Results 1 to 2 of 2
Hi.
We have reason to believe an online server we have has been comprised and a rootkit installed. When we run chkproc from chkrootkit we get:
# ./chkproc -v
PID ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 12-21-2007 #1Just Joined!
- Join Date
- Dec 2007
- Posts
- 1
Rootkit detection - hidden processes
Hi.
We have reason to believe an online server we have has been comprised and a rootkit installed. When we run chkproc from chkrootkit we get:
# ./chkproc -v
PID 1105(/proc/1105): not in getpriority readdir output
PID 1116(/proc/1116): not in getpriority readdir output
You have 2 process hidden for readdir command
How do we go about finding about more about these hidden processes? and removing them.
Any advice welcome.
Kind regards,
Andrew.
- 12-31-2007 #2Linux Guru
- Join Date
- Mar 2005
- Location
- Texas
- Posts
- 1,692
Use lsof to track processes and what they're doing with files on the system. That may prove to be interesting.
As for the possibly compromised box:
You can run chkrootkit and rkhunter (preferably from a live cd, since your box is suspect) to look for traces of a rootkit. Unfortunately, it is not possible to positively prove that a rootkit is gone once it has been installed. Your best option is to reformat and reinstall the OS, period.
For "at risk" boxes like this you should be running a HIDS (e.g. aide) so that you're immediately aware when something strange occurs with binaries, libraries, etc. on your system.
Reply With Quote 
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
