Hello,
I have posted to this user group with a similar
problem in the past and have had great help, but this one seems to be a new
problem:
It looks like the affected machine has been rooted
by a t0rn rootkit and then used to install a mail relay running on port 9020.
This guy was pretty bold and rather cheeky, even creating a directory in his
name in the root home directory. In this directory he seems to also have
left a file which seems to contain his hotmail address. This is only by the way.
The REAL problem I am having is this:
chkrootkit has given the following:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config /usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned /lib/security/.config

Now the following:

ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz

Also:

ns:/usr/lib/libsh# lsattr *
-------------- hide
ns:/usr/lib/libsh# lsattr .b*
-------------- .bash_history
-------------- .bashrc
ns:/usr/lib/libsh# lsattr .
-------------- ./utilz
-------------- ./hide

Now try to delete:

ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x  6 root root  4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .backup
-rw-------  1 root root   365 Aug 21 08:37 .bash_history
-rwxr-xr-x  1 root root  1206 Apr 18  2003 .bashrc
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .owned
drwxr-xr-x  2 root root  4096 Aug 22 19:24 .sniff
-rwxr-xr-x  1 root root  2039 Aug 22 20:28 hide
drwxr-xr-x  2 root root  4096 Aug 22 19:24 utilz

So it seems that the immutable attribute is not set
on either of these files, but they cannot be deleted. Also if I copy this
directory to another place it becomes "invisible", i.e. you don't see it with ls,
but you can change to it with cd. Make sense?
I have done a fresh re-install of all commands used
above. And I will be completely rebuilding the compromised box, but I am still
intrigued by this.
Anybody like to have a go?
Best regards,
Andreas
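The three symptoms in the post (no immutable bit on `hide` or `utilz`, root refused on `unlink`, and a copied directory that `ls` cannot see but `cd` can enter) are what a kernel-level rootkit produces when it filters `readdir()` results and rejects `unlink()` for its own files; reinstalling the userland binaries does not help because the lie is told by the kernel. (The dot-entries surviving `rm -rf *` is just the shell: `*` does not match dotfiles, so only `hide` and `utilz` were actually refused.) The script below is an added example, not code from the post or from chkrootkit: it implements the classic directory consistency check, comparing the subdirectory count implied by a directory's link count (2 + number of subdirectories on ext2/3/4, xfs and tmpfs) with what `readdir()` actually returns, plus a name probe that tests whether a path `stat()`s fine yet is missing from its parent's listing. The suspect paths are the two chkrootkit reported; the sample tree and the `listdir_hiding` helper are constructed so the hidden case can be exercised without a rootkit. A rootkit that also falsifies `stat()` link counts evades the first check, and filesystems that do not maintain the count (btrfs, merged overlayfs directories) report nlink 1 and are skipped.

```python
"""Added example: userland checks for directory entries hidden from readdir()."""
import os
import stat
import tempfile

# Paths reported by chkrootkit in the post; probed by name in their parent.
SUSPECT_PATHS = [
    "/usr/lib/libsh",
    "/lib/security/.config",
]


def link_count_discrepancy(path, listdir=os.listdir):
    """Return (expected_subdirs, visible_subdirs) for `path`, or None when
    the filesystem does not keep the '2 + subdirs' link count.
    expected > visible means the inode knows about subdirectories that
    the listing does not show. `listdir` is injectable for testing."""
    st = os.lstat(path)
    if st.st_nlink < 2:
        return None
    expected = st.st_nlink - 2
    visible = 0
    for name in listdir(path):
        try:
            if stat.S_ISDIR(os.lstat(os.path.join(path, name)).st_mode):
                visible += 1
        except FileNotFoundError:
            # Entry vanished between readdir() and lstat(); not counted.
            pass
    return expected, visible


def hidden_by_name(parent, names, listdir=os.listdir):
    """Return the names under `parent` that lstat() resolves but that are
    absent from the parent's listing, i.e. hidden by name, not removed."""
    visible = set(listdir(parent))
    hidden = []
    for name in names:
        try:
            os.lstat(os.path.join(parent, name))
        except (FileNotFoundError, NotADirectoryError):
            continue
        if name not in visible:
            hidden.append(name)
    return hidden


def check_suspect_paths(paths=SUSPECT_PATHS):
    """Return the subset of `paths` that exist but are hidden from listing."""
    findings = []
    for p in paths:
        parent, name = os.path.split(p)
        try:
            if hidden_by_name(parent, [name]):
                findings.append(p)
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            # Parent missing or unreadable: nothing to probe here.
            continue
    return findings


def make_sample_tree():
    """Constructed sample: a temp dir holding subdirs a, b and a file c."""
    root = tempfile.mkdtemp(prefix="hidecheck-")
    for d in ("a", "b"):
        os.mkdir(os.path.join(root, d))
    open(os.path.join(root, "c"), "w").close()
    return root


def listdir_hiding(hidden_name):
    """A listdir that omits one name, simulating a hooked readdir()."""
    return lambda p: [n for n in os.listdir(p) if n != hidden_name]


if __name__ == "__main__":
    tree = make_sample_tree()
    print("clean listing:", link_count_discrepancy(tree))
    print("hooked listing:", link_count_discrepancy(tree, listdir_hiding("a")))
    print("hidden by name:", hidden_by_name(tree, ["a", "c"], listdir_hiding("a")))
    for p in ("/", "/usr/lib", "/lib"):
        print(p, link_count_discrepancy(p))
    print("hidden suspect paths:", check_suspect_paths())
```

Run it as root on the suspect box from a known-good boot medium if possible; on the live kernel it only tells you what that kernel is willing to admit, which is exactly why the rebuild the poster plans is the right call.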