An intruder tried to install a rootkit on my box. I want it back, before reinstallation.
How do I replace invalid files installed by the attacker?
I cannot chown or rm them.
It says "Operation not permitted" on rm, chown, mv or similar.
I'm running debian sarge.
Edit: chattr shows some flags (s, i and a) but removing them doesn't help.
Edit again: my fault, sorry, chattr did work. I don't know I saw.
Best Answer
First try to "chattr" that files and/or the directories where that files are located.
Also, in case of a rootkit, it's better a clean-install (a friend got "rootkited" and the nasty code lied in the "ls" binary, and executed at every "ls").
Later: On a second tought, you should try to boot a LiveCD / LiveUSB , mount that partition and edit / scan it.