linux - Cannot delete folder or files inside

2014-07
  • Alex

    I have a rather strange problem. I have encountered a folder with a file in it that I can neither see nor delete. This is, I believe, a rootkit and I am desperate to get it off my machine. I am logged in as root on the server. The folder is called silver and it's inside the var directory. Nothing I do lists the folder. ls -la doesn't show the folder, but I can access the directory via cd silver. Inside the folder there is a file called ~.b - again I cannot see it or access it, but I know it exists because my dmesg log is full of segmentation faults caused by this file.

    trivial-rewrite[24096]: segfault at 2 ip 00007f65c5457e65 sp 00007fff596e5360 error 4 in ~.b[7f65c5455000+6000]
    cleanup[24097]: segfault at 2 ip 00007fd614f29e65 sp 00007ffffe7ad2c0 error 4 in ~.b[7fd614f27000+6000]

    Trying to change attributes on the file or the folder seems to have no effect whatsoever:

    chattr -sia ~.b

    chattr: No such file or directory while trying to stat ~.b

    How do I get rid of this file and the directory?

  • Answers
  • Dan L

    For the attempted fix, it will require a reboot and local access to the server. As you haven't given info about the filesystem or underlying drives/raid/lvm, these are generic instructions.

    The most likely issue is just a bad drive with an unwriteable block, but other situations are possible. The first is that you have a filesystem corruption and that link is unchangeable. Another is that you do have a rootkit and the rootkit is blocking access to the file, as you suggest.

    The easiest way to address all of these is to reboot the server with a standalone rescue disk. I'd recommend the app named SystemRescueCD, but your original OS install disk should also have a rescue mode. You should obtain the image and burn it to a disk on another system. The reboot from clean media will potentially remove any rootkits or filesystem locks.

    Once booted, run the appropriate fsck check for the filesystem type to attempt to address any errors. If you are running a raid or lvm, you'll need to recreate that manually before running the fsck. Do not mount the filesystem at this point before the fsck.

    If the fsck fails to finish, it would indicate a bad drive.

    Assuming the fsck finishes successfully (even if it had to correct some errors), you will need to mount the filesystem manually and check to see if the suspect file is still there.

    If it's gone, you most likely had a filesystem issue.

    If it's still there, you should be able to remove it with the following command:

    rm -f ~.b

    The thing is, if the results of these efforts seem to indicate a rootkit (not a bad drive or filesystem), you'll want to format the drive and do a full restore of the OS anyway, as you really can't be sure you've cleaned it all out.

  • Alex

    Managed to finally get it deleted.

    LD_PRELOAD="/var/silver/~.a" chattr -sia "/etc/ld.so.preload";LD_PRELOAD="/var/silver/~.a" rm "/etc/ld.so.preload"

    And then did a chattr -sia on the folder and deleted it.
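
The fix above works because the preloaded library is what was hiding the directory from every dynamically linked tool (ls, chattr, rm all go through libc), and loading it into the commands that delete /etc/ld.so.preload makes them behave normally. The program below is an added example, not code from this thread and not the rootkit's code. It checks for exactly that class of hiding: it reads a directory with the raw getdents64 syscall, which an /etc/ld.so.preload library cannot intercept, and compares the result with what libc's readdir() reports. Any name present in the kernel view but missing from the libc view is a candidate hidden entry. It assumes Linux; that the hook lives in userspace (which the LD_PRELOAD-based fix implies but the thread does not prove); and it borrows the name ~.b only as test data in its self-check.

```c
/* Added example, not code from the thread or from the rootkit it describes. Lists a
 * directory with the raw getdents64 syscall and compares that with libc's readdir():
 * a library in /etc/ld.so.preload can only hook library calls, so a name the kernel
 * returns but libc does not is a strong sign of a userspace hiding hook. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { MAX_ENTRIES = 1024, NAME_LEN = 256 };

/* Record layout the kernel fills in for getdents64; glibc does not export it. */
struct kdirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

static int is_dot(const char *n) { return !strcmp(n, ".") || !strcmp(n, ".."); }

/* Kernel view: names straight from getdents64, bypassing libc. Returns count or -1. */
int list_raw(const char *path, char names[][NAME_LEN], int max)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    unsigned long long buf[4096];                 /* 32 KiB, 8-byte aligned */
    char *base = (char *)buf;
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, base, sizeof buf);
        if (nread <= 0) break;                    /* 0: end of directory, -1: error */
        for (long pos = 0; pos < nread;) {
            struct kdirent64 *d = (struct kdirent64 *)(base + pos);
            if (!is_dot(d->d_name) && n < max)
                snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* libc view: the directory as ls(1) sees it, through opendir/readdir. */
int list_libc(const char *path, char names[][NAME_LEN], int max)
{
    DIR *dp = opendir(path);
    struct dirent *e;
    int n = 0;
    if (!dp) return -1;
    while ((e = readdir(dp)) != NULL)
        if (!is_dot(e->d_name) && n < max)
            snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(dp);
    return n;
}

/* Names in the kernel view but absent from the libc view. Returns how many were
 * written to hidden[], or -1 if a listing failed (only the first MAX_ENTRIES compared). */
int find_hidden(const char *path, char hidden[][NAME_LEN], int max)
{
    static char raw[MAX_ENTRIES][NAME_LEN], seen[MAX_ENTRIES][NAME_LEN];
    int nr = list_raw(path, raw, MAX_ENTRIES);
    int nl = list_libc(path, seen, MAX_ENTRIES);
    if (nr < 0 || nl < 0) return -1;
    int h = 0;
    for (int i = 0; i < nr; i++) {
        int found = 0;
        for (int j = 0; j < nl && !found; j++)
            found = strcmp(raw[i], seen[j]) == 0;
        if (!found && h < max)
            snprintf(hidden[h++], NAME_LEN, "%s", raw[i]);
    }
    return h;
}

/* Self-check in a scratch directory: a freshly created "~.b" (name borrowed from the
 * question as test data) must appear in the kernel view, and an unhooked system must
 * report nothing hidden. Returns 1 on pass, 0 on failure. */
int self_check(void)
{
    char dir[] = "/tmp/hidecheck.XXXXXX", file[300];
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/~.b", dir);
    FILE *fp = fopen(file, "w");
    if (!fp) { rmdir(dir); return 0; }
    fclose(fp);
    char raw[16][NAME_LEN], hidden[16][NAME_LEN];
    int nr = list_raw(dir, raw, 16);
    int ok = nr == 1 && strcmp(raw[0], "~.b") == 0 && find_hidden(dir, hidden, 16) == 0;
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    static char hidden[MAX_ENTRIES][NAME_LEN];
    int n = find_hidden(argc > 1 ? argv[1] : ".", hidden, MAX_ENTRIES);
    for (int i = 0; i < n; i++) printf("hidden from libc: %s\n", hidden[i]);
    return n < 0 ? 2 : n > 0;                     /* 1 = something hidden, 2 = error */
}
```

Build it with `gcc -static -O2 -o hidecheck hidecheck.c` and run `./hidecheck /var`; a non-zero exit of 1 means at least one entry was hidden and the names are printed. The -static matters: a dynamically linked binary would itself load whatever /etc/ld.so.preload names, and open() or readdir() could be hooked inside it. Even then, a hook that wraps syscall() or a kernel-level rootkit would defeat this comparison, so a clean result is evidence, not proof, which is why Dan L's advice to examine the disk from rescue media still applies.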


  • Related Question

    osx - Delete all files in a folder without deleting directories? (OS X)
  • Mk12

    Is there a simple terminal command maybe to delete all actual data, all files but leave all the directories there? Including packages (.app) as directories?

    -- You don't need to read this: The reason why is on my iPod Touch, whenever I ssh to /private/var/mobile/Applications to get an icon or something to change for a theme, I have to look through every folder to find the application, since they're all in their unique identifier folders (e.g. 2C053638-26FE-42DD-A235-30FCBA59E623); it's impossible to find it. So I copied the Applications folder to my desktop, so I could spotlight search for the application name in it and then the folder that it's in would be the unique id folder on the iPod, so having it sorted the same I could easily find it.


  • Related Answers
  • David Spillett

    Are you wanting to delete just the files from the current directory, or files from sub-directories too? For the latter this would work under most Unix-like environments

    find . -type f -print0 | xargs -0 rm -f
    

    or if you know there are no files or directories with spaces in their names you can simplify a little with

    find . -type f | xargs rm -f
    

    I'm not an Apple user so I know little of the .app directories of which you speak, but you should be able to avoid touching them by adding grep between find and xargs like

    find . -type f | grep -v '\.app/' | xargs rm -f
    

    Replace rm -f with ls or ls -l in all the above to get a list of what would be deleted instead of actually performing the delete.

  • Hai Vu

    Find can delete as well:

    $ find . -type f -exec rm {} \;
    

    BE CAREFUL: this command means business--it deletes all files starting from the current directory without asking.

  • shellking

    open your terminal application

    (1) cd {path of the iTouch content}

      for example:  cd /Users/Mike/Desktop/myTouch
    

    (2) then recurse through the directories and remove content.

      find {directory} -type f | tee output
    
      # read one path per line so names with spaces survive; '\.app/' skips
      # anything inside a bundle rather than any name that merely contains "app"
      grep -v '\.app/' output | while IFS= read -r i
      do
       echo "${i}"; rm -- "${i}"
      done
    

    for example,

    find /Users/Mike/Documents/myTouch/ -type f | tee output
    
    grep -v '\.app/' output | while IFS= read -r file
    do
     echo "${file}"
     rm -- "${file}"
    done
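
The answers above all filter .app bundles by pattern-matching a text listing, which breaks on names containing spaces or newlines and on the unanchored regex. As an added example, not code from any answer in this thread, the function below does the same job with find's own -prune so bundle contents are never handed to rm at all, passes paths as arguments instead of through a text pipe, and offers a dry-run mode. It assumes a POSIX find (GNU and the BSD find on macOS both accept this form) and that the files to keep are exactly those inside a directory whose name ends in .app.

```shell
#!/bin/sh
# Added example, not code from any answer in this thread.
# prune_files DIR [dry]: remove every regular file below DIR, keep all
# directories, and leave *.app bundles (which are directories) untouched.
# Pass any second argument to list what would be removed instead of removing.
prune_files() {
    dir=$1
    dry=$2
    # "-type d -name '*.app' -prune" stops find at a bundle so nothing inside
    # it reaches rm; "-exec ... {} +" passes names as arguments, so spaces and
    # newlines in names are safe without xargs or a for-loop word split.
    if [ -n "$dry" ]; then
        find "$dir" -type d -name '*.app' -prune -o -type f -print
    else
        find "$dir" -type d -name '*.app' -prune -o -type f -exec rm -f -- {} +
    fi
}

# count_files DIR: number of regular files find still sees below DIR
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Run `prune_files ~/Desktop/myTouch dry` first and read the list; only when it contains nothing you want to keep, run it again without the second argument.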