[EMAIL PROTECTED], On Thursday November 21, 2002 01:01, [EMAIL PROTECTED] wrote: > Hi all, > > I have been hacked! > It is clear that I need to reinstall. > > I would like to make use of this to learn a bit of what has happened to my > server. > > My /bin/login has been made 0 bytes > > I fixed the hard-disk into another machine > login as root in that machine > mount the hacked hard disk and have access to the hard-disk. > > ls -tral gives me a series of files that has been changed. > > a few of them are > /bin/df > /bin/du > /bin/ftp > /bin/login > > I try to delete the files and get the warning > "do you want to delete write protected file (Y/n)" > I say Yes and the answer is > "Sorry I am unable to unlink the file" > and the file is not deleted. > > Any one who can help me to understand that message > > the permission on the file is > -rwxr-xr-x > and I am root on the machine. > > Is it because a hard-link has been made to the file in some directory > which I first have to find and delete ? > > Well, Just to learn a bit more.
man lsattr man chattr The usual tactic is to make the files "immutable". It is at the file system level and that's why root can't do anything about it. Well, at least until the immutable flag is cleared. -- Brian Ashe CTO Dee-Web Software Services, LLC. [EMAIL PROTECTED] -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe https://listman.redhat.com/mailman/listinfo/redhat-list
