LinuxQuestions.org

Debian: Server is infected with rootkit or something (https://www.linuxquestions.org/questions/debian-26/server-is-infected-with-rootkit-or-something-908006/)

rewesh 10-13-2011 01:51 PM

Server is infected with rootkit or something
 
My system is infected with a rootkit or something, and I am trying to find the source of the infection but I cannot. I thought doing an upgrade from Etch to Lenny would help; however, the process is halted by an error upgrading MySQL, which I do not want to update for the moment. I found this bot file (attached) in the tmp folder. I had to add .txt so I could attach it.
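
The poster found the bot script in /tmp by hand. A first-pass triage script for that situation, added here as an example (it is not the poster's file or anything from the thread): it lists files under a directory that both open a socket and speak IRC, shows running processes started from that directory or whose binary has since been deleted, and preserves a suspect file with its hash and metadata before anything is cleaned up. The sample tree it builds is constructed lookalike data; the paths and the `hash_file`, `find_irc_bot_scripts`, `procs_running_from` and `preserve_sample` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage for a Perl IRC bot
# dropped in a world-writable directory such as /tmp. The sample files it
# creates are constructed lookalikes for the scanner, not the poster's file.

# Print the SHA-256 of a file with whichever tool the system provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# find_irc_bot_scripts DIR
#   Lists text files under DIR that open a socket and speak IRC (NICK/JOIN/
#   PRIVMSG): two traits a Perl shellbot cannot do without. Hidden files
#   such as ".x.pl" are included because grep -r descends into them.
find_irc_bot_scripts() {
    grep -rlIE 'IO::Socket|socket\(' "$1" 2>/dev/null |
    while IFS= read -r f; do
        grep -qE 'NICK |JOIN |PRIVMSG ' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# procs_running_from DIR
#   Running processes whose executable lives under DIR, or whose binary was
#   deleted after launch (a bot that unlinks its own dropper still shows up).
#   Needs root to see other users' processes; unreadable entries are skipped.
procs_running_from() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            "$1"/*|*' (deleted)') printf '%s %s\n' "${exe%/exe}" "$target" ;;
        esac
    done
    return 0
}

# preserve_sample FILE OUTDIR
#   Copy a suspect file with timestamps intact and record its metadata and
#   hash, so the evidence survives a cleanup and can be matched against a
#   scanner verdict later.
preserve_sample() {
    f="$1"; out="$2"
    mkdir -p "$out"
    cp -p "$f" "$out/"
    {
        stat "$f"
        printf 'sha256 %s\n' "$(hash_file "$f")"
    } > "$out/$(basename "$f").meta"
}

# make_sample_tree DIR
#   Constructed test data: one file with the bot traits, one without.
make_sample_tree() {
    mkdir -p "$1"
    cat > "$1/.x.pl" <<'EOF'
#!/usr/bin/perl
# constructed lookalike for the scanner above; it is never executed
use IO::Socket;
my $sock = IO::Socket::INET->new(PeerAddr => "irc.example.invalid", PeerPort => 6667);
print $sock "NICK [x]\r\nUSER x 8 * :x\r\n";
print $sock "JOIN #x\r\n";
EOF
    printf 'just a text file\n' > "$1/notes.txt"
}

# Stand-alone demo on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo/tmp"
find_irc_bot_scripts "$demo/tmp"
procs_running_from /tmp
rm -rf "$demo"
```

Run it from a rescue environment rather than the live system where possible: on a box with a kernel-level rootkit, `/proc` and `grep` on the compromised host may themselves be lying, which is why the thread's advice to work on a disk copy comes first.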

craigevil 10-13-2011 02:10 PM

Did you run rkhunter and/or chkrootkit?

If there is a rootkit upgrading isn't going to get rid of it.

If you are still running Etch, it is not really surprising that it has a rootkit, since support for it stopped in Feb.

rewesh 10-13-2011 02:12 PM

Yes, I ran both of them and they detect nothing. I am running a mixed system now, Etch + Lenny.

Hungry ghost 10-13-2011 02:14 PM

Since it's a security issue, I would suggest you report your own post and ask a moderator to move it to the Security section of the forum (you'll probably find more help with this specific problem there). After you've got help from the folks in the Security section, you will probably want to install something newer, like Debian Squeeze (with new passwords, of course). Debian Lenny is still too old, and this could pose a security risk.

Regards.

Dutch Master 10-13-2011 03:27 PM

First thing you do is pull the plug. Not shutdown or power down, just pull the plug! Remove the hard drive(s), then use a separate machine (no network connectivity!) and a live CD to create a copy of the disk. Work on the copy to find a cure; once you have found it, you can clean out the original disk(s). Make sure any data you rescue from the infected drive(s) is thoroughly checked by the updated rootkit scanner available from the rescue CD.

Anyway, your security system is compromised, so you'd really need to rethink your strategy on that and find the source of the infection to make sure it'll never happen again. The most common cause is ignorant users or compromised updates. As said, Lenny is quite old, so you really must upgrade to Squeeze now.

I also concur with having the post moved to the Security area of LQ, with much better experts than I'll ever be ;)
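
The procedure above (pull the plug, remove the drive, image it from a live CD on an offline machine, work only on the copy) is easy to get subtly wrong: an image that was never verified against the source is not evidence, and a read error handled badly shifts every later offset. The following is an added example of how one would do the imaging step from a live CD; it is not code from the thread or from any Debian tool. The device path and log location are placeholders, and `hash_file` and `image_disk` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): image a suspect disk from a live CD and
# verify the copy before touching it. Device paths below are placeholders.

# Print the SHA-256 of a file or block device, using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SRC DST LOG
#   Copies SRC (a block device such as /dev/sdb, or a file) to DST sector by
#   sector. bs=512 so that a read error (conv=noerror) zero-fills only the bad
#   sector (conv=sync) and every later offset stays aligned; a larger block
#   size would zero-fill good data around a bad sector. A file source must be
#   a multiple of 512 bytes or sync will pad it and the hashes will differ.
#   Both hashes are appended to LOG, and the function fails if they differ so
#   a bad copy is never analysed as if it were the disk.
image_disk() {
    src="$1"; dst="$2"; log="$3"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    {
        printf 'date   %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source %s %s\n' "$src_hash" "$src"
        printf 'image  %s %s\n' "$dst_hash" "$dst"
    } >> "$log"
    [ "$src_hash" = "$dst_hash" ]
}

# Stand-alone demo on a constructed 1 MiB "disk" (no real device needed).
# On a real case: image_disk /dev/sdb /mnt/evidence/sdb.img /mnt/evidence/hashes.log
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/disk.raw" bs=512 count=2048 2>/dev/null
if image_disk "$demo_dir/disk.raw" "$demo_dir/disk.img" "$demo_dir/hashes.log"; then
    echo "image verified: $(hash_file "$demo_dir/disk.img")"
else
    echo "hash mismatch, do not use this image" >&2
fi
rm -rf "$demo_dir"
```

A hash mismatch on a healthy disk usually means the source changed during the copy, which is exactly what happens if the suspect disk was mounted read-write on the analysis machine; keep it unmounted until the image is verified. Mount the copy read-only and without execution rights (`mount -o loop,ro,noexec,nosuid,nodev`, with `offset=` for a partition inside a whole-disk image) and point the scanner at that tree, for instance chkrootkit's `-r` option, rather than at the live root of the imaging machine.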

ring0 10-14-2011 04:57 AM

I scanned the file with the Avast online scanner http://onlinescan.avast.com/ and it reports it as Perl:Shellbot-T [Trj]. After googling I found this http://www.anchiva.com/virus/view.as...erl.Shellbot.a; it is an IRC bot.

TobiSGD 10-14-2011 06:17 AM

Duplicate of http://www.linuxquestions.org/questi...ething-908008/

unSpawn 10-14-2011 10:32 AM

This thread is being closed because it is a duplicate. Please continue here: http://www.linuxquestions.org/questi...ething-908008/.
