Re: how to fix rootkit?
On 2/8/12 09:53 , email@example.com wrote:
Today I found next things at squeeze. Please help to fix, I've no
experience in such tasks.
As Fabian already mentioned, you cannot know what an attacker changed in
the system (especially now that chkrootkit found a rootkit), therefore
you cannot trust anything on the system that you might use for
"repairing" it. The only way is to do a clean reinstall and restore user
data from backup. You could also get the configuration files from
backup, but check manually for changes (your latest backups might have
been made after the attack, the bad guy might have changed some
configuration files as well). I'd check for executable files in users'
directories and contents of their .profile and .bashrc as well.
The question is how the intruder got root access in the first place -
without finding the fixing that, you might get "owned" again, as soon as
you reinstall the system. Perhaps chapter 11 of the "Securing Debian
Manual" can help: