[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881

Thomas Preud'homme on 04/08/08 11:48, wrote:
Le lundi 4 août 2008, Adam Hardy a écrit :
Adam Hardy on 03/08/08 14:13, wrote:
My webserver system is actually a UML slice of a system at
memset.co.uk and all it does is run Apache Tomcat and sshd and the
stuff from memset - I thought it was pretty safe until I came back
today and found my nightly email report from chkrootkit said:

The following suspicious files and directories were found:


The .ramfs started appearing when I upgraded chkrootkit, so I never
worried about it, but Friday night's INFECTED alert was a slap in
the face with a wet fish. Saturday night's report went back to
normal - no mention of the port.

I scanned it from grc.com/x/portprobe and it came back as closed.

The only mention I can find in the logs is:

root@hardyaa1:~# grep 2881 /var/log/*
    2881   660   1 root       disk               0 Wed Apr 30
11:32:37 2008 /dev/rd/c1d30

and that's a PID, not a port, right?

So how bad does this look? Should I clean the system? If it is
rooted, how can I tell what the security flaw was? My password at
that point (since changed) was CE0dff2*£ so if it was a brute force
attack, then wow, they did well.
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is


I don't think it's that important. chkrootkit seems a little hazardous since there was a bug about chkrootkit killing a random process (in fact one of its test was sending a signal to process 12345, this bug has been corrected).

I think a good anti-rootkit should be launched from another system to be sure it's not deactivated by a smart rootkit.

Hopefully that is simpler than it sounds! What anti-rootkit are you thinking of? I use chkrootkit and rkhunter.


Reply to: