Hi Folks,
Had a couple of problems with one of my leased web/mail servers, including mail having trouble and the server reporting disk full (when a df showed it wasn't). I did a chkrootkit and got this:
Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Checking `pstree'... INFECTED
Checking `top'... INFECTED
Possible t0rn v8 (or variation) rootkit installed
The following suspicious files and directories were found:
/lib/init/rw/.ramfs
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
You have 27 process hidden for readdir command
You have 36 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
This sounds like rather a lot of hidden processes for it to be a false positive :-(
Any advice on how to proceed would be really useful, as I have not dealt with this before (help!)
Many Thanks
Sorry - meant to say, this is a Debian 5.0.1 kernel 2.6.8-3-686 ...
Last edited by unSpawn; 05-28-2010 at 10:14 AM.