Find the answer to your Linux question:
Results 1 to 5 of 5
Hello, I have a question about a rootkit, actually the one my friends business has. For certain reasons he does not want to reinstall the software, and he was dumb ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Mar 2005
    Posts
    65

    I have root kit


    Hello,
    I have a question about a rootkit, actually the one my friends business has. For certain reasons he does not want to reinstall the software, and he was dumb and didnt have a backup. He lives 200 miles away and I set up the server for him a long time ago. He does not know much about Linux the box just sits there and does what he needs. IF any changes need to be made I SSH into it and do whatever. Since I cant get access to the machine, I need to take care of this the hard way.

    I know he has a rootkit, because he has some tools like 'ls' that are working strangly, and the root password changed on its own. How can I find what tools have been corrupted? Also how can I find the rootkit source code? Is there a certain directory it is stored in? of will a find or grep command beable to find it with certain key words? he has taken it off line and I can SSH to it from a different machine on his network. I will be going there in about 6 weeks to run a root kit detection tool on it, but I want to check and see the extent of the damage and to learn for myself more about root kits.

    Please help however you can.
    Thanks,
    Art

  2. #2
    Linux Engineer
    Join Date
    Mar 2005
    Location
    Where my hat is
    Posts
    766
    Hopefully he's taken the machine off line and will not put it back on line until it's fixed.

    There's no sure fire way of knowing that you've cleaned up the machine. The only way to ensure that you have a clean machine is to wipe out the partitions, format the drives and reinstall the OS.
    Registered Linux user #384279
    Vector Linux SOHO 7

  3. #3
    Linux User Krendoshazin's Avatar
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    you can use a program called chkrootkit, you can get it here
    http://freshmeat.net/redir/chkrootki...rootkit.tar.gz

    it checks your binaries for rootkit modifications
    http://web01.slackhost.net/~admin74/...chkrootkit.png
    and then checks for the existance of any worms or rootkits
    http://web01.slackhost.net/~admin74/...hkrootkit1.png

    with that you can find out exactly what it is you have and act accordingly, it's also usefull to have for being proactive about security

  4. #4
    Just Joined!
    Join Date
    Feb 2004
    Location
    Indonesia
    Posts
    84
    this happened to me 1 months ago and this forum give some good information, but if you infected by suckit rootkit i have a link that maybe you can try it

    http://www.soohrt.org/stuff/linux/suckit use rkhunter and combine it with chkrootkit, download the latest version.

    similiar symtomps like ls, ps, netstat, pstree, find, locate is compromised binary

    hope this help

  5. #5
    Linux Newbie
    Join Date
    Sep 2003
    Location
    St.Charles, Missouri, USA
    Posts
    201
    maybe for the gentoo users among us you could run (in a chroot) emerge world a few times and recompile everything.
    Powered by Gentoo
    never ever ever use the hardened option in make.conf!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •