  1. #1
    Just Joined!
    Join Date
    Apr 2013
    Posts
    2

    Rootkit Detection and Removal


    Good morning,

    My server was running very poorly for a couple of days with mysqld chewing up lots of resources. Then last night it really started to grind, and I was having a hard time even getting commands to run in the console. Top showed 98.7% CPU usage and tons of apache threads. My first thought was 'hacked', so I started running rkhunter, chkrootkit, and clam. All of those checks came back with multiple positives. I started trying to remove the infections and quickly realized that I'm in over my head with this one. Please allow me to say thanks in advance for any assistance with this, and if I need to provide any additional information.

    Here are my versions:
    Code:
    CentOS release 5.8 (Final)
    Rootkit Hunter 1.4.0
    chkrootkit version 0.49
    ClamAV 0.97.7/17028/Wed Apr 17 04:35:04 2013
    I'm getting an error trying to post my rkhunter -c log:

    Code:
    You are only allowed to post URLs to other sites after you have made 15 posts or more.

  2. #2
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,558
    The scan indicates a number of key system executables that have write permissions enabled for all users. These are the vectors that are the likely means for the noted rootkits to possibly infect the system. The only one that really seems to be real is the SHV5 kit, at least from my quick visual scan of your log file. The other issues are the noted hidden files. These are not normal ones. That said, I'm not sure how to remove the rootkit(s) mentioned, other than taking the system offline, removing and reinstalling the infected or questionable files, and removing the hidden files if they are not supposed to be on the system.

    So, first shut down Apache (and Tomcat, et al), take the system offline (physically disconnect from the network and connect directly with a terminal or console). Then, terminate all running programs that are not necessary - get to a bare-bones system. Next remove user write permissions from the files so noted in the log and reinstall all the executables that have been shown to be replaced with scripts. You may need to get these modules from an installation or live CD/DVD drive.

    After thinking more about all this, it may be easier to take the system offline as mentioned above, back up your Apache and other necessary data, wipe the system clean, and reinstall from known good media. Then, before restoring your backed-up data, scan it for viruses, especially verifying that your web pages have not been modified by outside sources.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
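
The two findings described in reply #2 (system executables writable by all users, and executables replaced with scripts) can be checked from rescue media with a short script. This is an added example, not part of the original thread; the command list, the directory list and the mount point are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check core commands under a mounted
# root for world-writable permissions and for binaries replaced by scripts.
# Assumption: run from rescue/live media with the suspect filesystem mounted
# at the path given as $1, since tools on the affected host are untrusted.

# Hypothetical, illustrative lists; extend to match the scanner's findings.
CORE_CMDS="ls ps netstat find top login"
BIN_DIRS="bin sbin usr/bin usr/sbin"

# True if FILE begins with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# True if FILE is a regular file with the "other" write bit set.
is_world_writable() {
    [ -n "$(find "$1" -type f -perm -0002 2>/dev/null)" ]
}

# Print one finding per line: WORLD_WRITABLE, NOT_ELF or SYMLINK, then the path.
audit_bins() {
    root=${1:-/}
    for dir in $BIN_DIRS; do
        for cmd in $CORE_CMDS; do
            f="${root%/}/$dir/$cmd"
            # A symlink's target may point outside the mounted root; review by hand.
            if [ -L "$f" ]; then echo "SYMLINK $f"; continue; fi
            [ -f "$f" ] || continue
            if is_world_writable "$f"; then echo "WORLD_WRITABLE $f"; fi
            if ! is_elf "$f"; then echo "NOT_ELF $f"; fi
        done
    done
}

# Run only when a root path is supplied, e.g.: sh audit.sh /mnt/sysimage
if [ "$#" -gt 0 ]; then audit_bins "$1"; fi
```

Files it reports are candidates for the permission fix and reinstall described in the reply. On CentOS, `rpm -Vf FILE` additionally compares a file against the metadata of the package that owns it.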

  3. #3
    Just Joined!
    Join Date
    Apr 2013
    Posts
    2
    I've tried my best to get this thing cleaned up, but no luck. Since I'm going to be moving to a newer server in the next couple of weeks, the verdict is to make backups and restore them to the new box.

    Thanks for the help!
