Re: how to fix rootkit?
On 2/8/12 09:53 , email@example.com wrote:
> Today I found next things at squeeze. Please help to fix, I've no
> experience in such tasks.
> Checking `ifconfig'... INFECTED
I was wondering if we're not losing perspective of what is realistic in
a certain situation, especially for people without previous experience
in handling such attacks and whose job is not necessarily a full-time
system administrator. Sometimes we have other people needing that
server back as soon as possible, and a schedule to keep. Spending a few
weeks with forensic analysis isn't always an option, when the
probability of actually finding anything useful is low.
Your signature mentions you're a senior Java developer/architect - I
assume you got a test or production server cracked. My advice is to ask
your manager how he perceives the risk of this happening again. If he's
ready to invest some money, find a local computer security company which
does Linux; they will image the cracked system and analyse it, while you
can do a clean reinstall and get on with your normal development
activities. If your company isn't prepared to invest any money in this,
just reinstall clean and monitor the server in the coming months,
looking for unusual things like rootkit warnings or funny things in the
logs, to make sure the server wasn't compromised again.
If this is a server used for your Java code, perhaps it would be worth
looking into vulnerabilities in your own Java code, or in the JRE. I
know there are a lot of enterprise Java apps needing older (no longer
supported) versions of the JDK, like 1.4 or so, and Java vulnerabilities
are not exactly rare. If someone manages to load his own .class into
your app and execute it on the server, root access is just one local
privilege escalation away.
If you do find it was an unpatched vulnerability in Debian, instead of
your own code, please contact the Debian security team, so they can fix
it - we'll all benefit from it.
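The reply recommends reinstalling clean and then watching the server for rootkit warnings and odd log entries. The script below is an added example written for this thread, not code from the poster or from Debian: it parses checker output in the "Checking `ifconfig'... INFECTED" style quoted above and flags a few classic post-compromise signs in auth-log lines (a successful root login, a login from an address that had just failed repeatedly, a new account created with UID 0). The check output and the log lines are constructed samples, and the sshd/useradd line formats are assumed to match the usual Debian syslog wording; adapt the regexes to what your own logs actually contain. Keep in mind that a rootkit on the running host can hide from tools executed on that host, so this kind of monitoring complements the clean reinstall rather than replacing it.

```python
"""Added example for the 'reinstall and monitor' advice in the thread.
Summarises rootkit-checker output and flags suspicious auth-log events.
All sample input below is constructed; the log formats are assumptions."""
import re
from collections import Counter

# Constructed sample of rootkit-checker output, one check per line,
# in the "Checking `binary'... RESULT" style quoted in the thread.
SAMPLE_CHECK_OUTPUT = """\
Checking `ls'... not infected
Checking `ifconfig'... INFECTED
Checking `netstat'... not infected
Checking `ps'... INFECTED
Searching for suspicious files and dirs, it may take a while... nothing found
"""

# Constructed sample auth-log lines (assumed Debian sshd/useradd wording;
# addresses are documentation ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Feb  8 09:40:01 squeeze sshd[1201]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
Feb  8 09:41:12 squeeze sshd[1210]: Failed password for root from 198.51.100.7 port 40111 ssh2
Feb  8 09:41:14 squeeze sshd[1210]: Failed password for root from 198.51.100.7 port 40111 ssh2
Feb  8 09:41:16 squeeze sshd[1210]: Failed password for root from 198.51.100.7 port 40111 ssh2
Feb  8 09:42:00 squeeze sshd[1222]: Accepted password for root from 198.51.100.7 port 40120 ssh2
Feb  8 09:45:33 squeeze useradd[1240]: new user: name=backup2, UID=0, GID=0, home=/tmp/.x, shell=/bin/sh
"""

CHECK_RE = re.compile(r"^Checking `(?P<binary>[^']+)'\.\.\. (?P<result>.+)$")


def infected_binaries(check_output):
    """Return the binaries the checker reported as INFECTED, in order."""
    hits = []
    for line in check_output.splitlines():
        m = CHECK_RE.match(line)
        if m and m.group("result").strip().upper() == "INFECTED":
            hits.append(m.group("binary"))
    return hits


FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")


def suspicious_log_events(log_text, failure_threshold=3):
    """Flag three things worth a closer look after a reinstall:
    - any successful login as root,
    - a successful login from an address that already failed
      `failure_threshold` or more times earlier in the log,
    - any newly created account with UID 0.
    Returns a list of (kind, detail) tuples in log order."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m.group("ip")] += 1
            continue
        if m := ACCEPTED_RE.search(line):
            ip, user = m.group("ip"), m.group("user")
            if user == "root":
                findings.append(("root_login", ip))
            if failures[ip] >= failure_threshold:
                findings.append(("login_after_failures", ip))
            continue
        if m := USERADD_RE.search(line):
            if m.group("uid") == "0":
                findings.append(("new_uid0_account", m.group("name")))
    return findings


if __name__ == "__main__":
    print("INFECTED:", infected_binaries(SAMPLE_CHECK_OUTPUT))
    for kind, detail in suspicious_log_events(SAMPLE_AUTH_LOG):
        print(f"{kind}: {detail}")
```

In practice you would feed the checker's saved output and a day's worth of `/var/log/auth.log` into these two functions from a cron job and mail yourself anything non-empty; the thresholds and patterns are deliberately simple so they are easy to audit and extend.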