Re: Cannot delete file

[Brian Ashe <rhlist dee-web com>]

redhat sati bps metta lk,

On Thursday November 21, 2002 01:01, redhat sati bps metta lk wrote:
> Hi all,
>
> I have been hacked!
> It is clear that I need to reinstall.
>
> I would like to make use of this to learn a bit of what has happened to my
> server.
>
> My /bin/login has been made 0 bytes
>
> I fixed the hard-disk into another machine
> login as root in that machine
> mount the hacked hard disk and have access to the hard-disk.
>
> ls -tral gives me a series of files that has been changed.
>
> a few of them are
> /bin/df
> /bin/du
> /bin/ftp
> /bin/login
>
> I try to delete the files and get the warning
> "do you want to delete write protected file (Y/n)"
> I say Yes and the answer is
> "Sorry I am unable to unlink the file"
> and the file is not deleted.
>
> Any one who can help me to understand that message
>
> the permission on the file is
> -rwxr-xr-x
> and I am root on the machine.
>
> Is it because a hard-link has been made to the file in some directory
> which I first have to find and delete ?
>
> Well, Just to learn a bit more.

man lsattr
man chattr

The usual tactic is to make the files "immutable". It is at the file system 
level and that's why root can't do anything about it. Well, at least until 
the immutable flag is cleared.

-- 
Brian Ashe                                                     CTO
Dee-Web Software Services, LLC.                  rhlist dee-web com