I have a CentOS server. It has been hacked. There are some malicious files under "/", like "/11db32e5"; the AV scanner says it is a "HackTool/Linux.CoinMiner.n". But I cannot delete the file with "rm -rf". I am root, uid is 0.
I have tried:
- lsattr, there is no "i" or "a".
- lsof /11db32e5, there is no process opening it.
- The owner and group of the file are both "root".
- I can run "cat /dev/null > /11db32e5", and the size of the file is 0. But I cannot delete it.
- I make a new dir under "/" named "/test", and make a file under "/test" named "test2". Then I can delete "test2", but I cannot delete "/test", which is under "/".
- So I think I cannot delete anything under "/", but I can change their content.
- The privilege of "/" mount is "rw".
- I use "strace" to find the difference between "rm -rf" on the malicious file and on the regular file which I can delete.
The differences are: [image]