Linux Server Compromised - now I can't delete or rename (2) files
Posted on 2011-04-18
I recently had a client have their Linux box compromised due to a globally open SSH port and a weak root password.
After the compromise, a CRON job was left running every minute that started a process that logged the server into an IRC channel in order to become part of a BOTNET or some other such situation. Regardless, I was able to kill all processes related to this by killing the CRON process and all of the processes that were spawned by this.
I have (2) things left to clean up: the CRONTAB file still holds entries in it for starting a specific process named "/bin/f" , and I am UNABLE to modify the CRONTAB file (access is denied) and I am UNABLE to delete / rename the file "/bin/f". The files permissions are as follows:
-rw-r--r-- 1 root root 283 Apr 17 01:59 crontab
-rwxr-xr-x 1 root root 885401 Feb 18 01:19 f
I have tried to CHMOD the files, and I get "changing permissions of "f": Operation not permitted.
I have tried to CHOWN the files, and I get the same thing: Operation not permitted.
Can someone tell me what I have to do to get rid of these files? I have looked at processes running with ps -aux and I don't see anything running "/bin/f" anymore, and there are no crontab processes running, so I don't think that "/etc/crontab" is being held open.
All of the volumes are ext3 file systems, here is the output of mount:
/dev/sda5 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda3 on /var/log type ext3 (rw)
/dev/sda2 on /var/lib/mysql type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)