  1. #1
    Just Joined!
    Join Date
    Dec 2007
    Posts
    1

    Rootkit detection - hidden processes


    Hi.

    We have reason to believe an online server we have has been compromised and a rootkit installed. When we run chkproc from chkrootkit we get:

    # ./chkproc -v
    PID 1105(/proc/1105): not in getpriority readdir output
    PID 1116(/proc/1116): not in getpriority readdir output
    You have 2 process hidden for readdir command

    How do we go about finding out more about these hidden processes, and removing them?

    Any advice welcome.

    Kind regards,

    Andrew.

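The check chkproc performs is a cross-reference: it walks /proc with readdir and separately probes every PID number with syscalls such as kill(pid, 0) and getpriority(), and a PID that answers the syscalls but is absent from the directory listing is the "not in readdir output" case shown above. The script below is an added example of that comparison written for this thread, not chkrootkit's code; the PID numbers in the usage are constructed, and the /proc/sys/kernel/pid_max path and the PRIO_PROCESS constant are standard Linux names the script relies on.

```python
#!/usr/bin/env python3
"""Cross-check the readdir view of /proc against process-probing syscalls,
in the manner of chkrootkit's chkproc (added example, not chkrootkit's code).
A PID that kill(pid, 0) or getpriority() reports as alive, but which does not
appear when /proc is listed, has been hidden from the directory listing."""
import errno
import os

PROC = "/proc"
PID_MAX_FALLBACK = 32768  # used only if /proc/sys/kernel/pid_max is unreadable


def pid_max():
    """Upper bound of the PID space, so the probe loop covers every possible PID."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def readdir_pids(proc_dir=PROC):
    """PIDs visible in a plain directory listing of /proc (what ps/top rely on)."""
    try:
        return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}
    except OSError:
        return set()


def pid_exists_via_kill(pid):
    """kill(pid, 0) delivers no signal; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def pid_exists_via_getpriority(pid):
    """getpriority() fails with ESRCH only when there is no such process."""
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except OSError as e:
        return e.errno != errno.ESRCH


def probed_pids(limit=None):
    """Every PID in 1..limit that at least one syscall reports as alive."""
    limit = limit or pid_max()
    return {pid for pid in range(1, limit + 1)
            if pid_exists_via_kill(pid) or pid_exists_via_getpriority(pid)}


def hidden_pids(visible, probed):
    """PIDs the syscalls know about that the readdir listing does not show."""
    return sorted(set(probed) - set(visible))


def self_check():
    """Sanity check: the running process must be found by both probes."""
    me = os.getpid()
    return pid_exists_via_kill(me) and pid_exists_via_getpriority(me)


if __name__ == "__main__":
    # Constructed illustration of the comparison logic on fixed sets:
    print(hidden_pids({1, 2, 3}, {1, 2, 3, 1105, 1116}))  # -> [1105, 1116]
    # Live scan of this host; take the readdir snapshot last so that a process
    # that exits between the two views is not reported as hidden.
    probed = probed_pids()
    visible = readdir_pids()
    for pid in hidden_pids(visible, probed):
        print(f"PID {pid}: answers kill/getpriority but is not in readdir output")
```

Short-lived processes that exit between the two snapshots show up as false positives, so a PID worth acting on is one that is reported on two consecutive runs; and on a box that is already suspect, a rootkit hooking the syscalls themselves can lie to this script as easily as it lies to ps, which is why the reply below favours checking from a live CD.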
  2. #2
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Use lsof to track processes and what they're doing with files on the system. That may prove to be interesting.

    As for the possibly compromised box:

    You can run chkrootkit and rkhunter (preferably from a live CD, since your box is suspect) to look for traces of a rootkit. Unfortunately, it is not possible to positively prove that a rootkit is gone once it has been installed. Your best option is to reformat and reinstall the OS, period.

    For "at risk" boxes like this you should be running a HIDS (e.g. aide) so that you're immediately aware when something strange occurs with binaries, libraries, etc. on your system.

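The HIDS idea in the reply above is a baseline-and-compare loop: record a content hash and the security-relevant attributes of every file you care about while the system is known good, store that database somewhere the box cannot alter, and diff a fresh scan against it. The script below is an added example of that loop for this thread, not aide's code or database format; the file tree it builds and tampers with is constructed inside a temporary directory so the example runs offline.

```python
#!/usr/bin/env python3
"""A minimal file-integrity baseline and comparison in the spirit of a HIDS
such as aide (added example, not aide's code or database format).  Every
regular file under a root gets a SHA-256 digest plus mode, owner and size;
a later scan is compared against the stored baseline and the differences
are reported as added, removed and changed paths."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Attributes of one regular file: content hash, permission bits, owner, size."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),  # catches a newly set setuid bit
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Map root-relative path -> file_record for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are skipped in this toy version
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def save_baseline(baseline, dest):
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def compare(old, new):
    """Report paths that appeared, vanished, or whose recorded attributes differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = [k for k in old[path] if old[path][k] != new[path].get(k)]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a tiny fake filesystem, then alter it the
    way a compromise would, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        write_file(os.path.join(root, "bin", "ls"), b"original ls")
        write_file(os.path.join(root, "bin", "ps"), b"original ps")
        write_file(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o755)
        os.chmod(os.path.join(root, "bin", "ps"), 0o755)
        db = os.path.join(store, "baseline.json")  # kept outside the scanned tree
        save_baseline(build_baseline(root), db)

        # Changes to detect: a same-size replacement of ps (only the hash moves),
        # a setuid bit added to ls, a dropped library, and a deleted file.
        write_file(os.path.join(root, "bin", "ps"), b"trojaned ps")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        write_file(os.path.join(root, "lib", "libfoo.so"), b"not really a library")
        os.remove(os.path.join(root, "etc", "passwd"))

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-size replacement of ps is why the record carries a hash rather than just size and mtime, both of which an attacker can set back. As with the rootkit scanners in the reply, the baseline and the scanner only mean something when they are run from a trusted environment (a live CD, with the database on read-only media), because a kernel rootkit on the suspect box can serve clean file contents to the scanner and modified ones to everyone else.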