Hello,

I just wanted to mention to the original poster that there are cases of false positives regarding the line "You have X process hidden for readdir command" from chkrootkit. You can read about them on Google. I've also experienced such false positives before.

Still, as the others advise, you should of course still take the necessary precautionary steps. I just thought to mention the false positives because I've never actually seemed to get reliable output from rkhunter or chkrootkit and hardly rely on them anymore, and I've read about people who feel the same way. I like using file integrity checkers like Tripwire instead.

-Paul

Xander Solis wrote:
Hi,

You could try to boot into single-user mode, and copy ps from another
Linux machine to check and verify the same output. Don't put the new
ps in the same path as the old ps. Or execute the command
directly (./ps). You could also use check-ps, as another
alternative, to check and verify the running
processes (http://www.la-samhna.de/misc/).

Next step is to check and verify that all data backups are intact; you
would need them especially if it's a production server :) You may
eventually need to re-install the server, as you may not know completely
what other malicious code is on that machine if you don't employ a HIDS
to verify the filesystem integrity.

Linux kernel rootkits are tricky in that they can change the IDT of
the running Linux machine in real time, and even if you try to run
debugging tools, you will never know if the memory dump you
see is actually that of the system.

More detailed info is here, on how to handle these incidents:
http://www.securityfocus.com/infocus/1738

You can check Phrack 69 on how this technology is done.

Detecting kernel level rootkits:

http://la-samhna.de/library/rootkits/detect.html

Hope this helps, dude... keep backups in the future :)

Xander



On 4/28/06, seekuel <[EMAIL PROTECTED]> wrote:
Hi guys,

I'm using CentOS 4.3 as my email server, Postfix as MTA, and
Open-Xchange as webmail.
I installed chkrootkit and rkhunter. The configuration is that rkhunter
and chkrootkit will execute every day at 3am and email their results to the
administrator account.

I found this report from chkrootkit and was also surprised that an
email account was created. I think that the system is compromised.

How do I deal with this issue?

Any help is well appreciated.

Thanks,

Sandeil

Here is the output of chkrootkit:
---------
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/snort-plain)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
plug@lists.linux.org.ph (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph

--
Xander R. Solis
-----------------------
xrsolis.blogspot.com

"Don't part with your illusions. When they are gone you may still
exist, but you have ceased to live."

GNUPG Key: 1024D/5257774A

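The check chkrootkit's chkproc performs, and the two things the thread asks for around it (Xander's advice to trust only a ps copied from a clean machine and run by full path, and Paul's point about false positives from processes that exit between two scans), written out as a shell script. This is an added example, not code from the thread, from chkrootkit or from check-ps. PS_BIN and PID_MAX are assumed variable names, not anything the thread or chkrootkit defines: PS_BIN defaults to /bin/ps, PID_MAX to the kernel's pid_max (32768 on a CentOS 4 kernel; on a modern kernel with a multi-million pid_max the probe loop is slow and you may want to cap it). It also skips thread IDs, which resolve under /proc but never appear in a directory listing and would otherwise show up as "hidden for readdir" on every run.

```sh
#!/bin/sh
# Added example, not code from the thread or from chkrootkit. It re-does the
# comparison chkproc makes (PIDs found by probing /proc/PID directly, PIDs
# returned by listing /proc, PIDs reported by ps) and re-checks each finding,
# so a process that merely exited between two scans is not reported.
# Assumed variables: PS_BIN names the ps to trust, ideally a copy from a clean
# machine run by full path (default /bin/ps); PID_MAX bounds the probe
# (default from /proc/sys/kernel/pid_max; 32768 on a CentOS 4 kernel).
PS_BIN="${PS_BIN:-/bin/ps}"
PID_MAX="${PID_MAX:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}"

# is_group_leader PID: /proc/TID resolves for every thread, but a listing of
# /proc only shows thread group leaders, so threads must not count as hidden.
is_group_leader() {
    tgid=$(sed -n 's/^Tgid:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null)
    [ "$tgid" = "$1" ]
}

# pids_by_probe: look up /proc/PID for every possible PID. A lookup by name
# does not go through readdir, so an entry hidden from the listing by a
# getdents hook normally still answers here.
pids_by_probe() {
    pid=1
    while [ "$pid" -le "$PID_MAX" ]; do
        [ -d "/proc/$pid" ] && is_group_leader "$pid" && printf '%s\n' "$pid"
        pid=$((pid + 1))
    done | sort
}

# pids_by_readdir: what a directory listing of /proc returns.
pids_by_readdir() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done | sort
}

# pids_by_ps: what the chosen ps binary reports.
pids_by_ps() {
    "$PS_BIN" -eo pid= | tr -d ' ' | sort
}

# diff_pid_lists FULL PARTIAL: PIDs in the first sorted list missing from the
# second; the shell form of chkproc's "hidden for ..." test.
diff_pid_lists() {
    comm -23 "$1" "$2"
}

# scan_once: one round of both comparisons. Prints "readdir PID" for a PID
# reachable by probe but absent from the listing, and "ps PID" for a PID in
# the listing that ps does not report, matching chkrootkit's two messages.
scan_once() {
    probe=$(mktemp) && rd=$(mktemp) && psl=$(mktemp) || return 1
    pids_by_probe > "$probe"
    pids_by_readdir > "$rd"
    pids_by_ps > "$psl"
    diff_pid_lists "$probe" "$rd" | sed 's/^/readdir /'
    diff_pid_lists "$rd" "$psl" | sed 's/^/ps /'
    rm -f "$probe" "$rd" "$psl"
}

# still_hidden KIND PID: re-test one finding. A PID whose /proc entry is gone
# was a short-lived process, the usual cause of chkproc false alarms.
still_hidden() {
    [ -d "/proc/$2" ] || return 1
    case "$1" in
        readdir) for d in /proc/[0-9]*; do
                     [ "$d" = "/proc/$2" ] && return 1
                 done ;;
        ps) "$PS_BIN" -o pid= -p "$2" 2>/dev/null | grep -q '[0-9]' && return 1 ;;
    esac
    return 0
}

# confirm_hidden [PASSES]: keep only findings that survive PASSES re-checks,
# one second apart (default 3). Anything printed deserves a look at
# /proc/PID/exe, cmdline and maps from single-user mode.
confirm_hidden() {
    passes="${1:-3}"
    scan_once | while read -r kind pid; do
        i=0
        while [ "$i" -lt "$passes" ]; do
            sleep 1
            still_hidden "$kind" "$pid" || break
            i=$((i + 1))
        done
        [ "$i" -eq "$passes" ] && printf '%s %s\n' "$kind" "$pid"
    done
    return 0
}

# Run as: PS_BIN=/mnt/clean/ps sh hidden-procs.sh scan [PASSES]
if [ "${1-}" = "scan" ]; then confirm_hidden "${2-}"; fi
```

Run it from single-user mode with PS_BIN pointing at the ps copied from a clean machine, as Xander suggests; on an idle box scan_once alone will still print the script's own helper processes, which is exactly the race Paul describes, and confirm_hidden drops them because their /proc entries are gone on the re-check. A PID that does survive is a lead to investigate, not proof, and an empty result is not a clean bill either: a kernel module that hooks both the directory listing and the name lookup, or that filters deeper in the kernel, shows the same view everywhere, which is the point Xander makes about not trusting what a compromised kernel shows you.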
