again.
There's the beastie. You've got 'append only' set on the directory, so you can't remove files. Do:

# chattr -a /home/crocbits/public_html/

as root and you should be good to go.

Dave
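An added example, not part of the thread: a POSIX shell filter that reads lsattr output and lists every entry carrying the append-only (a) or immutable (i) attribute, so that everything under the account that would block deletion can be seen before running chattr. The listing in sample_lsattr is constructed, and the function names find_locked and sample_lsattr are hypothetical.

```shell
#!/bin/sh
# Added example: flag entries that carry the append-only (a) or immutable (i)
# attribute in lsattr output. Either one stops root from deleting files.

# Constructed sample in the format printed by `lsattr -R` (not real output
# from the thread): flag field, one space, path; blank lines and "dir:"
# headers appear between directories.
sample_lsattr() {
    cat <<'EOF'
-------------e-- /home/crocbits/public_html/index.php
-----a-------e-- /home/crocbits/public_html

/home/crocbits/public_html/old uploads:
----i--------e-- /home/crocbits/public_html/old uploads/a b.php
----ia-------e-- /home/crocbits/public_html/old uploads/c.php
EOF
}

# find_locked: read lsattr output on stdin and print "<attrs><TAB><path>"
# for each entry with 'a' and/or 'i' set. Matching is case-sensitive, so
# 'A' (no atime updates) and 'I' (indexed directory) are not reported.
find_locked() {
    while IFS= read -r line; do
        # An entry line always has a flag field, a space, then the path.
        case $line in *' '*) ;; *) continue ;; esac
        attrs=${line%% *}   # flag field, e.g. -----a-------e--
        path=${line#* }     # rest of the line; the path may contain spaces
        # Assumption: the flag field is at least 8 characters of letters
        # and dashes. This rejects "dir:" headers and stray messages.
        case $attrs in *[!A-Za-z-]*) continue ;; esac
        [ "${#attrs}" -ge 8 ] || continue
        hit=
        case $attrs in *a*) hit=a ;; esac
        case $attrs in *i*) hit=${hit}i ;; esac
        if [ -n "$hit" ]; then
            printf '%s\t%s\n' "$hit" "$path"
        fi
    done
}

# Demo on the constructed sample. On a live system, as root:
#   lsattr -Ra /home/crocbits 2>/dev/null | find_locked
sample_lsattr | find_locked
```

Each reported path needs the matching `chattr -a` or `chattr -i` before it can be removed.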
Can I ask why you think you've been cracked? At this point you've presented no evidence in either thread. However, if you have some evidence that you have been cracked, then merely replacing the problematic directory is not going to help you much. You need to investigate the source of the problem.
As you've found out the hard way deleting the directory and restoring from backup gets you exactly nowhere. You need to find out what happened. For that you best start by verifying your OS installation, your web stack configuration (meaning of any Internet-facing or supporting services), and your system and daemon log files.
And run rkhunter and chkrootkit, there could be a rootkit there.