Hacked Help

Looks like we had a hack on one of our servers. We are not sure how they did what they did but we know this:

They created a user www

They had previously compromised 5 other accounts of real users first.

They altered these /bin files (at least) so that we cannot do anything with them.

login
ls
netstat
ps

On a move of the files we get these errors:
/newbin/mv: cannot unlink `ls': Permission denied
/newbin/mv: cannot remove `ls': Permission denied

Obviously we have a clean /newbin directory pulled over.

We cannot manipulate the files as the user (one of our customers) or as root. No chown, chmod, mv, rm, rm -rf, nothing.

Can anyone point me to a site that may have a fix or put it here? I know I am forgetting some basic Unix thing to get control of the files.