I have root kit
I have a question about a rootkit, actually the one my friends business has. For certain reasons he does not want to reinstall the software, and he was dumb and didnt have a backup. He lives 200 miles away and I set up the server for him a long time ago. He does not know much about Linux the box just sits there and does what he needs. IF any changes need to be made I SSH into it and do whatever. Since I cant get access to the machine, I need to take care of this the hard way.
I know he has a rootkit, because he has some tools like 'ls' that are working strangly, and the root password changed on its own. How can I find what tools have been corrupted? Also how can I find the rootkit source code? Is there a certain directory it is stored in? of will a find or grep command beable to find it with certain key words? he has taken it off line and I can SSH to it from a different machine on his network. I will be going there in about 6 weeks to run a root kit detection tool on it, but I want to check and see the extent of the damage and to learn for myself more about root kits.
Please help however you can.
Hopefully he's taken the machine off line and will not put it back on line until it's fixed.
There's no sure fire way of knowing that you've cleaned up the machine. The only way to ensure that you have a clean machine is to wipe out the partitions, format the drives and reinstall the OS.
you can use a program called chkrootkit, you can get it here
it checks your binaries for rootkit modifications
and then checks for the existance of any worms or rootkits
with that you can find out exactly what it is you have and act accordingly, it's also usefull to have for being proactive about security
this happened to me 1 months ago and this forum give some good information, but if you infected by suckit rootkit i have a link that maybe you can try it
http://www.soohrt.org/stuff/linux/suckit use rkhunter and combine it with chkrootkit, download the latest version.
similiar symtomps like ls, ps, netstat, pstree, find, locate is compromised binary
hope this help
maybe for the gentoo users among us you could run (in a chroot) emerge world a few times and recompile everything.