chattr to set the hidden attribute

Today the server was compromised: it was sending packets without limit to an unknown IP address. iftop can be used to monitor the traffic.

At this point, .sh files were found in the tmp folder:

[root@localhost tmp]# ls
bash  clamav  cron.d 

Even the root user cannot delete them:

[root@localhost tmp]# rm -rf bash
rm: cannot delete "bash": Operation not permitted


The file has had hidden attributes set on it, so even the root user can neither delete it nor mv it.

Use lsattr followed by the file name to view the file's attributes:

[root@localhost tmp]# lsattr bash 
----ia-------e- bash


The file has the i and a attributes set. Once these attributes are removed, we can delete it.

[root@localhost tmp]# lsattr bash 
----ia-------e- bash


Looking at the file attributes again, we find that the i and a attributes have been removed:

[root@localhost tmp]# lsattr bash
-------------e- bash
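The check described above, generalized to a whole directory tree, as an added example that is not part of the original post: it parses lsattr output, lists every entry carrying i or a, and prints (without running) the chattr command that would clear those flags. The sample listing, its paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report files whose lsattr
# attribute field carries i (immutable) and/or a (append-only).

TAB=$(printf '\t')

# find_locked: reads lsattr-format lines on stdin and prints
# "<i|a|ia><TAB><path>" for every locked entry.
find_locked() {
    while read -r fl_flags fl_path || [ -n "$fl_flags" ]; do
        [ -n "$fl_path" ] || continue       # blank lines, "dir:" headers of lsattr -R
        case "$fl_flags" in
            *[!A-Za-z-]*) continue ;;       # not an attribute field, e.g. "lsattr:" errors
        esac
        fl_hit=""
        case "$fl_flags" in *i*) fl_hit="i" ;; esac
        case "$fl_flags" in *a*) fl_hit="${fl_hit}a" ;; esac
        if [ -n "$fl_hit" ]; then
            printf '%s\t%s\n' "$fl_hit" "$fl_path"
        fi
    done
    return 0
}

# unlock_plan: turns find_locked output into single-quoted chattr commands
# for review. Nothing is executed here; file names are attacker-controlled.
unlock_plan() {
    while IFS="$TAB" read -r up_hit up_path; do
        up_q=$(printf '%s' "$up_path" | sed "s/'/'\\\\''/g")
        printf "chattr -%s '%s'\n" "$up_hit" "$up_q"
    done
}

# scan_dir DIR: live scan; assumes lsattr from e2fsprogs is installed.
scan_dir() {
    lsattr -Ra -- "$1" 2>/dev/null | find_locked
}

# Constructed sample in lsattr's output format (not captured from a real host).
SAMPLE="----ia-------e- /tmp/bash
-------------e- /tmp/clamav
----i--------e- /tmp/cron.d
lsattr: Operation not supported While reading flags on /tmp/sock

/tmp/cron.d:
-----a-------e- /tmp/cron.d/it's a job"

printf '%s\n' "$SAMPLE" | find_locked | unlock_plan
```

On a live host, `scan_dir /tmp | unlock_plan` produces the same report; copy the flagged files for analysis before clearing the attributes and deleting them.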

Here is an introduction to chattr and lsattr

Reposted from: http://blog.chinaunix.net/uid-298599-id-2443100.html

With the chattr command you can set hidden attributes on a file or folder in order to protect it. The more important attributes are i and a. Only the root user can set or clear these two attributes. The lsattr command lets you view them.
i - immutable
a - append only

1. Testing the hidden attribute i on a file
With the i attribute set, a file cannot be deleted, renamed, hard-linked, or modified; it is "frozen" in place. Here are some tests:

1.1 Set the hidden attribute on the file test.txt


[root@localhost yuechaotian]# pwd
/home/yuechaotian
[root@localhost yuechaotian]# ll
总用量 8
drwx--x--x  3 root        root        4096 12月  7 14:52 study
dr-xr-xr-x  2 yuechaotian yuechaotian 4096 12月  9 22:33 test
-rw-rw-rw-  1 yuechaotian yuechaotian    0 12月  9 22:33 test.txt
[root@localhost yuechaotian]# lsattr test.txt
------------- test.txt
[root@localhost yuechaotian]# chattr +i test.txt
[root@localhost yuechaotian]# lsattr test.txt
----i-------- test.txt

1.2 test.txt cannot be deleted, renamed, or hard-linked

[root@localhost yuechaotian]# rm test.txt
rm: remove write-protected regular empty file 'test.txt'? y
rm: cannot delete 'test.txt': Operation not permitted
[root@localhost yuechaotian]# mv test.txt test.txt.copy
mv: cannot move 'test.txt' to 'test.txt.copy': Operation not permitted
[root@localhost yuechaotian]# ln test.txt test.txt.ln
ln: creating hard link 'test.txt.ln' to 'test.txt': Operation not permitted

1.3 The file can be copied; the newly created file does not have the attribute

[root@localhost yuechaotian]# cp test.txt test.txt.copy
[root@localhost yuechaotian]# ll
总用量 16
drwx--x--x  3 root        root        4096 12月  7 14:52 study
dr-xr-xr-x  2 yuechaotian yuechaotian 4096 12月  9 22:33 test
-rw-rw-rw-  1 yuechaotian yuechaotian   29 12月 10 20:27 test.txt
-rw-r--r--  1 root        root          29 12月 10 20:30 test.txt.copy
[root@localhost yuechaotian]# lsattr
----i-------- ./test.txt
------------- ./test
------------- ./study
------------- ./test.txt.copy 

1.4 A symbolic link to it can be created

[root@localhost yuechaotian]# ln -s test.txt test.txt.ln
[root@localhost yuechaotian]# ll
总用量 16
drwx--x--x  3 root        root        4096 12月  7 14:52 study
dr-xr-xr-x  2 yuechaotian yuechaotian 4096 12月  9 22:33 test
-rw-rw-rw-  1 yuechaotian yuechaotian   29 12月 10 20:27 test.txt
-rw-r--r--  1 root        root          29 12月 10 20:30 test.txt.copy
lrwxrwxrwx  1 root        root           8 12月 10 20:32 test.txt.ln -> test.txt 

1.5 When you edit test.txt with vi and try to save, the following message appears:

E45: 'readonly' option is set (add ! to override) 

2. Testing the hidden attribute a on a file
The difference between attribute a and attribute i is that data can be appended to the file (but the file cannot be deleted).

2.1 Set the hidden attribute on the file test.txt

[root@localhost yuechaotian]# rm test.txt.copy
rm: remove regular file 'test.txt.copy'? y
[root@localhost yuechaotian]# rm test.txt.ln
rm: remove symbolic link 'test.txt.ln'? y
[root@localhost yuechaotian]# chattr -i +a test.txt
[root@localhost yuechaotian]# lsattr test.txt
-----a------- test.txt

2.2 Unlike with the i attribute, the file test.txt can be written to:

[root@localhost yuechaotian]# cat test.txt
http://yuechaotian.cublog.cn
[root@localhost yuechaotian]# echo>>test.txt adsf
[root@localhost yuechaotian]# cat test.txt
http://yuechaotian.cublog.cn
adsf 

2.3 Similarly, a file with the hidden attribute a cannot be deleted, renamed, or hard-linked

[root@localhost yuechaotian]# rm test.txt
rm: remove regular file 'test.txt'? y
rm: cannot delete 'test.txt': Operation not permitted
[root@localhost yuechaotian]# mv test.txt test.cp
mv: cannot move 'test.txt' to 'test.cp': Operation not permitted
[root@localhost yuechaotian]# ln test.txt test.ln
ln: creating hard link 'test.ln' to 'test.txt': Operation not permitted

2.4 When you try to edit the file with the vi editor, the following message appears:

"test.txt" E212: Can't open file for writing

In daily work, for configuration files that must not be modified, you can set the hidden attribute i; for log files, you can set the hidden attribute a.
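One way to verify that this recommendation is still in force on a host, as an added example rather than code from the original article: it compares a policy list of expected attributes against saved lsattr output and reports entries whose flag has gone missing. The policy format, the file paths and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): check that files which are
# supposed to carry i or a still do, using lsattr-format input.

# audit_attrs POLICY_FILE LSATTR_FILE
#   POLICY_FILE: lines "<attr> <path>", attr is i or a ("#" starts a comment)
#   LSATTR_FILE: saved output of lsattr for those paths
# Prints one line per policy entry: OK, MISSING (flag not set) or
# UNKNOWN (path absent from the lsattr output). Returns 1 if any is not OK.
audit_attrs() {
    awk '
        NR == FNR {                       # first file: the policy
            if ($0 ~ /^[ \t]*(#|$)/) next
            want = $1; sub(/^[ \t]*[^ \t]+[ \t]+/, ""); policy[$0] = want
            order[++n] = $0; next
        }
        $1 ~ /^[A-Za-z-]+$/ && NF >= 2 {  # second file: lsattr lines
            flags = $1; sub(/^[^ \t]+[ \t]+/, ""); seen[$0] = flags
        }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                if (!(p in seen))                    st = "UNKNOWN"
                else if (index(seen[p], policy[p]))  st = "OK"
                else                                 st = "MISSING"
                if (st != "OK") bad = 1
                printf "%s\t%s\t%s\n", st, policy[p], p
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# demo_audit: runs the audit on constructed data (not taken from a real host).
demo_audit() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# constructed policy' 'i /etc/ssh/sshd_config' \
        'a /var/log/secure' 'i /etc/passwd' > "$d/policy"
    printf '%s\n' '----i--------e- /etc/ssh/sshd_config' \
        '-------------e- /var/log/secure' > "$d/lsattr"
    audit_attrs "$d/policy" "$d/lsattr" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_audit || true
```

Generate the second file with `lsattr -d` on exactly the paths named in the policy so that the path strings match.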

3. Attributes i and a on folders
By the same reasoning, the files in a folder are that folder's "data". When a folder has the i or a attribute set, the folder's "data" is subject to the same constraints tested above.

3.1 When a folder has the hidden attribute i, the folder cannot be deleted or renamed, files cannot be added to it, and files in it cannot be deleted.

[root@localhost yuechaotian]# ll
总用量 12
drwx--x--x  3 root        root        4096 12月  7 14:52 study
drwxrwxrwx  2 yuechaotian yuechaotian 4096 12月 10 21:47 test
-rw-rw-rw-  1 yuechaotian yuechaotian   34 12月 10 20:48 test.txt
[root@localhost yuechaotian]# chattr +i test
[root@localhost yuechaotian]# rm -r test
rm: descend into write-protected directory 'test'? y
rm: remove regular file 'test/t.2'? y
rm: cannot delete 'test/t.2': Permission denied
[root@localhost yuechaotian]# mv test t
mv: cannot move 'test' to 't': Operation not permitted
[root@localhost yuechaotian]# mv test.txt test
mv: cannot move 'test.txt' to 'test/test.txt': Permission denied
[root@localhost yuechaotian]# rm test/t.2
rm: remove regular file 'test/t.2'? y
rm: cannot delete 'test/t.2': Permission denied

3.2 When a folder has the hidden attribute a, unlike with i, files can be added to the folder

[root@localhost yuechaotian]# chattr -i +a test
[root@localhost yuechaotian]# mv test.txt test
[root@localhost yuechaotian]# rm test/test.txt
rm: remove regular file 'test/test.txt'? y
rm: cannot delete 'test/test.txt': Operation not permitted


 chattr

  1. Purpose

  Modifies file attributes on ext2 and ext3 file systems; requires superuser privileges.

  2. Format

  chattr [-RV] [-+=AacDdijsSu] [-v version] file or directory

  3. The main parameters

  -R: Recursively process all files and subdirectories.

  -V: Display the modifications in detail and print them.

  -: Remove the attribute.

  +: Add the attribute.

  =: Set the attributes to exactly those specified.

  A: Atime; tells the system not to modify the file's last access time.

  S: Sync; once an application performs a write operation on the file, the system immediately writes the result to disk.

  a: Append Only; the system only allows data to be appended to the file and does not allow any process to overwrite or truncate it. If a directory has this attribute, the system only allows files to be created and modified in that directory, not deleted.

  i: Immutable; the system does not allow any changes to the file. If a directory has this attribute, processes can only modify the files in the directory and are not allowed to create or delete files.

  D: Check for errors in compressed files.

  d: No dump; during a file system backup, dump will ignore the file.

  c: Compress; the system compresses the file transparently. When the file is read, decompressed data is returned; when data is written to the file, it is compressed before being written to disk.

  s: Secure Delete; when the system deletes the file, the area the file occupied is filled with zeros.

  u: Undelete; when an application requests deletion of the file, the system retains its data blocks so that the file can be undeleted later.

  4. Description

  The chattr command is very useful, but some of its functions depend on support in the Linux kernel version: if the kernel version is below 2.2, many of the features are not available. Likewise, the -D function for checking errors in compressed files requires kernel 2.5.19 or later. In addition, modifying attributes with chattr can improve the security of the system, but it is not suitable for all directories. The chattr command cannot protect the /, /dev, /tmp, and /var directories.
----------------
Disclaimer: This is an original article by CSDN blogger "magicsw", released under the CC 4.0 BY-SA license. When reposting, please include the original source link and this statement.
Original link: https://blog.csdn.net/sw_magic/article/details/17380325

Origin blog.csdn.net/u014426028/article/details/102794795