On Fri, 26 Nov 2010 18:53:05 +0000, James Brown wrote: > I have a VDS under Debian Lenny, > ~# uname -a > Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686 > GNU/Linux > > I have received the next messages from crondaemon: > /etc/cron.daily/rkhunter: > Internal error! > Internal error! > ................................. > > and from rkhunter that my server have problems which you can see in the > attached log inculding detected SHV4 Rootkit and SHV5 Rootkit
(...) JFYI, there was a recent exploit for ProFtpd: http://www.exploit-db.com/exploits/15449/ Also followed here: proftpd: IAC remote root exploit http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769 Not sure if lenny is also affected :-? (...) > Found HIDDEN PID: 1431 > Command: proftpd: connected: 72.159.168.50 (72.159.168.50:47525) > > Found HIDDEN PID: 1759 > Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625) Check your "/var/log/auth.log" and "history" but your logs doesn't sound very good :-( Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2010.11.26.19.21...@gmail.com
