Hi, My server was trojaned recently, not sure how. It looks like /bin/ps was modified or replaced with a trojan. The /root/.bash_history file is set to this:
chsslx1:~# ls -la .bash_history -rw-r--r-- 1 root root 0 Nov 7 05:31 .bash_history and I can't edit it or delete it. It looks like its linked somewhere: chsslx1:~# rm .bash_history rm: remove write-protected file `.bash_history'? y rm: cannot unlink `.bash_history': Operation not permitted First off, nothing to much was compromised. Only /etc/samba/* was wiped. (There may be more stuff but haven't detected yet) It seems that the only way to recover is to re-install? Is there a way to find out why the .bash_history is linked in someway? How does this happen in the first place? Does someone need to steal the root password and login and plant the trojan, or could this be remotely exploited through a security hole in one of my installed packages? I don't understand how files can get overwritten with out manually doing it. Any adive is appreciated! Thanks Mike ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]