I missed the part about these were dirs and not files.
The dir names may have nonprinting characters so your work to change things
is failing on wrong name.
At this point you need to replace the drive or it's contents. Unless you
can work at the inode level to wipe very specific bits, the level of effort
exceeds realistic time frames. As long as those dirs exist, you're running
a compromised system.
On Mar 21, 2012 8:28 AM, "Barry Cisna" <cisna-barry@wc23...> wrote:
> Hello All,
> I did try the dd if,,, of as suggested in a post to change file
> size,,etc. After doing this routine i still get 'permission denied,,when
> trying to delete each file after the convert.
> SELinux is still disabled as before.
> Nothing is ever shown in any logs ,either system or secure,,,when trying
> to rm a file.
> It seems the key in this is, when I try and create a blank text file and
> save to either of the libsh(rootkit) dirs I get 'bad file descriptor',
> very odd?
> Not that it makes any diff,,but of course in searching the logs I did
> find the ip address that dropped in this rootkit was from China,
> Thanks again,
> K12OSN mailing list
> K12OSN@redh... > https://www.redhat.com/mailman/listinfo/k12osn > For more info see <http://www.k12os.org> >