Yeah! I got rooted!? If that sounds strange to be excited about, it means that I have a reason to really learn about security.
The only evidence I've had was that nmap kept on reporting that more ports, in particular, were closed. Many of them were trojan-like.
The server itself has a very strict iptables scheme... it only allows ssh from a high port from a single computer; however, port 80 may have been the entry point.
I read an old article about several rootkits and what they do. I didn't bother doing forensics since the server is for now a testing LAMP server. Wipe to metal and start again...
However, this has been a beast for me to clean. Wiping the partitions and/or erasing the data on each partition didn't do it, even when taking the box "behind closed doors". I just ran a knoppix shred on it; that *should* do the trick.
Am I correct in my assumptions that something nasty was trying to get out?
I've read about LKMs being a key for installing a rootkit...is there a way to disable LKMs in Linux?
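On the LKM question, an added example (not from the original post or any reply) showing the runtime knob Linux provides: the `kernel.modules_disabled` sysctl (Linux 2.6.31 and later) is one-way, so the script refuses to flip it until every module the box needs is already loaded; the module names and /proc/modules snapshots below are constructed for the demo. Building the kernel with CONFIG_MODULES=n is the only way to remove loading entirely, and neither approach evicts a rootkit that is already resident, so this belongs on the rebuilt machine, not the compromised one.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux kernel built with
# CONFIG_MODULES=y. kernel.modules_disabled is one-way: once it is 1, nothing
# can be loaded until reboot, so it must be set late in boot, after the
# drivers and netfilter modules the server relies on are already loaded.

# missing_modules REQUIRED_LIST PROC_MODULES_FILE
# Prints each name from the space-separated REQUIRED_LIST that is absent from
# a /proc/modules-style file (lines begin "name size refcount ...").
missing_modules() {
    for m in $1; do
        grep -q "^$m " "$2" || echo "$m"
    done
}

# is_locked SYSCTL_FILE -> 0 when module loading is already disabled
is_locked() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# lock_modules REQUIRED_LIST PROC_MODULES_FILE SYSCTL_FILE
# Writes 1 to SYSCTL_FILE (normally /proc/sys/kernel/modules_disabled) only
# when every required module is present. Returns 0 when locked, 1 when refusing.
lock_modules() {
    miss=$(missing_modules "$1" "$2")
    if [ -n "$miss" ]; then
        echo "refusing to lock: not loaded: $miss" >&2
        return 1
    fi
    echo 1 > "$3"
}

# Constructed demo: fake /proc/modules snapshots and a fake sysctl file, so the
# logic can be exercised without root. For real use, run as root with
#   lock_modules "e1000 xt_tcpudp" /proc/modules /proc/sys/kernel/modules_disabled
demo() {
    d=$(mktemp -d)
    printf 'e1000 123456 0 - Live 0x0\nxt_tcpudp 4096 4 iptable_filter, Live 0x0\n' > "$d/mods.ok"
    printf 'xt_tcpudp 4096 4 iptable_filter, Live 0x0\n' > "$d/mods.noeth"
    echo 0 > "$d/modules_disabled"
    # NIC driver missing: refuse, because locking now would strand the box
    lock_modules "e1000 xt_tcpudp" "$d/mods.noeth" "$d/modules_disabled" && echo "unexpected"
    # everything loaded: lock, then confirm
    lock_modules "e1000 xt_tcpudp" "$d/mods.ok" "$d/modules_disabled"
    is_locked "$d/modules_disabled" && echo "module loading now locked until reboot"
    rm -rf "$d"
}

demo
```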