Re: chkrootkit infected ports 2881

[Adam Hardy <adam.ant@cyberspaceroad.com>]

Adam Hardy on 03/08/08 14:13, wrote:
> My webserver system is actually a UML slice of a system at memset.co.uk 
> and all it does is run Apache Tomcat and sshd and the stuff from memset 
> - I thought it was pretty safe until I came back today and found my 
> nightly email report from chkrootkit said:
>
> The following suspicious files and directories were found:
> /lib/init/rw/.ramfs
>
> INFECTED (PORTS:  2881)
>
> The .ramfs started appearing when I upgraded chkrootkit, so I never 
> worried about it, but Friday night's INFECTED alert was a slap in the 
> face with a wet fish. Saturday night's report went back to normal - no 
> mention of the port.
>
> I scanned it from grc.com/x/portprobe and it came back as closed.
>
> The only mention I can find in the logs is:
>
> root@hardyaa1:~# grep 2881 /var/log/*
> /var/log/setuid.today:
>     2881   660   1 root       disk               0 Wed Apr 30 11:32:37 
> 2008 /dev/rd/c1d30
> r
>
> and that's a PID, not a port, right?
>
> So how bad does this look? Should I clean the system? If it is rooted, 
> how can I tell what the security flaw was? My password at that point 
> (since changed) was CE0dff2*£ so if it was a brute force attack, then 
> wow, they did well.

I talked to the support at the hosting company and they looked at the system and 
said they couldn't see anything wrong with it - but they can re-image it for me 
which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is infected.


Adam