- 12-22-2007 #1 (Join Date: Dec 2007)
Rootkit detection - hidden processes
We have reason to believe an online server we have has been compromised and a rootkit installed. When we run chkproc from chkrootkit we get:
# ./chkproc -v
PID 1105(/proc/1105): not in getpriority readdir output
PID 1116(/proc/1116): not in getpriority readdir output
You have 2 process hidden for readdir command
How do we go about finding out more about these hidden processes, and removing them?
Any advice welcome.
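The chkproc output above comes from a cross-check: every PID up to pid_max is probed with getpriority(), which succeeds for any live task, and the survivors are compared against what readdir() of /proc reports. A rootkit that filters the directory listing leaves a gap between the two. The script below is an added illustration of that technique, written for this thread in Python 3 on Linux; it is not chkrootkit's code. It also handles the best-known false positive: kernel threads of a multithreaded process answer getpriority() but are never listed by readdir(/proc), so a mismatch is only reported when /proc/<pid>/status does not identify the id as a thread (Tgid differs from the id). The function names and the 4096 limit used in the test are this example's own choices.

```python
import os

PROC = "/proc"


def pid_exists_via_getpriority(pid):
    """Probe a PID the way chkproc does: getpriority(PRIO_PROCESS, pid)
    succeeds for any live task (process or thread) and raises
    ProcessLookupError (ESRCH) for an id that does not exist."""
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except ProcessLookupError:
        return False


def readdir_pids():
    """PIDs that a plain directory listing of /proc reveals."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def thread_group_id(pid):
    """Return Tgid from /proc/<pid>/status, or None if it is unreadable.
    A thread's Tgid is its parent process id, so Tgid != pid means the id
    is a thread, not a hidden process (a classic chkproc false positive).
    Note: with /proc mounted hidepid=2 an unprivileged user cannot read
    other users' status files, so None is ambiguous and stays reported."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden_pids(max_pid=None):
    """PIDs that are alive per getpriority() but absent from readdir(/proc)
    and not explainable as threads. Defaults to the kernel's pid_max."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    visible = readdir_pids()
    candidates = [pid for pid in range(1, max_pid + 1)
                  if pid not in visible and pid_exists_via_getpriority(pid)]
    # Second snapshot: a process that started or exited between the listing
    # and the probe loop would otherwise show up as a spurious mismatch.
    visible = readdir_pids()
    hidden = []
    for pid in candidates:
        if pid in visible or not pid_exists_via_getpriority(pid):
            continue  # appeared in readdir or exited meanwhile
        tgid = thread_group_id(pid)
        if tgid is not None and tgid != pid:
            continue  # a thread of process tgid, not a hidden process
        hidden.append(pid)
    return hidden


if __name__ == "__main__":
    for pid in find_hidden_pids():
        print(f"PID {pid}({PROC}/{pid}): not in getpriority readdir output")
```

Run it as root so that every /proc/<pid>/status is readable; on a clean system it prints nothing. A positive hit still deserves a second opinion from a tool that does not trust the running kernel at all (the live-CD approach in the reply below), since a kernel-level rootkit can lie to getpriority() just as easily as to readdir().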
- 12-31-2007 #2
Use lsof to track processes and what they're doing with files on the system. That may prove to be interesting.
As for the possibly compromised box:
You can run chkrootkit and rkhunter (preferably from a live cd, since your box is suspect) to look for traces of a rootkit. Unfortunately, it is not possible to positively prove that a rootkit is gone once it has been installed. Your best option is to reformat and reinstall the OS, period.
For "at risk" boxes like this you should be running a HIDS (e.g. aide) so that you're immediately aware when something strange occurs with binaries, libraries, etc. on your system.
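To make the HIDS recommendation concrete, here is an added example (written for this thread, not aide's own code) of the core of what such a tool does: record a baseline of hashes, permissions and ownership for a set of directories, then compare a fresh scan against it and report added, removed and changed entries. Modification times are deliberately left out of the fingerprint because they are trivially reset; the content hash and metadata are what matter. Paths, function names and the temporary-directory demo are this example's own; in real use the baseline would be written to read-only or offline storage, as the reply suggests, since a baseline kept on the suspect box can be edited along with the binaries it describes.

```python
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Permissions, ownership, size and (for regular files) SHA-256.
    Symlink targets are recorded instead of hashed. mtime is omitted on
    purpose: an attacker can restore it after replacing a binary."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(roots):
    """Fingerprint every file, directory and symlink under the given roots."""
    baseline = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in filenames + dirnames:
                path = os.path.join(dirpath, name)
                try:
                    baseline[path] = _fingerprint(path)
                except OSError:
                    continue  # vanished mid-walk or unreadable; skip
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report paths that appeared, disappeared or whose fingerprint differs."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo_roundtrip():
    """Constructed demo: baseline a temp dir, then tamper with it.
    Returns the report plus the paths touched so a caller can check it."""
    root = tempfile.mkdtemp()
    tool = os.path.join(root, "sbin_tool")
    with open(tool, "w") as fh:
        fh.write("original binary\n")
    baseline_file = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline([root]), baseline_file)
    # Simulate a trojaned binary and a dropped file.
    with open(tool, "w") as fh:
        fh.write("replaced binary\n")
    dropped = os.path.join(root, "dropped")
    with open(dropped, "w") as fh:
        fh.write("x\n")
    report = compare(load_baseline(baseline_file), build_baseline([root]))
    return {"report": report, "tool": tool, "dropped": dropped}


if __name__ == "__main__":
    print(json.dumps(demo_roundtrip()["report"], indent=2))
```

For a real deployment the roots would be directories such as /bin, /sbin, /usr/bin, /usr/sbin, /lib and /etc, the scan would run from cron, and any non-empty report would page someone.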