Mike Egglestone wrote:
Hi,
My server was trojaned recently, not sure how.
It looks like /bin/ps was modified or replaced with
a trojan. The /root/.bash_history file is set to this:


chsslx1:~# ls -la .bash_history
-rw-r--r--    1 root     root            0 Nov  7 05:31 .bash_history

and I can't edit it or delete it.
It looks like it's linked somewhere:

chsslx1:~# rm .bash_history
rm: remove write-protected file `.bash_history'? y
rm: cannot unlink `.bash_history': Operation not permitted

First off, nothing too much was compromised. Only /etc/samba/* was wiped.
(There may be more stuff but haven't detected yet)
It seems that the only way to recover is to re-install?
Is there a way to find out why the .bash_history is linked in some way?

It wasn't linked in a way you think. (Generally) every file has at least one hard link to it; it's a hard link, and that's what you think of as the file. When you remove the file you call unlink and it removes the link; if it was the last link, the file is removed.


Hard links are the ones you see as files; soft links are the ones you see as links (when you do e.g. ls -l).

For more info: man ln

erik
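
The link count described in the reply above is the number printed right after the permission bits in `ls -l` (the `1` in the listing quoted in the question). As an added example, not part of either message: a small POSIX shell helper, with hypothetical function names, that reports whether a name is a symlink, how many hard links its inode has, and which other names under a directory share that inode.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).

# link_kind PATH: what the name itself is, without following symlinks.
link_kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo regular
    elif [ -d "$1" ]; then echo directory
    else echo other
    fi
}

# link_count PATH: hard-link count of the inode behind PATH.
# `ls -dli` prints: inode, mode, link count, owner, ... so it is field 3.
link_count() {
    out=$(ls -dli -- "$1") || return 1
    # Word splitting is intended here: we only need the leading fields.
    set -- $out
    echo "$3"
}

# other_names PATH ROOT: every name under ROOT that is a hard link to
# the same inode as PATH. -xdev keeps find on ROOT's filesystem, since
# hard links cannot cross filesystems.
other_names() {
    find "$2" -xdev -samefile "$1" -print 2>/dev/null | sort
}

# Demo on a constructed scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/history"                 # one name  -> link count 1
    ln "$d/history" "$d/second-name" # hard link -> link count 2
    ln -s history "$d/soft"          # symlink   -> separate inode
    echo "history: $(link_kind "$d/history"), links=$(link_count "$d/history")"
    echo "soft:    $(link_kind "$d/soft")"
    other_names "$d/history" "$d"
    rm "$d/history"                  # unlink one name; the data survives
    echo "after rm: links=$(link_count "$d/second-name")"
    rm -rf "$d"
}

demo
```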

