Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 05-28-2010, 02:51 AM   #1
Registered: Feb 2005
Distribution: debian sarge
Posts: 113

Rep: Reputation: 15

Hi Folks,
Had a couple of problems with one of my leased web/mail servers, including mail was having trouble and it was reporting disk full (when a df showed it wasn't). I did a chkrootkit and got this:

Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Checking `pstree'... INFECTED
Checking `top'... INFECTED
Possible t0rn v8 (or variation) rootkit installed
The following suspicious files and directories were found:

Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
You have 27 process hidden for readdir command
You have 36 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

This sounds like rather a lot of hidden processes for it to be a false positive :-(

Any advice on how to proceed would be really useful, as I have not dealt with this before (help!)

Many Thanks

Sorry - meant to say, this is a debian 5.0.1 kernel 2.6.8-3-686 ...

Last edited by unSpawn; 05-28-2010 at 10:14 AM.
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 05-28-2010, 02:27 PM   #2
Registered: Feb 2005
Distribution: debian sarge
Posts: 113

Original Poster
Rep: Reputation: 15
Got my host to do clean reinstall to new drive and copied all my data/config files over - luckily the drive had lots of errors so they did that no charge.

Thanks for listening
Old 05-28-2010, 02:40 PM   #3
LQ Veteran
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,836
Blog Entries: 1

Rep: Reputation: 1249Reputation: 1249Reputation: 1249Reputation: 1249Reputation: 1249Reputation: 1249Reputation: 1249Reputation: 1249Reputation: 1249
I'm no security expert, but I wouldn't trust data/config files from the infected drive.
Old 05-28-2010, 02:45 PM   #4
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Before the re-install did anybody bother to try and figure out how they got in in the first place? If not, it could very well be that the same hole is open, just waiting for the same people to exploit it again. Do you have any plan in place to look for trouble?
2 members found this post helpful.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
RAID1 - fixing a corrupted file system sheepshearer Linux - General 5 10-15-2012 04:43 AM
[SOLVED] Advice on fixing a bug in opensource project. Azazwa Programming 5 06-21-2010 12:50 PM
how to fixing file system errors in solaris?? a.toraby Solaris / OpenSolaris 6 05-26-2007 11:48 PM
Need advice on fixing a broken NTFS XP with a Linux LiveCD brjoon1021 Linux - General 1 05-05-2007 02:50 PM
Fixing File System Error on Debian Box doctorcisco Linux - Software 0 05-21-2004 03:36 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:21 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration