0

There is one file uploaded by some exploit. I am not able to delete that file, even from a root login. What may be the issue, and how can I delete it? I already checked the immutable and sticky bit status. Any suggestion would be really helpful to me.

Thanks

vnix27
  • What filesystem is this on? What do `lsattr filename` and `ls -lZ filename` say? What about the directory the file is in (add `-d`)? What error are you getting when you try to remove the file? – DerfK Mar 29 '11 at 00:13
  • Check that the file doesn't have trailing whitespace. But I'm curious, what "exploit" is this, and what file is it? – Keith Mar 29 '11 at 00:23
  • Also, how did you conclude that the file was created maliciously? Update with all of this information. – Scott Pack Mar 29 '11 at 00:49
  • 1
    Side point, but if your system has been exploited you should be doing a complete reinstall and restore your data from backup. Cleaning the system is tricky as it can be very difficult to be sure you've got rid of everything. – Daniel Lawson Mar 29 '11 at 01:08
  • Verify that you have a backup, format, and reinstall. -- [Reinstall after a Root Compromise](http://serverfault.com/questions/6190/reinstall-after-a-root-compromise) – Zoredache Mar 29 '11 at 03:00

2 Answers

2

Reformat the machine and restore from backups.

Don't waste your time trying to remove one specific file. Think of it this way: if they were able to create this one file, how can you ever be certain they didn't make more permanent changes (think rootkit)?

devicenull
0

What kind of error are you getting while trying to delete the file?

Paste here the name of that file.

I have seen many hack scripts in /tmp with names starting with a hyphen (-). If this is your case, you can delete it with:

```
root@local [~]# rm ./-
rm: remove regular empty file `./-'? y
```

Suku
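
The checks asked for in the comments (`lsattr` and `ls -lZ` on the file and its directory, trailing whitespace) and the `./` prefix from the answer above, gathered into one triage script. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes a Linux host with e2fsprogs `lsattr` and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread): triage for a file that rm will not remove.
# Function names are hypothetical; printable-ness is judged in the current locale.

# Name problems that make a file look undeletable.
name_issues() {
    issues=""
    case $1 in -*) issues="$issues leading-hyphen" ;; esac
    case $1 in *[[:space:]]) issues="$issues trailing-whitespace" ;; esac
    case $1 in *[![:print:]]*) issues="$issues non-printable" ;; esac
    printf '%s' "${issues# }"
}

# Prefix relative paths with ./ so a leading hyphen is never parsed as an option.
safe_path() {
    case $1 in
        /*|./*|../*) printf '%s' "$1" ;;
        *) printf './%s' "$1" ;;
    esac
}

# Attribute letters from lsattr; empty if lsattr is missing or unsupported here.
attr_flags() {
    lsattr -d -- "$1" 2>/dev/null | awk '{print $1}'
}

# Report i (immutable) or a (append-only) on a path; either one blocks unlink.
blocking_attrs() {
    case $(attr_flags "$1") in
        *i*) printf 'immutable' ;;
        *a*) printf 'append-only' ;;
    esac
}

# Name, attributes of the file and its parent directory, then the long listing.
diagnose() {
    p=$(safe_path "$1")
    d=$(dirname -- "$p")
    printf 'name: %s\n' "$(name_issues "${p##*/}")"
    printf 'file attrs: %s\n' "$(blocking_attrs "$p")"
    printf 'dir attrs: %s\n' "$(blocking_attrs "$d")"
    ls -ldZ -- "$p" "$d" 2>/dev/null || ls -ld -- "$p" "$d"
}

# Diagnose every path given on the command line (none: define functions only).
for f in "$@"; do diagnose "$f"; done
```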