LinuxQuestions.org
Old 01-03-2007, 07:21 PM   #1
I_AM
Member
 
Registered: Mar 2005
Posts: 103

Rep: Reputation: 15
hacked


See screen shot. How do I correct this without having to go through the whole o/s reload and headaches?

http://img518.imageshack.us/img518/1445/vps1am4.gif
http://img466.imageshack.us/img466/7623/vps2ea0.gif

I have a VPS with Interworx panel. The above is rkhunter results. Chkrootkit showed nothing.
 
Old 01-03-2007, 07:48 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Backup all your data and reinstall. There's no way to get an "untrusted" system back to "trusted" other than reinstalling the OS from scratch. Carefully examine all the data you backed up before restoring it to the new OS. In particular, check for any scripts, binary executables, or any other type of information that could be read through some kind of command interpreter. Once the system is compromised, every piece of information is suspect.
 
Old 01-03-2007, 08:10 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
While I too favour serving up ultimate worst-case scenario steps immediately, I would suggest first finding out how the damage occurred. Have a look at the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.
 
Old 01-05-2007, 05:35 AM   #4
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 928

Rep: Reputation: 343
Quote:
Originally Posted by I_AM
That shows something changed, e.g., something new was installed, stripped, etc. It does not, in itself, mean you're done in.

Since the supposedly affected binaries are of the kernel modules tools, I'd say someone upgraded the module init tools and forgot about it (or stripped them). There are also 3 kills (in coreutils, util-linux, procps) running around the Linux community that I know of right now; depending on what rkhunter is using as its criteria, it may be being confused by this.

The only thing the above shows for sure is you need to look around a bit more.
 
  

