Hello All,

One of our older ftp servers centos 5 got hit with the shv4 rootkit,,,as
I had left ssh running mistakenly for a couple days.
Long story short I simply can not delete the two main dirs that are
created by the rootkit. Those being:
lib/libsh  and /usr/lib/libsh.so.

I know the immutable bit has not been set on these dirs or the files
within. I did do an chattr -i /dir/files on the dirs just to make sure
as well. Even changing file perms to root-root the dirs and files within
can not be deleted.

I noticed when trying to rm /lib/libsh/filexyz it always comes back with
"Operation not permitted". I also notice at the end of each file name
there is the ' character. Does anyone have any idea what the ' character
suggests?

I know,I should simply reformat the box with something newer but I am
just trying to figure out firstly why the files are un-deletable.
I am going to plop in a deft live cd and see if I can delete the files
this way. Haven't had a chance to try this yet.

Thanks,
Barry Cisna


_______________________________________________
K12OSN mailing list
K12OSN@redh...
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>