Monday 04 August 2008, Adam Hardy wrote :
> Thomas Preud'homme on 04/08/08 11:48, wrote:
> > On Monday 4 August 2008, Adam Hardy wrote:
> >> Adam Hardy on 03/08/08 14:13, wrote:
> >>> My webserver system is actually a UML slice of a system at
> >>> memset.co.uk and all it does is run Apache Tomcat and sshd and
> >>> the stuff from memset - I thought it was pretty safe until I came
> >>> back today and found my nightly email report from chkrootkit
> >>> said:
> >>>
> >>> The following suspicious files and directories were found:
> >>> /lib/init/rw/.ramfs
> >>>
> >>> INFECTED (PORTS: 2881)
> >>>
> >>> The .ramfs started appearing when I upgraded chkrootkit, so I
> >>> never worried about it, but Friday night's INFECTED alert was a
> >>> slap in the face with a wet fish. Saturday night's report went
> >>> back to normal - no mention of the port.
> >>>
> >>> I scanned it from grc.com/x/portprobe and it came back as closed.
> >>>
> >>> The only mention I can find in the logs is:
> >>>
> >>> root@hardyaa1:~# grep 2881 /var/log/*
> >>> /var/log/setuid.today:
> >>> 2881 660 1 root disk 0 Wed Apr 30 11:32:37 2008 /dev/rd/c1d30
> >>> r
> >>>
> >>> and that's a PID, not a port, right?
> >>>
> >>> So how bad does this look? Should I clean the system? If it is
> >>> rooted, how can I tell what the security flaw was? My password at
> >>> that point (since changed) was CE0dff2*£ so if it was a brute
> >>> force attack, then wow, they did well.
> >>
> >> I talked to the support at the hosting company and they looked at
> >> the system and said they couldn't see anything wrong with it - but
> >> they can re-image it for me which normally costs a fee.
> >>
> >> Is it worth re-imaging my system and re-installing everything?
> >>
> >> I still have no idea what chkrootkit means when it says a port is
> >> infected.
> >>
> >> Adam
> >
> > I don't think it's that important. chkrootkit seems a little
> > hazardous since there was a bug about chkrootkit killing a random
> > process (in fact one of its tests was sending a signal to process
> > 12345; this bug has been corrected).
> >
> > I think a good anti-rootkit should be launched from another system
> > to be sure it's not deactivated by a smart rootkit.
>
> Hopefully that is simpler than it sounds! What anti-rootkit are you
> thinking of? I use chkrootkit and rkhunter.

Unfortunately I haven't any reference, but hoping a rootkit on your
computer being launched once a day will protect you is like hoping an
anti-virus will protect you even if a smart virus infects your computer
between two launches. It's better than nothing, but I don't think it's
sufficient.

I think you can safely discard this warning from chkrootkit or, if
you're cautious (it's very good), then ask the maintainer or, better,
the upstream developer of this software.

> > > Adam

Regards,

Thomas Preud'homme

--
Why Debian : http://www.debian.org/intro/why_debian