[CentOS] CleanLog.h

Thu Nov 29 22:55:11 UTC 2007
Amos Shapira <amos.shapira at gmail.com>

On 30/11/2007, B.J. McClure <keepertoad at verizon.net> wrote:
>
>  Sad to say one of my file servers was exploited and used to run a
> Phishing scam.  Have identified subject virus amongst other things.  It
> appears twice in a virus scan; /sbin/z (which I assume can just be deleted)
> and /sys/bus/serio/drivers/atkbd/description.  The latter file is also
> present in identical uninfected machines.  I have been unable to open the
> file, even with root privileges, although it appears to be a text file.  Any
> suggestions on how to proceed appreciated.  Guess I could delete it and copy
> over the file from an identical machine.
>

Is SE Linux enabled on your system?
If this is an ext2/ext3 filesystem - look at "lsattr" and friends.
fuser(1) on that file and/or monitoring it using something based on
inotify(7) might reveal which process has it open or uses it.

Hope this gives you some useful direction.

--Amos
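
The checks suggested in the reply above, gathered into one read-only shell function (an added example, not part of the original message). The function names `fs_type` and `triage_file` are hypothetical, and GNU `stat` is assumed; a missing `getenforce`, `lsattr` or `fuser` is reported rather than treated as an error.

```shell
#!/bin/sh
# Added example: read-only triage of one suspicious path. Nothing is modified.

# Print the type of the filesystem holding PATH (GNU stat), or "unknown".
fs_type() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

triage_file() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    fst=$(fs_type "$f")
    echo "path: $f"
    echo "fstype: $fst"

    # SELinux: an enforcing policy can deny reads even to root.
    if command -v getenforce >/dev/null 2>&1; then
        echo "selinux: $(getenforce 2>/dev/null)"
    else
        echo "selinux: getenforce not installed"
    fi

    # lsattr flags (i = immutable, a = append-only) are an ext2/ext3 feature.
    case $fst in
        ext*)
            if command -v lsattr >/dev/null 2>&1; then
                attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
                echo "attrs: ${attrs:-unreadable}"
            else
                echo "attrs: lsattr not installed"
            fi ;;
        *)  echo "attrs: skipped, $fst is not ext2/ext3" ;;
    esac

    # fuser prints the PIDs that hold the file open on stdout.
    if command -v fuser >/dev/null 2>&1; then
        holders=$(fuser "$f" 2>/dev/null) || true
        echo "open-by-pids: ${holders:-none}"
    else
        echo "open-by-pids: fuser not installed"
    fi
    return 0
}

# Usage: triage_file /path/to/file
```

Run it as root on the affected host and on a known-good identical machine, then compare the two outputs line by line.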