If you are being attacked or infected by malware which uses chattr, I suggest you create a wrapper around (or replace) chattr and log the events.

For example, I once was tracking malware which used curl, so I replaced curl with this:

Code:

cat /usr/bin/curl
#!/bin/sh
/usr/bin/php  /usr/bin/mystuff.php  $@

Code:

cat  /usr/bin/mystuff.php
<?php
error_reporting(0);
//$ip = $_SERVER['REMOTE_ADDR'];
$ip = '';
$script = '';
$url = '';
if(isset($_SERVER) AND FALSE)
{
$script = $_SERVER['SCRIPT_FILENAME'];
$url  = $_SERVER['REQUEST_URI'];
}
$arg = json_encode($argv);
//error_log(date(DATE_RFC822)." ARGV ".$arg.' SCRIPT '.$script.' URI '.$url. "\n", 3, '/var/log/debug/my_hack_tripper_upper2.log');
error_log(date(DATE_RFC822)." ARGV ".$arg."\n", 3, '/var/log/debugger/my_hack_tripper_upper.log');

?>

The reason for this is I want to know deeper what is going on when someone has managed to inject some malware onto a server. So, normally, if I find out the malware uses curl or chattr, for example, I will write a wrapper and log processes like in the example above.

If you follow the "anti malware instructions" they want you to kill everything and start deleting files.

I find it better to "trap and trace" before deleting and killing; especially if you are not running a process which is so critical that the malware is really doing major harm (at the time of discovery).

We used to call this strategy, which I developed in cyber defense two decades ago, as "the blackhole strategy" which means to use information to your advantage and not let any hackers know you are on to them.

In your case, I do not know the criticality of your server, but if it was me; I would write a wrapper which logs as much information as I could and track down the processes which might be calling your process, etc.


In the case of my example code above, I do not exec curl because I already tracked down the malware and finished my analysis and, so I did not not need the binary wrapper, but only logging.

And so, since I do not require curl every day (and a lot of malware uses curl to download other malware), I simply log every time curl is called; and if I need curl in the shell I call it from some obscure name like "neos_curl" which is curl just copied to neo_curl.

You can consider the same or similar strategy for chattr.

In my long-in-the-tooth view of cyber defense, it is best to log, trap and trace hacker and malware versus just deleting and cleaning up quickly. You can gain a lot of knowledge about the malware if you trap and trace the processes, log the traps and traces, all without disrupting the malware process (or you can disrupt if it your risk mitigation policy dictates you must).

You can wrap and log or just log (as in the example above).

Cyber defense is a lot like kung fu - do not let your emotions or fear or anger control the situation. Use logic and the actions of the malware against the malware, keeping your cool and calm, to understand and defeat the malware, on your terms. As for me, I find anger, fear and emotional outbursts a sign of weakness (not strength). In cyber defense, you are in control. Trap and trace the malware and you can know how and when (and from where and perhaps who) it effects your system.

Hope that bit of knowledge was useful.

Cheers.