Re: Root can't delete files

From: William York (
Date: 10/10/01

Message-ID: <>
Date: Wed, 10 Oct 2001 12:07:25 -0700 (PDT)
From: William York <>
Subject: Re: Root can't delete files
To: Thanas <>, Focus Linux <>

> after an intrusion in a linux system (2.2) using (I suppose) a
> vulnerability in bind 8.2.2 I've experienced a strange behaviour:

I'd say it's time to upgrade to a later version of BIND.

> the attacker installed a corrupted version of /bin/login

If /bin/login is suspect, what makes you think the rest of the system
is O.K.?

> and when i typed:
> # mv /safe/version/path/login /bin/login
> I just obtained the message 'Operation not permitted' ... How is
> it possible ? I had to use low level tools directly on the ext2
> filesystem to delete that file ...

Um, I'd look first at a corrupted version of 'rm', 'mv' and all other
executables. I would personally recommend that you back up critical
data and baseline the system, making sure that you change all
passwords along the way. Once the system has been compromised once,
especially as 'root', it's very hard and very tedious to repair it.

Good luck,

Do You Yahoo!?
Make a great connection at Yahoo! Personals.