My webserver system is actually a UML slice of a system at memset.co.uk and all
it does is run Apache Tomcat and sshd and the stuff from memset - I thought it
was pretty safe until I came back today and found my nightly email report from
chkrootkit said:
The following suspicious files and directories were found:
/lib/init/rw/.ramfs
INFECTED (PORTS: 2881)
The .ramfs started appearing when I upgraded chkrootkit, so I never worried
about it, but Friday night's INFECTED alert was a slap in the face with a wet
fish. Saturday night's report went back to normal - no mention of the port.
I scanned it from grc.com/x/portprobe and it came back as closed.
The only mention I can find in the logs is:
[EMAIL PROTECTED]:~# grep 2881 /var/log/*
/var/log/setuid.today:
2881 660 1 root disk 0 Wed Apr 30 11:32:37 2008
/dev/rd/c1d30
r
and that's a PID, not a port, right?
So how bad does this look? Should I clean the system? If it is rooted, how can I
tell what the security flaw was? My password at that point (since changed) was
CE0dff2*£ so if it was a brute force attack, then wow, they did well.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
