My linux box has been hacked. Some files are undeletable even by root. How can I replace them?

An intruder tried to install a rootkit on my box. I want it back before reinstallation. How do I replace invalid files installed by the attacker? I cannot chown or rm them. It says "Operation not permitted" on rm, chown, mv or similar. I'm running Debian Sarge.

Edit: chattr shows some flags (s, i and a) but removing them doesn't help. Edit again: my fault, sorry, chattr did work. I don't know what I saw.


Solution 1:

First try to "chattr" those files and/or the directories where those files are located.

Also, in case of a rootkit, a clean install is better (a friend got "rootkited" and the nasty code lay in the "ls" binary and executed at every "ls").

Later: On second thought, you should try to boot a LiveCD / LiveUSB, mount that partition and edit / scan it.

Solution 2:

Re-installation is the appropriate action in this case. Once a box has been compromised like that it's no longer a trustworthy installation. Even if you "think" you have it cleaned up.

I would make a copy of the disk using dd or one of the many free disk imaging options out there so that you can do some forensics on it and retrieve any data that you need. Then I would re-install and restore your data from a known good backup. Hopefully in the forensics you can find out how the attacker got in and take measures to make sure it doesn't happen again.

Solution 3:

There are some "hidden permissions" that are not normally shown for files. One of these is called immutable and prevents even root from modifying a file.

The chattr command can be used to set/clear the immutable flag, allowing the file to be deleted as normal.