  1. #11
    Linux Guru bigtomrodney
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,127

    All of the postmortems can be helpful, but as long as you realise that's what these are - The server is effectively dead now to you. I wouldn't try getting it back up, just retrieve the data you need to and then format/reinstall. It's rare a box gets hit but once it is it's a write-off.

  2. #12
    Just Joined!
    Join Date
    Jul 2005
    Location
    Inside the Kernel (somewhere)
    Posts
    41
    As reported, the port problem is usually a non-issue.
    The md5sums can or cannot be a non-issue as well. I've run into times when rkhunter reports these as bad, even on my own servers when there are no problems at all. At this point, you want to
    A> make sure that rkhunter is up to date.
    B> check /dev/ for suspicious files. Especially, check out /dev/shm .
    C> Update your OS. Use yum, make sure everything is completely and totally updated.

    Just out of curiosity, is this a CPanel server with /tmp "security"? That can also cause the false alarm for /dev/

  3. #13
    Linux Guru kkubasik
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396
    The md5sums are checking to make sure that someone hasn't replaced /bin/ls with a malicious program. The problem with this is, certain utilities (namely prelink) modify the binary and as a result, the md5sum is off. You can rebuild/reinstall the program, and that should refresh the md5 hash.
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  4. #14
    Linux Engineer
    Join Date
    Mar 2005
    Location
    Where my hat is
    Posts
    766
    Reformat and reinstall. That will be the ONLY way to ensure you are clean.
    Registered Linux user #384279
    Vector Linux SOHO 7

  5. #15
    Just Joined!
    Join Date
    Jul 2005
    Location
    Inside the Kernel (somewhere)
    Posts
    41
    Quote Originally Posted by retired1af
    Reformat and reinstall. That will be the ONLY way to ensure you are clean.
    That's a bit of an exaggeration here. In this case, there's no proof of an actual hack. The md5s can be easily screwed up, and the port thing is completely innocent. If the /dev/ stuff is related to CPanel, then there's nothing wrong at all here.

  6. #16
    Linux Guru loft306
    Join Date
    Oct 2003
    Location
    The DairyLand
    Posts
    1,666
    Quote Originally Posted by retired1af
    Reformat and reinstall. That will be the ONLY way to ensure you are clean.
    That is a bit over the top if you ask me! Just find the offending junk and 'rm' it, unless you need super high security! Then start over.
    ~Mike ~~~ Forum Rules
    Testing? What's that? If it compiles, it is good, if it boots up, it is perfect. ~ Linus Torvalds
    http://loft306.org

  7. #17
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    It depends on how critical the machine is and what level of risk he is comfortable with. Investigating, backing up the data and rebuilding the machine is the only sure thing.

    If my credit card numbers, for example, were on his machine I would hope he would have the sense to take the lowest risk approach.

  8. #18
    Just Joined!
    Join Date
    Jul 2005
    Location
    Inside the Kernel (somewhere)
    Posts
    41
    Again, taking this approach is good, IF the server's been fully hacked, but, see, there's no proof it has here, at least yet.
    The errors that you're seeing through rkhunter are very common errors, especially on CPanel servers, which this individual does have, it looks like (judging by looking at the snippet of logs he showed). While rkhunter is good, it's not the best at determining things, and it's even worse when you've updated IT or your OS.

  9. #19
    Linux Newbie
    Join Date
    Jul 2005
    Location
    ~/home
    Posts
    105
    You can always check the dates of your suspicious programs (ls -l).
    If they are too new, you can be sure you are hacked.
    Help me get an Opera licence
    Beginning with debian? -> read THIS!

  10. #20
    Just Joined!
    Join Date
    Jul 2005
    Location
    Inside the Kernel (somewhere)
    Posts
    41
    Not always true.
    Say, for example, that the rpm which provided ls was updated for some reason. If you're using yum or up2date, then your binary will be updated as well, which means that you're going to see this reflected in the modification date. It's entirely possible for a modified date to be completely harmless.
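The thread's two signals (#13: a raw md5sum mismatch can be prelink rather than a rootkit; #19/#20: a fresh mtime can be a package update rather than a rootkit) are both weaker than asking the package database what it expects. The following is an added example, not code from any poster: it triages constructed `rpm -V` output, whose hashes are recorded at install time (and, on prelink systems, are checked on the un-prelinked binary), so an md5 difference on a system binary there is not the prelink false positive discussed above, while an mtime-only difference is exactly the harmless case #20 describes. The column layout and the `BINARY_DIRS`/severity policy are this example's assumptions.

```python
"""Triage `rpm -V` (rpm --verify) output into findings worth a second look.

Each rpm -V line is a flag column (S size, M mode, 5 md5, D device, L link,
U owner, G group, T mtime, P capabilities; '.' = unchanged, '?' = untestable),
an optional file-type letter (c config, d doc, ...) and the path, or the word
"missing" followed by the path.  Sample input below is constructed.
"""
import re
from dataclasses import dataclass

FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# Assumed policy: system binaries and libraries are where a replaced /bin/ls would live.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?P<type>[cdglr])?\s*(?P<path>/\S+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    flags: frozenset          # subset of FLAG_NAMES keys that differ from the rpm db
    file_type: str            # 'c' for config files, '' for ordinary files
    missing: bool = False


def parse_rpm_verify(text):
    """Turn rpm -V output into Finding objects; unrelated lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("missing"):
            findings.append(Finding(line.split()[-1], frozenset(), "", True))
            continue
        m = LINE_RE.match(line)
        if m:
            flags = frozenset(c for c in m.group("flags") if c in FLAG_NAMES)
            findings.append(Finding(m.group("path"), flags, m.group("type") or ""))
    return findings


def severity(f):
    """Assumed triage order: missing or re-hashed system binaries first, mtime-only last."""
    if f.missing:
        return "high"
    if f.file_type == "c":
        return "low"            # edited config files are expected on a real server
    if f.path.startswith(BINARY_DIRS) and ("5" in f.flags or "S" in f.flags):
        return "high"           # content differs from what the package installed
    if f.flags == {"T"}:
        return "info"           # mtime only: a reinstall/update leaves this (post #20)
    return "medium"


# Constructed sample: one binary re-hashed, one touched, one config edit, one file gone.
SAMPLE = """S.5....T.    /bin/ls
.......T.    /bin/ps
S.5....T.  c /etc/ssh/sshd_config
missing     /sbin/ifconfig
"""

if __name__ == "__main__":
    for finding in parse_rpm_verify(SAMPLE):
        print(severity(finding), finding.path, sorted(FLAG_NAMES[c] for c in finding.flags))
```

Run `rpm -Va 2>/dev/null | python3 triage.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; a "high" finding still only tells you the file is not what the package manager installed, which is the point where the thread's advice to pull the data and rebuild applies.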
