Obviously if I knew a lot about linux I wouldn't be here.
I should make it clear I didn't intend to belittle you or question your level of knowledge.
What I care for and am concerned with in these types of cases is people doing what they think would be "the right thing" which would either 1. not correct the situation in a "proper" way, 2. continue to pose a threat to the (local|inter)network or even worse 3. continue operating a clearly malfunctioning box by "patching up". In general (so may not apply to your case) when what people post looks like dodging responsibilities, stalling or losing focus I try to "correct" their POV.
That is why I'm in this position today.
And I assure you we'll do anything in our power to help you.
I've come to realize that the only thing for me to do is to back up what I can and reformat.
Yes. Don't back up binaries. Since this is an infected (thus "untrusted") box, make sure backups don't mix with any other. Clearly mark them as "suspect", and move to a safe place. When the time comes to restore configs and data, restore to a safe place, and inspect each config manually.
I should have made it more clear that I plan to install antivirus software after the clean install. I'm just looking for some suggestions/comments.
From the LQ FAQ: Security references, post #3 "Viruses on Linux/GNU, Antivirus software":
"Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding to inject malicious code, and of those only Sendmail and OpenSSH were at main servers, the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noted soon, the real problem is you I. have to have the knowledge to read code, and II. the discipline to read the code each time and question any diffs or III. have minimal "protection" in place to cope with like rogue compiled apps "phoning home". Which in essence means to end users any SW provided w/o means to verify integrity of the code and the package should be treated with care, instead of accepting it w/o questioning.
As for the "virus" thingie I wish we, as a Linux community, try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits.
Basic measures should be:
- Using (demanding) source verification through GPG or minimally md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification: save those databases off-site, also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux, tips from Astaro,
- Patch kernel to protect looking at/writing to crucial /proc and /dev entries and/or use ACLs (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.
*If you're still not satisfied you've covered it all you could arm yourself with knowledge on forensics stuff like UML, chrooting, disassembly and honeypots.
If you want to find Antivirus software, Google the net for Central Command, Sophos, McAfee, Kaspersky, H+BEDV, Trend Micro, Frisk, RAV, Clam, Amavis, SpamAssassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is as good as its signatures/heuristics. Some vendors don't update their Linux sig DBs very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): McAfee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels though.
Links to check out:
LAVP/Mini-FAQ Linux/Unix AV SW (list of AV vendors),