In this case, I would recommend starting from scratch. Save what personal data you need (avoiding binaries where possible) and reinstall. Afterwards, set up firewall, IDS (both host-based and network), portscan detector, log watcher etc.
I wouldn't try to "recover" this installation, I would definitely rebuild from scratch, doing your build and securing from behind a firewall.

--Brad
========================================================================
Bradley M. Alexander | IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer | storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
========================================================================
Law #5: Weak passwords trump strong security.

On Sat, Aug 28, 2004 at 08:56:19PM -0700, Scarletdown wrote:
> Since I have been having occasional problems getting various packages
> installed or uninstalled, I decided to do a chkrootkit. The results
> look rather disturbing. Is there any way short of starting from scratch
> to fix the problems that showed up? Here's the results...
>
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not infected
> Checking `su'... not infected
> Checking `ifconfig'... INFECTED
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `init'... not infected
> Checking `killall'... not infected
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... INFECTED
> Checking `lsof'... not infected
> Checking `mail'... not found
> Checking `mingetty'... not found
> Checking `netstat'... INFECTED
> Checking `named'... not found
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... INFECTED
> Checking `pstree'... INFECTED
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `tcpdump'... not infected
> Checking `top'... INFECTED
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `vdir'... not infected
> Checking `w'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/ttyop /dev/ttyoa
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.3/bin/.java_wrapper
> /usr/lib/j2se/1.3/jre/bin/.java_wrapper
> /usr/lib/transgaming_cedega/.transgaming
> /usr/lib/transgaming_cedega/.transgaming
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for Showtee... Warning: Possible Showtee Rootkit installed
> Searching for OpticKit... nothing found
> Searching for T.R.K... nothing found
> Searching for Mithra... nothing found
> Searching for OBSD rk v1... nothing found
> Searching for LOC rootkit ... nothing found
> Searching for Romanian rootkit ... /usr/include/file.h
> /usr/include/proc.h
> Searching for Suckit rootkit ... nothing found
> Searching for Volc rootkit ... nothing found
> Searching for Gold2 rootkit ... nothing found
> Searching for TC2 Worm default files and dirs... nothing found
> Searching for Anonoying rootkit default files and dirs... nothing found
> Searching for ZK rootkit default files and dirs... nothing found
> Searching for ShKit rootkit default files and dirs... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> Checking `w55808'... not infected
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... nothing deleted
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
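Added example, not part of either message above: two independent cross-checks for the findings in that chkrootkit run. The `lkm` check ("process hidden for ps") is reproduced by enumerating PIDs three ways (a `kill(pid, 0)` probe, the `/proc` directory listing, and `ps` output) and reporting PIDs that are alive but unlisted; thread IDs answer `kill()` without ever appearing as top-level `/proc` entries, so they are collected from `/proc/<pid>/task` and excluded, which removes the classic false positive. The `INFECTED` verdicts on `ifconfig`, `ls`, `netstat`, `ps`, `pstree` and `top` are cross-checked against the md5sums dpkg recorded at install time. The binary paths in `FLAGGED`, the `/var/lib/dpkg/info/<pkg>.md5sums` layout (`<md5>  <path relative to />`) and a bounded PID search space are assumptions of this example, and the test data below is constructed.

```python
"""Cross-checks for a suspected rootkit on a Debian-style Linux host.

Run from a trusted environment (rescue media, or statically linked tools);
a kernel rootkit that hooks kill(), getdents() and read() can lie to all of
this, so a clean result here is evidence, not proof.
"""
import glob
import hashlib
import os
import re
import subprocess

# Binaries chkrootkit flagged in the mail above; paths are an assumption
# (net-tools, coreutils, procps and psmisc locations on Debian of that era).
FLAGGED = ["/sbin/ifconfig", "/bin/ls", "/bin/netstat",
           "/bin/ps", "/usr/bin/pstree", "/usr/bin/top"]

_MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S.*)$")


def parse_md5sums(text):
    """Parse dpkg's md5sums manifest text into {absolute_path: md5hex}."""
    manifest = {}
    for line in text.splitlines():
        m = _MD5_LINE.match(line.strip())
        if m:
            manifest["/" + m.group(2)] = m.group(1)
    return manifest


def md5_of(path):
    """MD5 of a file on disk (MD5 because that is what dpkg recorded, not for strength)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_modified(manifest, hash_fn=md5_of):
    """Return {path: (expected, actual)} for every entry whose hash disagrees
    with the manifest; actual is None when the file cannot be read."""
    bad = {}
    for path, expected in sorted(manifest.items()):
        try:
            actual = hash_fn(path)
        except OSError:
            actual = None
        if actual != expected:
            bad[path] = (expected, actual)
    return bad


def hidden_pids(alive, proc_listed, ps_listed, thread_ids):
    """PIDs that answer kill(pid, 0) but appear in neither /proc nor ps.
    Thread ids are excluded so that normal multi-threaded processes do not
    show up as 'hidden'."""
    visible = set(proc_listed) | set(ps_listed) | set(thread_ids)
    return sorted(set(alive) - visible)


def probe_alive(max_pid):
    """PIDs for which kill(pid, 0) says a process exists (EPERM also means 'exists')."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def proc_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def thread_ids(pids):
    """All task ids of the listed processes, from /proc/<pid>/task."""
    tids = set()
    for pid in pids:
        for entry in glob.glob("/proc/%d/task/*" % pid):
            name = os.path.basename(entry)
            if name.isdigit():
                tids.add(int(name))
    return tids


def live_report():
    """(hidden pids, {flagged path: (dpkg md5, on-disk md5)}) for this host."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    listed = proc_pids()
    hidden = hidden_pids(probe_alive(max_pid), listed, ps_pids(), thread_ids(listed))
    manifest = {}
    for path in glob.glob("/var/lib/dpkg/info/*.md5sums"):
        with open(path) as f:
            manifest.update(parse_md5sums(f.read()))
    flagged = {p: manifest[p] for p in FLAGGED if p in manifest}
    return hidden, find_modified(flagged)


if __name__ == "__main__":
    hidden, modified = live_report()
    print("hidden pids:", hidden)
    for path, (expected, actual) in modified.items():
        print("MISMATCH %s dpkg=%s disk=%s" % (path, expected, actual))
```

Two caveats when reading the output. The on-disk `.md5sums` files live on the same compromised filesystem, so a mismatch is strong evidence but a match is not clearance; the real reference is the hash from a freshly downloaded copy of the same package version. Prelink, where it was in use, also rewrites binaries and produces honest mismatches, so confirm with `dpkg -S` and a trusted `.deb` before drawing conclusions. Dropping the `FLAGGED` filter in `live_report` checks every package-owned file at the cost of a longer run.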