- 10-04-2012 #1 Just Joined!
- Join Date
- Oct 2012
- Posts
- 1
Hacked CentOS 5 server - possible rootkit installed?
I am running CentOS 5.3 and here is the result of "chkrootkit":
Code:
Possible t0rn v8 \(or variation\) rootkit installed
Warning: Possible Showtee Rootkit installed
/usr/include/file.h /usr/include/proc.h
Warning: `//root/.mysql_history' file size is zero
INFECTED (PORTS: 465)
You have 61 process hidden for readdir command
You have 62 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3040 tty2 /sbin/mingetty tty2
! root 3041 tty3 /sbin/mingetty tty3
! root 3042 tty4 /sbin/mingetty tty4
! root 3043 tty5 /sbin/mingetty tty5
! root 3046 tty6 /sbin/mingetty tty6
I don't understand what the warnings mean.
Is the server infected or in danger?
- 10-04-2012 #2
It certainly looks like it. If it were my server I'd take absolutely no risks. I'd offline the server, wipe it, reinstall and restore my data from backups. I also wouldn't connect the new server to the internet until I'd taken basic security measures to prevent this happening again.
Linux user #126863 - see http://linuxcounter.net/
- 10-04-2012 #3 Linux Enthusiast
- Join Date
- Apr 2012
- Location
- Virginia, USA
- Posts
- 561
Google says these may be false alarms. Check with another root kit detector if you don't trust those findings.
- 10-05-2012 #4 Just Joined!
- Join Date
- Aug 2009
- Posts
- 79
Then you're behind the times. CentOS is at 5.8 now. If you didn't know that then I wonder if there's more software on the machine that hasn't been updated or which other security best practices you didn't know about.
Have you actually checked if the /usr/include/file.h and /usr/include/proc.h files exist and what their contents are?
Is that file supposed to be empty?
Have you checked what process is using that port?
Code:
lsof -Pwln -i :465
#or fuser -vn tcp 465
#or even worse netstat -antulpe|grep 465
Are you running a shared host or virtualization guest?
This may be a false positive. See the Chkrootkit FAQ.
Have you had any other or has this machine been cracked before? Is there anything else "odd" about this server's behavior? Is there anything else you should have mentioned?
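Post #4's questions are a checklist, so here is a read-only triage script that walks through them in one go. It is an added example written for this page, not code from chkrootkit or from anyone in the thread: the three paths and port 465 are taken from the chkrootkit output in post #1, the function names are my own, and it assumes an RPM-based host with at least one of lsof, ss or netstat installed. It reports and changes nothing.

```shell
#!/bin/sh
# Added triage helper for the checklist in post #4 (not from chkrootkit or the
# thread). Read-only: it reports, it changes nothing on the host.
# Paths and the port come from the chkrootkit output above; the function names
# are my own. Run as root on the suspect machine:  sh triage.sh --live

# classify_path ROOT PATH -> prints absent | empty | present
# ROOT is / on the live host, or a scratch directory when exercising the script.
classify_path() {
    f="${1%/}/${2#/}"
    if [ ! -e "$f" ]; then
        echo absent
    elif [ ! -s "$f" ]; then
        echo empty            # exists but is zero bytes, like .mysql_history above
    else
        echo present
    fi
}

# describe_path PATH: owner, size, mtime and, on RPM systems, which package (if
# any) claims the file. A header under /usr/include that no package owns
# deserves a closer look than one rpm accounts for.
describe_path() {
    ls -l "$1" 2>/dev/null
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>&1 | sed 's/^/  rpm: /'
    fi
}

# port_listener PORT: which process has the flagged port open, using whichever
# tool is installed (the commands post #4 suggests, plus ss on newer systems).
port_listener() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -Pwln -i ":$1"
    elif command -v ss >/dev/null 2>&1; then
        ss -lntup | grep -E ":$1[[:space:]]"
    else
        netstat -antulpe | grep -E ":$1[[:space:]]"
    fi
}

# hidden_pids PROC_LIST PS_LIST: PIDs present in the first file but missing from
# the second. This is the chkproc idea: a process that /proc shows but ps does
# not may be hidden by a kernel module or by a trojaned ps binary.
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    sort -u "$1" >"$a"
    sort -u "$2" >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# live_hidden_process_check: snapshot /proc and ps, then diff them. Processes
# that exit between the two snapshots add a PID or two of noise, so run it a few
# times and look for a stable, large difference (the thread shows 61 and 62).
live_hidden_process_check() {
    p=$(mktemp); q=$(mktemp)
    ls /proc | grep -E '^[0-9]+$' >"$p"
    ps -eo pid= | tr -d ' ' >"$q"
    hidden_pids "$p" "$q"
    rm -f "$p" "$q"
}

main() {
    for path in /usr/include/file.h /usr/include/proc.h /root/.mysql_history; do
        echo "$path: $(classify_path / "$path")"
        [ -e "$path" ] && describe_path "$path"
    done
    echo "--- listener on port 465 ---"
    port_listener 465
    echo "--- PIDs in /proc but not in ps ---"
    live_hidden_process_check
}

if [ "${1:-}" = "--live" ]; then
    main
fi
```

The ROOT argument to classify_path exists so the script can be exercised against a scratch directory before it is trusted on the real box; on the live host every check uses /. If the hidden-process difference stays large across several runs, or a header under /usr/include is owned by no package, that supports post #2's advice to treat the machine as compromised rather than the false-positive reading in post #3.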

