malware setting files as immutable or append only

0001-01-01

Some malware on Linux and Unix-like systems sets the immutable or append-only filesystem attributes on its files so that a systems administrator, incident responder, or configuration management tool cannot simply delete or overwrite them, which helps the malware persist.

This is typically done with the chattr command:

chattr +i /path/to/file # sets file as immutable
chattr +a /path/to/file # sets file to append only

chattr -i /path/to/file # removes immutable attribute from file
chattr -a /path/to/file # removes append only attribute from file

It may be a good idea to monitor the use of the chattr command, especially when used on files previously seen in malware samples.
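As an added example (not part of the original note), the following POSIX shell script takes the defender's side of this: it scans lsattr output for the two attributes the note describes, lowercase i (immutable) and a (append-only), so that files an ordinary rm or config-management run cannot touch are surfaced for review. The lsattr output embedded in sample_lsattr_output is constructed for demonstration and the paths in it are placeholders, not indicators; scan_dirs assumes lsattr from e2fsprogs is installed.

```shell
#!/bin/sh
# Added example, not code from the original note: find files carrying the
# immutable (i) or append-only (a) attribute, i.e. the flags set by
# "chattr +i" and "chattr +a".

# flag_attrs reads lsattr-style lines ("<flags> <path>") on stdin and prints
# "immutable <path>" or "append-only <path>" for each matching entry.
# Directory headers ("/var/log:") and blank lines from "lsattr -R" have
# fewer than two fields and are skipped, so a directory name containing
# the letter "a" is never misreported. Matching is case-sensitive: "A"
# (no-atime) and "I" (indexed directory) are different flags and are ignored.
flag_attrs() {
    awk '
    NF >= 2 {
        flags = $1
        # Take everything from the second field onward so that paths
        # containing spaces are kept intact.
        path = substr($0, index($0, $2))
        if (index(flags, "i") > 0)      print "immutable " path
        else if (index(flags, "a") > 0) print "append-only " path
    }'
}

# scan_dirs runs lsattr recursively over the given directories and feeds the
# result to flag_attrs. Errors for special files and unsupported filesystems
# are discarded. Assumes lsattr (e2fsprogs) is available.
scan_dirs() {
    lsattr -R "$@" 2>/dev/null | flag_attrs
}

# Constructed sample of "lsattr -R" output used to demonstrate flag_attrs.
# The paths are placeholders chosen for this example, not real indicators.
sample_lsattr_output() {
    printf '%s\n' \
        '/tmp:' \
        '--------------e------- /tmp/normal.txt' \
        '----i---------e------- /tmp/example-immutable' \
        '' \
        '/var/log:' \
        '-----a--------e------- /var/log/example-append-only' \
        '-------A------e------- /var/log/example-noatime'
}

# Stand-alone run: show the demo result, then (if lsattr exists) scan
# a directory of the caller's choice, defaulting to /tmp.
sample_lsattr_output | flag_attrs
if command -v lsattr >/dev/null 2>&1; then
    scan_dirs "${1:-/tmp}"
fi
```

Running this periodically from a host-based check, or once during triage of a suspect machine, answers the question "which files here would resist removal?" without changing anything. For the monitoring the note recommends, one common approach (an assumption here, not something the note specifies) is an auditd watch on the binary's execution, for example `-w /usr/bin/chattr -p x -k chattr_use` on systems where chattr lives at that path, and then reviewing hits against the paths in the scan output.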

