
Re: chkrootkit infected ports 2881 - conundrum

2008/8/26 Adam Hardy <adam.ant@cyberspaceroad.com>:
> The more I think about it, the more I believe some sharp hacker out there
> could easily have fooled me for months.
> Any suggestions now?

1) Be slightly less paranoid :)

2) Assuming your server is hosted with VPSVille, Slicehost or some
other hosting company that doesn't give you physical access but does
have a facility for reinstalling your OS on demand, you could, in the
following order:

- Back up your data from it locally;
- Prepare a script that will run iptables to disable all connections
except SSH access and apt-get connections;
- Reinstall the OS;
- Immediately log in, upload the script and run it;
- apt-get install rkhunter;
- Generate the hashes (if you're on Etch, this won't work, as the
rkhunter in Etch doesn't include the --propupd option, but on Lenny it
should be possible. For ways to generate rkhunter hashes on Etch, see
my recent mailing list thread, "rkhunter on Etch");
- Download copies to your local machine.

Congratulations. Unless someone rooted you in the few minutes it took
to do this (this is very unlikely unless your hosting provider
installs the OS in some crazy-ass wide-open-to-exploitation fashion -
see point 1 above), you now have a set of hashes you can trust, and
which you can write to RO media from your local machine.

NB. I haven't tried this myself, but I'm putting together a plan for
securing my own VPS, and this is the general principle (I should add,
I won't be relying solely on rkhunter!). So, if anyone reads the above
and spots that I've missed something crucial, please let me know :)
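An added example, not from the original post or its author, of what the lockdown script in step 2 might look like: it emits the iptables commands for a policy that admits only inbound SSH and outbound DNS/HTTP(S) (enough for apt-get against an HTTP mirror), and with --apply as root it runs them and then takes the rkhunter baseline. The port, the admin network range, the function names and the log prefix are assumptions; narrow LD_ADMIN_NET to your own address range if it is static.

```shell
#!/bin/sh
# Hypothetical lockdown script (added example, not from the original thread).
# Default: print the rules. With --apply (as root): run them, then baseline rkhunter.
LD_SSH_PORT="${LD_SSH_PORT:-22}"          # assumed: sshd on the standard port
LD_ADMIN_NET="${LD_ADMIN_NET:-0.0.0.0/0}"  # assumed: restrict to your own range if you can

# One iptables command per line. Rules are added before the DROP policies are
# set so the existing SSH session is covered by the ESTABLISHED rule first.
lockdown_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $LD_ADMIN_NET --dport $LD_SSH_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "lockdown-drop: "
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Number of iptables commands the policy contains.
rule_count() { lockdown_rules | grep -c '^iptables'; }

# Succeeds only when all three built-in chains default to DROP.
has_drop_defaults() {
    [ "$(lockdown_rules | grep -c -- '-P [A-Z]* DROP')" -eq 3 ]
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    lockdown_rules | while IFS= read -r cmd; do eval "$cmd"; done
    # Baseline file properties right after the fresh install (Lenny or later).
    rkhunter --propupd
fi
```

FTP mirrors are not covered by this policy; point sources.list at an HTTP mirror or add an outbound rule for port 21 before running apt-get.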
