Linux is under attack and the attacker file cannot be operated
A, problem,
Suddenly received a similar message for several days, initially thought it was a security warning, did not pay much attention to it, then I clicked to check, found it wasMining program!Later found in the console, this server resource occupancy is very high, because this is a blank server, it is impossible to have such a large occupation!
After checking the details of the problem, we found that the attacker implanted a ZZH and ZZHS file in the etc directory!Unable to delete using rm -rf ZZH, and prompt do not allow operation prompt! (Operation not permitted)
Second, the solution
1. Check file permissionsLl | grep file name
2. If the file does not have the execution permission, add the permissionChmod 7 File nameIf the following failure occurs, the operation is not allowed
In this case, run the rm -r ZZHS command to delete it successfully. Delete file ZZH, delete file ZZH, delete file ZZH, delete file ZZH.
3. Check whether the file is forbiddenLsattr filename, as shown below
4. Briefly explain the ia parameters
A: Append Only. The system Only allows data to be appended to the file. No process is allowed to overwrite or truncate the file. If the directory has this property, the system will only allow the creation and modification of files in the directory, not delete any files. I: Immutable. The system does not allow any modification of this file. If the directory has this property, then any process can only modify files under the directory, not create or delete files.Copy the code
5. Delete the IA parametersChattr ia File name“Is successfully deleted, as shown in the following
Finally deleted successfully!
Third, summary
1. The lsattr command * *
The lsattr command is used to display file properties. You can run the chattr command to change the properties of a file or directory
grammar
Lsattr [-adlrvv] [File or directory...]Copy the code
parameter
- -a Displays all files and directories, including additional built-in, existing directories that begin with a “.”
- -d Displays the name of the current directory, not its contents
- -l Displays the permissions of all files or directories in the current directory
- -r Indicates that all files and subdirectories in a specified directory are processed at the same time
Display permissions for all files in the current directory (if folders are displayed as files)
- -v Displays the file or directory version
- -v Displays the version information
2. The chattr command
The chattr command is used to change file attributes. This command can change the attributes of a file or directory stored on an ext2 file system in one of the following eight modes:
- A: Make a file or directory for additional use only.
- B: The last access time of a file or directory is not updated.
- C: Compress files or directories and save them.
- D: Files or directories are excluded from the dump operation.
- I: Do not change files or directories at will.
- S: Deletes files or directories in confidentiality.
- S: Update files or directories immediately.
- U: Prevent accidental deletion.
Note: If the file attribute is -a, you need to run the echo command to append file content. Vim cannot be used because vim generates new files. Echo appends files to source files
grammar
Chattr [-rv][-v< version number >][+/-/=< Properties >][File or directory...Copy the code
parameter
- -r Indicates that all files and subdirectories in a specified directory are processed at the same time
- -v< version number > Sets the version of a file or directory
- -v Displays the command execution process
- +< properties > Enables the property of a file or directory
- -< properties > Disables the property of a file or directory
- =< property > Specifies the property of a file or directory
3. Difference between chattr and chmod
- Chmod: This is used to set user permissions for files! A total of 10!
- Chattr: This is a file property!