#11 - 04-20-2005 - Linux Engineer (Join Date: Mar 2005, Location: Where my hat is, Posts: 765)

Can't take it off line? Very irresponsible.
There are no guarantees that your system is clean, even after running packaged programs that supposedly clean your PC.
As Flatline already stated earlier in this thread, the ONLY way you will know you have a clean installation is to repartition, reformat, and reinstall the system. Period. To do anything else is just plain, well, for lack of a better word, stupid.

Registered Linux user #384279
Vector Linux SOHO 6 / Vector Linux 7 RC 3.4
#12 - 04-20-2005 - Just Joined! (Join Date: Feb 2004, Location: Indonesia, Posts: 84)

take it easy retired1af, this server I manage is running some small web hosting,
of course I can't take it offline for a while (I'd only get angrier customers),
but I found that the suckit rootkit binary on mine is under
/usr/X11R6/bin/.httpd/
hey, I found it after doing
#locate sniffer
/usr/X11R6/bin/.httpd/.sniffer
you may try this link I found: http://hepwww.rl.ac.uk/sysman/april2...dentReport.ppt
because Google is very kind, you may try this HTML page
http://64.233.183.104/search?q=cache...ient=firefox-a
or just type "remove suckit rootkit" in the query
thanks for your support
#13 - 04-20-2005 - Linux Engineer (Join Date: Mar 2005, Location: Where my hat is, Posts: 765)

How do you know that the kit isn't the only thing on there? Blunt answer. You don't. Your system has been compromised. And I guarantee your customers will be far more upset and angry if they knew you were running a compromised box.

Registered Linux user #384279
Vector Linux SOHO 6 / Vector Linux 7 RC 3.4
#14 - 04-21-2005 - Linux User (Join Date: Feb 2005, Posts: 290)

save your time and do the 3R instead of searching around for a solution,
use a new root password after you've reinstalled your system,
remember to update your system frequently with the latest patches from the distro vendor,
stop using the root account with plaintext protocols like telnet, pop3, smtp, etc...,
firewall your box properly,
and disable those unnecessary services to minimize the chances of being hacked.
good luck
#15 - 04-24-2005 - Linux Newbie (Join Date: Nov 2004, Posts: 239)

How would you tell if you have been infected by such a rootkit?
#16 - 05-07-2005

you can use a program called chkrootkit, you can get it here
Originally Posted by dark_lord_kodd
http://freshmeat.net/redir/chkrootki...rootkit.tar.gz
it checks your binaries for rootkit modifications
http://web01.slackhost.net/~admin74/...chkrootkit.png
and then checks for the existence of any worms or rootkits
http://web01.slackhost.net/~admin74/...hkrootkit1.png
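Two of the checks this thread talks about, written out as an added example (not code from any poster or from chkrootkit): a scan for hidden dot-entries inside system binary directories, which is the /usr/X11R6/bin/.httpd/.sniffer pattern found in post #12, and a comparison of binaries against a baseline checksum manifest, which is the spirit of chkrootkit's "binaries modified?" check. The directory layout, manifest file and tampered "ls" are constructed in a temporary directory; in real use the manifest and the tools running the check must come from trusted media, since a rooted box's own ls, find, locate and sha256sum may lie.

```shell
#!/bin/sh
# Example added for this thread (not from any poster). Two defender checks:
# 1) hidden dot-entries directly under system bin dirs, as the .httpd/.sniffer
#    find above; 2) binaries compared against a baseline checksum manifest.
# The manifest must come from trusted media; a compromised host's own tools may lie.

# find_hidden_in_bindirs DIR...: print dot-prefixed entries up to two levels
# deep inside each directory. Real bin directories normally contain none.
find_hidden_in_bindirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -maxdepth 2 -name '.*' 2>/dev/null
    done
}

# verify_manifest FILE: FILE holds sha256sum output ("<hash>  <path>").
# Prints MISSING/MODIFIED lines and returns 1 if anything differs.
verify_manifest() {
    status=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$1"
    return "$status"
}

# demo_scan: constructed sample tree (assumed layout mirroring the thread's
# /usr/X11R6/bin/.httpd/.sniffer), baseline taken, then "ls" tampered with.
# Prints both checks' output; returns 0 only if both flag what they should.
demo_scan() {
    root=$(mktemp -d)
    bin="$root/usr/X11R6/bin"
    mkdir -p "$bin/.httpd"
    printf 'legit ls binary\n' > "$bin/ls"
    printf 'fake sniffer\n' > "$bin/.httpd/.sniffer"
    sha256sum "$bin/ls" > "$root/manifest"   # baseline while still clean
    printf 'trojaned ls\n' > "$bin/ls"        # simulate a replaced binary
    hidden=$(find_hidden_in_bindirs "$bin")
    modified=$(verify_manifest "$root/manifest" || true)
    rm -rf "$root"
    printf '%s\n' "$hidden" "$modified"
    case "$hidden" in *.httpd/.sniffer*) ;; *) return 1 ;; esac
    case "$modified" in *MODIFIED*) return 0 ;; *) return 1 ;; esac
}
```

On a live system you would call find_hidden_in_bindirs on /bin, /sbin, /usr/bin, /usr/sbin and the like, and verify_manifest with a manifest generated from the distribution's original packages rather than from the suspect host.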
#17 - 05-10-2005 - Just Joined! (Join Date: May 2005, Posts: 42)

Rootkit Hunter is another good one.
http://www.rootkit.nl/projects/rootkit_hunter.htm
Detection List:
55808 Trojan - Variant A
ADM W0rm
AjaKit
aPa Kit
Apache Worm
Ambient (ark) Rootkit
Balaur Rootkit
BeastKit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Danny-Boy's Abuse Kit
Devil RootKit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
****`it Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit / LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (RootKit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe's rootkit
RSHA's rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
Suckit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal RootKit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit
and... some known/unknown sniffers, backdoors like:
Anti Anti-sniffer
LuCe LKM
THC Backdoor
#18 - 01-19-2010 - Just Joined! (Join Date: Jan 2010, Posts: 1)

good info, thanks!