Some hack script suddenly appeared in the /root directory of my VPS. Let's call it “badscript”
-rwxr-xr-x 1 root root 1.2M Jul 18 12:34 badscript
but I can't delete it or chown it, even as root…
rm: cannot remove `badscript': Operation not permitted
chown: changing ownership of `badscript': Operation not permitted
Size: 1189151 Blocks: 2336 IO Block: 4096 regular file
Device: 57h/87d Inode: 17932822 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-07-29 16:51:30.000000000 -0400
Modify: 2014-07-18 12:34:49.000000000 -0400
Change: 2014-07-29 16:51:25.000000000 -0400
Please, any idea how to block the person who added this script to my Linux Red Hat server?
The “last” command shows only my regular IPs, no stranger IP.
And how do I remove that script? Thank you.
I’d change the root password, stat.
The hacker must have it in order to write to that folder
I’d also reboot into single-user mode, in case there is some kind of zero-day privilege escalation bug.
Is the server fully updated?
I changed the root password, and the server has no extra users, only those created during the Apache and MySQL install.
I have a feeling that the server is compromised somehow from inside, not from outside by someone logging in via SSH; the root password was a safe one.
The script was running like:
Then check the output from:
If you see an “a” in the badscript extended attributes, like this:
it’s flagged as “append only” … so run:
chattr -a badscript
to remove the append-only extended attribute flag.
Now try deleting it.
An “i” flag (in the lsattr output) denotes the file is flagged as “immutable” … so remove that with:
chattr -i badscript
or both at the same time with:
chattr -i -a badscript
Info on extended attributes can be found here:
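A defender-side check for the same problem, added here as an example that is not part of the thread: the function parses lsattr output (real output piped in, or the constructed sample below) and reports every file carrying the “i” or “a” flag, then prints the chattr line that clears them. The lsattr line layout and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report files whose ext attributes
# include 'i' (immutable) or 'a' (append-only). Both make rm/chown fail
# with "Operation not permitted" even for root until cleared with chattr.
#
# Feed it real output:   lsattr -R /root 2>/dev/null | find_locked_attrs
# Assumed lsattr line layout: "<flags> <path>", e.g. "----i--------e-- /root/badscript"

find_locked_attrs() {
    # Print "<flags> <path>" for every input line whose flag field has i or a.
    # The path is taken from after the first space so names with spaces survive.
    awk '
        /^[-a-zA-Z]+ / {
            flags = $1
            path  = substr($0, length(flags) + 2)
            if (index(flags, "i") > 0 || index(flags, "a") > 0)
                print flags " " path
        }
    '
}

clear_cmd() {
    # The fix from the answer above: drop both flags, then rm works (run as root).
    printf 'chattr -i -a %s\n' "$1"
}

# Constructed sample of lsattr -R output; the paths are made up for the demo.
SAMPLE='----i--------e-- /root/badscript
-------------e-- /root/.bashrc
-----a-------e-- /root/.bash_history
-------------e-- /root/notes.txt'

# Demo run: lists badscript (i) and .bash_history (a), then the chattr to clear each.
printf '%s\n' "$SAMPLE" | find_locked_attrs | while read -r flags path; do
    echo "locked: $flags $path"
    clear_cmd "$path"
done
```

Run it against real lsattr output first and read the list before clearing anything: an append-only flag on a log file may be deliberate hardening rather than an intruder's work.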
thx, when I run lsattr it shows:
cat /etc/passwd | grep root
Also, thanks to the command:
find /root -type f -name "*" -mtime -48
I found some modified files, among them:
killall -9 httpd
killall -9 pickup
killall -9 qmgr
killall -9 proftpd
killall -9 xinetd
chmod +x badscript
chattr +i badscript
killall -9 sshpa
(I replaced the IP with asterisks)
Please, any ideas? I already changed the root password, and it's not a guessable one…
See my edit above.
chattr -i badscript
(run as root)
then you should be able to delete it
Yes, thx, I already eliminated that script thanks to your command.
Please, any other advice regarding the things I posted before?
Any ideas about what ?
Here’s an idea … recover from a known clean backup, then firewall off any SSH ports unless accessed over an OpenVPN connection authenticated by certificate.
If you could post a copy of “badscript”, we could comment more?
Here is the link to VirusTotal.com analysis of the file: http://pastebin.com/mtMshTwR
It's an unreadable file; the code looks like some .exe or something.