[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Re: Is my system compromised



I am running a server inside of my LAN which is protected by a firewall (my dsl router). Ports for dns,ftp ssh,http and https are forwarded to my debian machine.


Yesterday I found a script distwatch in cron.daily which was a script to put the rootkit back if an admin has removed it (or so the text at the beginning of the script tells me). I also saw the word “suckit” in this script which is a rootkit I think. I was wrong when I said chkrootkit found nothing, it found 2 processes hidden for ps, keventd and kflushd (I’m not sure because I shutdown my server to figure out how to deal with this problem).


In total there were two daemons which had no man pages


Killd (with googling I saw something abount denial of service attacks, but I’m not sure)

Distwatchd (which I could find nothing about googling)


My question now is how to disinfect my system, how do I locate keventd and kflushd and how do I know for sure my system is clean ?


Thanks for responding everyone J





Reply to: