Hi Folks,
Had a couple of problems with one of my leased web/mail servers, including mail was having trouble and it was reporting disk full (when a df showed it wasn't). I did a chkrootkit and got this:

Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Checking `pstree'... INFECTED
Checking `top'... INFECTED
Possible t0rn v8 (or variation) rootkit installed
The following suspicious files and directories were found:
/lib/init/rw/.ramfs
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
You have 27 process hidden for readdir command
You have 36 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

This sounds like rather a lot of hidden processes for it to be a false positive :-( Any advice on how to proceed would be really useful, as I have not dealt with this before (help!)

Many Thanks

Sorry - meant to say, this is a debian 5.0.1 kernel 2.6.8-3-686 ... |
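For readers wondering what the "N process hidden for readdir / ps command" lines above actually measure: chkrootkit's chkproc test compares several views of the process table and reports PIDs that one view omits. The script below is an added example written for this thread, not code from chkrootkit or from the original poster. It collects three views (a readdir() of /proc, the output of ps, and a direct probe of /proc/<n>/stat for every candidate PID, which bypasses a hook that only filters directory listings) and reports the discrepancies. It assumes a Linux host with /proc mounted and ps on PATH; all function names and the sample PID sets are constructed for illustration.

```python
"""Cross-view check for hidden processes, in the spirit of chkrootkit's chkproc test.

Added example, not chkrootkit's code. Assumptions: Linux with /proc mounted, the
`ps` binary on PATH, and root privileges for a complete picture. Function names
here (pids_from_readdir, pids_from_probe, hidden_processes, ...) are our own.
"""
import os
import re
import subprocess

PID_NAME = re.compile(r"^[0-9]+$")


def pids_from_readdir(proc_root="/proc"):
    """PIDs that readdir() on /proc is willing to show (the view an LKM usually filters)."""
    return {int(name) for name in os.listdir(proc_root) if PID_NAME.match(name)}


def pids_from_ps():
    """PIDs reported by ps. A trojaned ps binary is a second, independent place to hide them."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_from_probe(max_pid, proc_root="/proc"):
    """PIDs found by opening /proc/<n>/stat directly for every n up to max_pid.

    A direct lookup does not go through readdir(), so a hook that only filters
    directory listings still answers for the hidden PID. Slow for a large
    pid_max, but thorough.
    """
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(os.path.join(proc_root, str(pid), "stat")) as fh:
                fh.read(1)
            found.add(pid)
        except OSError:
            pass
    return found


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound for the probe; falls back to the classic 32768 if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def hidden_processes(probe, readdir, ps):
    """Pure comparison of the three views: anything the probe found that a listing omits.

    Processes that exit between two views produce one-off noise; a PID that stays
    hidden across repeated runs is the signal, which is what chkrootkit reports as
    'N process hidden for readdir/ps command'.
    """
    return {
        "hidden_from_readdir": sorted(probe - readdir),
        "hidden_from_ps": sorted(probe - ps),
    }


# Constructed sample views (not captured from a real host) to show the comparison
# offline: PIDs 40 and 41 answer a direct lookup but one listing or both omit them.
SAMPLE_PROBE = {1, 2, 17, 40, 41, 42}
SAMPLE_READDIR = {1, 2, 17, 42}
SAMPLE_PS = {1, 2, 17, 41, 42}


def demo():
    """Run the comparison on the constructed sample; returns the report dict."""
    return hidden_processes(SAMPLE_PROBE, SAMPLE_READDIR, SAMPLE_PS)


def run_live(max_pid=None):
    """Collect all three views from the running system and compare them."""
    max_pid = max_pid or read_pid_max()
    readdir_view = pids_from_readdir()
    ps_view = pids_from_ps()
    probe_view = pids_from_probe(max_pid)
    return hidden_processes(probe_view, readdir_view, ps_view)


if __name__ == "__main__":
    print("sample:", demo())
    print("live:  ", run_live())
```

Run it as root, since a /proc mounted with the hidepid option legitimately hides other users' processes from an unprivileged account and would look like a discrepancy. A couple of stray PIDs that differ between runs are processes starting or exiting mid-scan; dozens of PIDs that stay hidden on every run, as in the output quoted above, are not scan noise. As the later replies in this thread note, a result like that is a reason to rebuild from known-good media and to review how the machine was entered, not something to clean in place.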
Got my host to do clean reinstall to new drive and copied all my data/config files over - luckily the drive had lots of errors so they did that no charge.
Thanks for listening |
I'm no security expert, but I wouldn't trust data/config files from the infected drive.
|
Before the re-install did anybody bother to try and figure out how they got in in the first place? If not, it could very well be that the same hole is open, just waiting for the same people to exploit it again. Do you have any plan in place to look for trouble?
|