Some malware on Linux and Unix-like systems will set immutable or append only filesystem attributes on their files to make them harder for a systems administrator, incident responder, or configuration management software to remove, thus enabling their malware to persist.
This is typically done with the chattr command:
chattr +i /path/to/file #### sets file as immutable chattr +a /path/to/file #### sets file to append only
chattr -i /path/to/file #### removes immutable attribute from file chattr -a /path/to/file #### removes append only attribute from file
It may be a good idea to monitor the use of the chattr command, especially when used on files previously seen in malware samples.