On Monday 4 August 2008, Adam Hardy wrote:
> Adam Hardy on 03/08/08 14:13, wrote:
> > My webserver system is actually a UML slice of a system at
> > memset.co.uk and all it does is run Apache Tomcat and sshd and the
> > stuff from memset - I thought it was pretty safe until I came back
> > today and found my nightly email report from chkrootkit said:
> >
> > The following suspicious files and directories were found:
> > /lib/init/rw/.ramfs
> >
> > INFECTED (PORTS: 2881)
> >
> > The .ramfs started appearing when I upgraded chkrootkit, so I never
> > worried about it, but Friday night's INFECTED alert was a slap in
> > the face with a wet fish. Saturday night's report went back to
> > normal - no mention of the port.
> >
> > I scanned it from grc.com/x/portprobe and it came back as closed.
> >
> > The only mention I can find in the logs is:
> >
> > root@hardyaa1:~# grep 2881 /var/log/*
> > /var/log/setuid.today:
> > 2881 660 1 root disk 0 Wed Apr 30
> > 11:32:37 2008 /dev/rd/c1d30
> > r
> >
> > and that's a PID, not a port, right?
> >
> > So how bad does this look? Should I clean the system? If it is
> > rooted, how can I tell what the security flaw was? My password at
> > that point (since changed) was CE0dff2*£ so if it was a brute force
> > attack, then wow, they did well.
>
> I talked to the support at the hosting company and they looked at the
> system and said they couldn't see anything wrong with it - but they
> can re-image it for me which normally costs a fee.
>
> Is it worth re-imaging my system and re-installing everything?
>
> I still have no idea what chkrootkit means when it says a port is
> infected.
>
>
> Adam

I don't think it's that important. chkrootkit seems a little hazardous since there was a bug about chkrootkit killing a random process (in fact one of its tests was sending a signal to process 12345; this bug has been corrected). I think a good anti-rootkit should be launched from another system to be sure it's not deactivated by a smart rootkit.
Regards, Thomas Preud'homme -- Why Debian : http://www.debian.org/intro/why_debian
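Adam's question (does the port chkrootkit flagged actually have a listener?) and Thomas's point (check from another system, because a rootkit can hide things from tools running on the host) both come down to comparing two views of the same machine. The following is an added example, not code from this thread or from chkrootkit: it parses a chkrootkit report for `INFECTED (PORTS: ...)` lines, parses a snapshot of `ss -ltnp` taken on the host, and compares both against the set of ports an external probe saw as open. The report excerpt, the `ss` output and the external-probe result are constructed sample inputs; the function names are my own.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the chkrootkit report lines quoted in the thread.
CHKROOTKIT_REPORT = """\
The following suspicious files and directories were found:
/lib/init/rw/.ramfs

INFECTED (PORTS: 2881)
"""

# Constructed sample of `ss -ltnp` output taken on the host itself (hypothetical:
# only sshd and Tomcat are listening, matching the poster's description of the box).
LOCAL_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=1234,fd=3))
LISTEN 0      100                *:8080            *:*     users:(("java",pid=2345,fd=45))
"""

# Constructed result of an external TCP probe of the same host, run from a second
# machine (the role the grc.com probe played in the thread): ports seen as open.
EXTERNAL_OPEN_PORTS: Set[int] = {22, 8080}

INFECTED_RE = re.compile(r"INFECTED \(PORTS:\s*([0-9,\s]+)\)")
SS_LISTEN_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+\S+:(\d+)\s+\S+\s+(.*)$")


def flagged_ports(report: str) -> List[int]:
    """Every port chkrootkit's bindshell test reported as INFECTED, deduplicated."""
    ports: Set[int] = set()
    for m in INFECTED_RE.finditer(report):
        ports.update(int(p) for p in m.group(1).replace(",", " ").split())
    return sorted(ports)


def local_listeners(ss_text: str) -> Dict[int, str]:
    """Map each listening TCP port visible on the host to its owning-process field."""
    listeners: Dict[int, str] = {}
    for line in ss_text.splitlines():
        m = SS_LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(1))] = m.group(2).strip()
    return listeners


def hidden_ports(ss_text: str, external_open: Set[int]) -> List[int]:
    """Ports open from outside that the host's own socket list does not show.

    This is the discrepancy a socket-hiding rootkit produces, and the reason a
    check run from another system is worth more than one run on the host.
    """
    return sorted(external_open - set(local_listeners(ss_text)))


def triage(report: str, ss_text: str, external_open: Set[int]) -> Dict[int, str]:
    """Classify each chkrootkit-flagged port using both the inside and outside view.

    - 'local listener (...)': the host sees a process bound to it; inspect that process.
    - 'hidden listener?': open from outside but absent locally; treat as compromise.
    - 'no listener either way': neither view shows it; a transient connection or a
      false positive (the thread's case: flagged one night, closed on external probe,
      gone the next night).
    """
    listeners = local_listeners(ss_text)
    result: Dict[int, str] = {}
    for port in flagged_ports(report):
        if port in listeners:
            result[port] = f"local listener ({listeners[port]})"
        elif port in external_open:
            result[port] = "hidden listener?"
        else:
            result[port] = "no listener either way"
    return result


if __name__ == "__main__":
    for port, verdict in triage(CHKROOTKIT_REPORT, LOCAL_SS_OUTPUT, EXTERNAL_OPEN_PORTS).items():
        print(f"port {port}: {verdict}")
    print("open outside but not visible locally:", hidden_ports(LOCAL_SS_OUTPUT, EXTERNAL_OPEN_PORTS))
```

The useful output is the disagreement between views, not either view alone: a port the host denies but the outside sees is the case to act on, while a port flagged once and seen by nobody afterwards is what the bindshell test's transient hits look like. The `ss` snapshot should be taken right after the alert fires, since a listener that is gone by the next morning leaves nothing for this comparison to find.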