I have root kit

**baysidelinux** · 05-17-2005

Hello,
I have a question about a rootkit, actually the one my friends business has. For certain reasons he does not want to reinstall the software, and he was dumb and didnt have a backup. He lives 200 miles away and I set up the server for him a long time ago. He does not know much about Linux the box just sits there and does what he needs. IF any changes need to be made I SSH into it and do whatever. Since I cant get access to the machine, I need to take care of this the hard way.

I know he has a rootkit, because he has some tools like 'ls' that are working strangly, and the root password changed on its own. How can I find what tools have been corrupted? Also how can I find the rootkit source code? Is there a certain directory it is stored in? of will a find or grep command beable to find it with certain key words? he has taken it off line and I can SSH to it from a different machine on his network. I will be going there in about 6 weeks to run a root kit detection tool on it, but I want to check and see the extent of the damage and to learn for myself more about root kits.

Please help however you can.
Thanks,
Art

**retired1af** · 05-17-2005

Hopefully he's taken the machine off line and will not put it back on line until it's fixed.

There's no sure fire way of knowing that you've cleaned up the machine. The only way to ensure that you have a clean machine is to wipe out the partitions, format the drives and reinstall the OS.

**Krendoshazin** · 05-18-2005

you can use a program called chkrootkit, you can get it here
http://freshmeat.net/redir/chkrootki...rootkit.tar.gz

it checks your binaries for rootkit modifications
http://web01.slackhost.net/~admin74/...chkrootkit.png
and then checks for the existance of any worms or rootkits
http://web01.slackhost.net/~admin74/...hkrootkit1.png

with that you can find out exactly what it is you have and act accordingly, it's also usefull to have for being proactive about security

**kamtono** · 05-18-2005

this happened to me 1 months ago and this forum give some good information, but if you infected by suckit rootkit i have a link that maybe you can try it

http://www.soohrt.org/stuff/linux/suckit use rkhunter and combine it with chkrootkit, download the latest version.

similiar symtomps like ls, ps, netstat, pstree, find, locate is compromised binary

hope this help

**gwalters** · 05-18-2005

maybe for the gentoo users among us you could run (in a chroot) emerge world a few times and recompile everything.

Thread Tools

Display

I have root kit

Posting Permissions