Server is infected with rootkit or something

rewesh · 10-13-2011, 01:51 PM

My system is infected with a rootkit or something and i trying to find the source of the infection but i can not. I though by doing an upgrade from etch to lenny will help, however the process is halted by an error to upgrade Mysql which i do not want to update for he moment. I found this bot file attached in the tmp folder. i had to put .txt so i can attach it

craigevil · 10-13-2011, 02:10 PM

Did you run rkhunter and/or chkrootkit?

If there is a rootkit upgrading isn't going to get rid of it.

If you are still running Etch not really surprising that it has a rootkit since support for it stopped in Feb.

rewesh · 10-13-2011, 02:12 PM

yes i run both of them and they detect nothing, i am running mix system now etch+lenny

Hungry ghost · 10-13-2011, 02:14 PM

Since it's a security issue, I would suggest you to report your own post and ask a moderator to move it to the Security section of the forum (you'll probably find more help about this specific problem there). After you've got help from the folks at the security section, you will probably want to install something newer, like Debian Squeeze (with new passwords, of course). Debian lenny is still too old, and this could pose a security risk.

Regards.

Dutch Master · 10-13-2011, 03:27 PM

First thing you do is pull the plug. Not shutdown or power down, just pull the plug! Remove the harddrive(s) then use a separate machine (no network connectivity!) and a live-cd to create a copy of the disk. Work on the copy to find a cure, once you found it you can cleanse out the original disk(s). Make sure any data you rescue from the infected drive(s) is thoroughly checked by the updated rootkit scanner available from the rescue cd.

Anyway, your security system is compromised, so you'd really need to rethink your strategy on that and find the source of the infection to make sure it'll never happen again. The most common cause is ignorant users or compromised updates. As said, Lenny is quite old so you really must upgrade to Squeeze now.

I also concur to have the post moved to the Security area of LQ, with much better experts then I'll ever be

ring0 · 10-14-2011, 04:57 AM

I scanned the file with avast online scanner http://onlinescan.avast.com/ and reports it as Perl:Shellbot-T [Trj].After googling i found this http://www.anchiva.com/virus/view.as...erl.Shellbot.a, it is an irc bot.

TobiSGD · 10-14-2011, 06:17 AM

Duplicate of http://www.linuxquestions.org/questi...ething-908008/

unSpawn · 10-14-2011, 10:32 AM

This thread is being closed because it is a duplicate. Please continue here: http://www.linuxquestions.org/questi...ething-908008/.